Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
alihmp2005
New Contributor

Site to Site VPN to 2 Fortigates which are Behind LoadBalancer

Hello everyone,

 

I have a Active/Active Forigate firewalls behind a load balancer in Azure environment, so my External load balancer has only 1 public IP. my question is that how my on-premise fortigate firewall can establish a Site to Site VPN??

 

Topo.png

 

When I configure the Site2Site VPN on Fortigate-A everything is fine but as soon I configure Fortigate-B, the tunnel goes down!!!!!!!!!!!!!!!

 

Thanks,

A

4 REPLIES 4
hbac
Staff
Staff

Hi @alihmp2005,

 

If FortiGate-A and FortiGate-B are in HA active-active, you only need to configure VPN on the primary and it will synchronize to the other.

 

Regards, 

alihmp2005

Hi hbac, 

Thanks for your answer but they are not in HA cluster, both of them are active and ELB distribute the traffic. 

 

Loadbalncing.JPG

hbac

@alihmp2005,

 

So you are load balancing traffic to two FortiGates which are not in HA. That doesn't make sense to me. When creating IPsec tunnel when FortiGate A and B, you need to select 'This site is behind NAT'. On prem FortiGate, select 'Remote site is behind NAT' and enable the following options: 

 

config vpn ipsec phase1-interface
edit <name>
set net-device enable 
end

config vpn ipsec phase2-interface
edit <name>
set route-overlap allow 
end

 

Regards, 

alihmp2005

Thanks hbac for your answer, but If instead of On-premise Fortigate, I create Azure VPN gateway(Virtual Network Gateway+Local Network Gateway), then how should I configure that? 

 

nq.JPG

thanks

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors