alihmp2005
New Contributor

Site-to-Site VPN to 2 FortiGates which are behind a load balancer

Hello everyone,

I have Active/Active FortiGate firewalls behind a load balancer in an Azure environment, so my external load balancer has only one public IP. My question is: how can my on-premise FortiGate firewall establish a site-to-site VPN?


[Image: Topo.png]


When I configure the site-to-site VPN on FortiGate-A everything is fine, but as soon as I configure FortiGate-B, the tunnel goes down!

Thanks,

A

hbac
Staff

Hi @alihmp2005,

If FortiGate-A and FortiGate-B are in HA active-active, you only need to configure VPN on the primary and it will synchronize to the other.

Regards,

alihmp2005

Hi hbac,

Thanks for your answer, but they are not in an HA cluster; both of them are active and the ELB distributes the traffic.

[Image: Loadbalncing.JPG]

hbac

@alihmp2005,

So you are load balancing traffic to two FortiGates which are not in HA. That doesn't make sense to me. When creating the IPsec tunnel on FortiGate A and B, you need to select 'This site is behind NAT'. On the on-prem FortiGate, select 'Remote site is behind NAT' and enable the following options:

config vpn ipsec phase1-interface
    edit <name>
        set net-device enable
    next
end

config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow
    next
end

Regards,
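The following is an added worked example of the design hbac describes, not configuration from the original post or from Fortinet: the two Azure FortiGates act as IKEv2 initiators behind the load balancer's NAT, and the on-prem FortiGate is a dialup (dynamic) responder that creates one tunnel interface per peer and accepts both peers' identical route. All names, interface names, addresses (203.0.113.10 as the on-prem public IP, 10.10.0.0/16 as the Azure VNet, 192.168.0.0/16 as the on-prem LAN) and the PSK are placeholders.

```fortios
# ===== Azure FortiGate-A (initiator). FortiGate-B is identical except for
# the localid ("fgt-b"). Assumed: port1 = Azure-facing interface,
# 203.0.113.10 = on-prem public IP. <PLACEHOLDER_PSK> must be replaced.
config vpn ipsec phase1-interface
    edit "to-onprem"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # Both Azure units sit behind the load balancer's public IP
        # ("This site is behind NAT" in the GUI), so NAT-T must be on.
        set nattraversal enable
        set remote-gw 203.0.113.10
        # Distinct IKE identity per unit so the responder can tell them apart
        # even though both arrive from the same public source IP.
        set localid "fgt-a"
        set psksecret <PLACEHOLDER_PSK>
    next
end
config vpn ipsec phase2-interface
    edit "to-onprem-p2"
        set phase1name "to-onprem"
        set proposal aes256-sha256
        set dhgrp 14
        # Bring the tunnel up without waiting for interesting traffic.
        set auto-negotiate enable
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 192.168.0.0 255.255.0.0
    next
end

# ===== On-prem FortiGate (dialup responder). Assumed: wan1 = internet-facing
# interface. Firewall policies referencing "from-azure" are omitted here.
config vpn ipsec phase1-interface
    edit "from-azure"
        # "Remote site is behind NAT": accept connections from any source
        # (type dynamic), since both peers arrive from one NATed address.
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        # One tunnel interface per connected peer instead of a single shared
        # interface, so FortiGate-B's tunnel does not replace FortiGate-A's.
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-idle
        set psksecret <PLACEHOLDER_PSK>
    next
end
config vpn ipsec phase2-interface
    edit "from-azure-p2"
        set phase1name "from-azure"
        set proposal aes256-sha256
        set dhgrp 14
        # Both peers announce the same remote subnet. "allow" installs both
        # routes (ECMP over the two tunnels); the default replaces the older
        # route when the second peer connects, which drops the first tunnel.
        set route-overlap allow
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.10.0.0 255.255.0.0
    next
end
```

With this layout the symptom in the original post (tunnel A dropping as soon as B connects) is avoided because the responder keeps a separate interface and route for each peer; a sanity check after both peers connect is that the on-prem routing table shows two equal-cost routes to 10.10.0.0/16 via the two dynamically created tunnel interfaces.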

alihmp2005

Thanks hbac for your answer, but if instead of an on-premise FortiGate I create an Azure VPN gateway (Virtual Network Gateway + Local Network Gateway), then how should I configure that?

[Image: nq.JPG]

Thanks
