I have 50+ remote branch offices that use Fortigates with a single WAN connection, which uses one IPsec tunnel back into our Primary HQ. However, we would like to add a second IPsec tunnel as a backup path at another location at Secondary HQ FG. Is there more than one way to set this up? If so, what are those setups, and which is more feasible to do? My end goal is when the IPsec tunnel goes down because Primary HQ route is not active, it should route to the Secondary HQ automatically. Also, FG is running firmware 7.2.
I heard others recommend using two IPsec tunnels and also creating a BGP neighbor as an option. I wasn't sure if there were any other ideas.
If you're expecting to fail over automatically to the secondary path on a per-location basis, you need to have a routing protocol like BGP to advertise the same route over two IPsec tunnels per location. I recommend eBGP (different AS per location) in case you need to connect a remote to a remote now or in the future, to avoid problems that come with iBGP (one AS for all locations).
I'm assuming you have a direct connection between the primary FGT/HQ and the secondary FGT/HQ over a circuit or IPsec tunnel and are sharing routes with each other. Between them you might choose iBGP (same AS). Or even eBGP would work fine.
In that case, you just need to set the local preference lower than the default 100 on the secondary HQ FGT for the routes coming from all remote locations so that HQ uses the primary route to send traffic toward the remote locations.
On the other hand, at all remote locations, you just need to set the location preference lower than the default 100 on the routes learned over the secondary HQ IPsec. This takes care of the traffic direction from the remote locations to HQ.
Toshi
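The local-preference setup described in the answer above, sketched as FortiOS CLI configuration. This is an added example, not part of the original reply; the AS numbers, tunnel peer addresses and route-map names are constructed placeholders, and it assumes both HQ FortiGates share one AS and exchange routes over iBGP.

```fortios
# --- Branch FortiGate (constructed: branch AS 65101, HQ AS 65000) ---
# 10.255.1.1 = primary HQ tunnel peer, 10.255.2.1 = secondary HQ tunnel peer
config router route-map
    edit "RM-SECONDARY-HQ-IN"
        config rule
            edit 1
                # Below the default of 100, so primary HQ routes win
                set set-local-preference 50
            next
        end
    next
end
config router bgp
    set as 65101
    config neighbor
        edit "10.255.1.1"
            set remote-as 65000
        next
        edit "10.255.2.1"
            set remote-as 65000
            set route-map-in "RM-SECONDARY-HQ-IN"
        next
    end
end

# --- Secondary HQ FortiGate (constructed: 10.255.2.101 = branch tunnel peer) ---
config router route-map
    edit "RM-BRANCH-IN"
        config rule
            edit 1
                # HQ side prefers the copy learned via the primary HQ
                set set-local-preference 50
            next
        end
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.255.2.101"
            set remote-as 65101
            set route-map-in "RM-BRANCH-IN"
        next
    end
end
```

When the primary tunnel's BGP session drops, its routes are withdrawn and the local-preference 50 routes over the secondary tunnel become the only candidates, which is what produces the automatic failover in both directions.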