Does anyone have a recommendation on how to set up two IPsec tunnels? The client sites are using FortiGate-60E (firmware 7.2), which will be using the home WAN internet with one IPsec tunnel back to our HQ. But we are hoping to add another tunnel from the client FortiGate to another backup HQ site in case the primary HQ goes down. Not sure if there is more than one way of doing this.
Hi Brendan,
You may try checking these two articles. Basically, if I understand your query correctly, just point the secondary tunnel to your backup HQ.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-IPsec-Backup-Tunnel/ta-p/245084
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-IPSEC-Tunnel-using-single-WAN-co...
Hope these help.
Regards,
Denice
Created on 07-01-2024 07:01 AM Edited on 07-01-2024 07:02 AM
Thank you Denice! I did give those two a look. Will either of those references still work with the scenario I currently have below? All sites only have a single WAN connection, so I am trying to set up client FG1 to have two IPsec tunnels.
FG1 -> WAN1 -> (IPsec Tunnel) Primary HQ FG2
FG1 -> WAN1 -> (IPsec Tunnel) Secondary HQ (Different Location) FG3
Hello Brendan,
Yes, the same concept applies to your setup. For the secondary tunnel, just ensure you are specifying the remote gateway as the IP of the secondary HQ (FG3) but both tunnels can exist on the same WAN interface of FG1.
What you're asking about is not only doable but is also a good idea, although you will probably need to set up iBGP to take full advantage of it.
iBGP will make it so that when your primary IPsec tunnel is down, so long as a route to the same destination network exists (via the BGP-created route) the traffic will be sent along the secondary tunnel instead of just being dropped because of no network path.
Hi Paul,
If I understood correctly, we can have two IPsec tunnels in this scenario, but without routing enabled the packet will drop because of no network path, right, unless iBGP comes into play? What about using SLA monitoring instead of iBGP? Could that be used instead of having to enable routing?
Oh you can have an identical route to more than one tunnel, but which one gets it will be anyone's guess. With iBGP it will be clear in the routing table that the longer path isn't the one you want, and if/when a link goes down its route will be automatically removed (and they are of course added when a link comes up and BGP finishes its paperwork).
SLA monitoring for SD-WAN stuff is one of the things you can also do to adjust which of the routes is used (lowest cost, best quality, manual priority etc), and you could have both SLA monitors and BGP involved at the same time (but trying to wrap your head around what happened when will get more complex). Perhaps stick with using just one mechanism to manage this unless you drink loooots of coffee all day.
"Oh you can have an identical route to more than one tunnel, but which one gets it will be anyone's guess" - no, that's why routes do have a metric. You can specify which one to use first by setting priority and/or distance.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
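The static-route variant discussed in this thread (two tunnels on one WAN interface of FG1, the backup route preferred only when the primary tunnel is down) as an added FortiOS 7.2 CLI example; this is not configuration from any of the posters or from the linked articles. Tunnel names, the 203.0.113.x remote gateways, the 10.x subnets and the PSK placeholder are all constructed values for illustration. It relies on two FortiOS behaviours: a static route whose device is a tunnel interface is withdrawn from the routing table while that tunnel is down, and DPD is what takes the tunnel down promptly when the peer stops answering, so without DPD the failover would wait for IKE lifetimes to expire.

```fortios
# --- FG1 (client site): two IPsec tunnels, both bound to wan1 ---
config vpn ipsec phase1-interface
    edit "to-HQ1"                      # constructed name: primary HQ (FG2)
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10     # constructed: FG2 public IP
        set psksecret <PSK-PRIMARY-PLACEHOLDER>
        set dpd on-idle                # detect a dead peer even with no traffic
        set dpd-retryinterval 5
    next
    edit "to-HQ2"                      # constructed name: backup HQ (FG3)
        set interface "wan1"           # same single WAN interface is fine
        set ike-version 2
        set remote-gw 203.0.113.20     # constructed: FG3 public IP
        set psksecret <PSK-BACKUP-PLACEHOLDER>
        set dpd on-idle
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "to-HQ1-p2"
        set phase1name "to-HQ1"
        set src-subnet 10.1.0.0 255.255.255.0    # constructed: client LAN
        set dst-subnet 10.0.0.0 255.255.0.0      # constructed: HQ networks
    next
    edit "to-HQ2-p2"
        set phase1name "to-HQ2"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end

# Same destination over both tunnels; the lower distance wins while
# to-HQ1 is up. When DPD brings to-HQ1 down, route 1 leaves the routing
# table and route 2 takes over without any dynamic routing protocol.
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "to-HQ1"
        set distance 10
    next
    edit 2
        set dst 10.0.0.0 255.255.0.0
        set device "to-HQ2"
        set distance 20
    next
end

# Policies for both tunnels; "all" is used here only to keep the
# example short. Restrict srcaddr/dstaddr to the real subnets in practice.
config firewall policy
    edit 10
        set name "lan-to-HQ1"
        set srcintf "internal"
        set dstintf "to-HQ1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "lan-to-HQ2"
        set srcintf "internal"
        set dstintf "to-HQ2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify the failover, check the active route before and after the primary tunnel is brought down: `get router info routing-table all` should show 10.0.0.0/16 via to-HQ1 normally and via to-HQ2 once to-HQ1 is down, and `diagnose vpn ike gateway list` shows which IKE SAs are established. Using `set priority` instead of `set distance` keeps both routes in the routing table at once (the lower priority is preferred), which is useful when the tunnels are also used for SD-WAN or SLA steering as mentioned earlier in the thread; with differing distances only the best route is installed. Each HQ FortiGate needs the mirror-image phase1/phase2, a static route for 10.1.0.0/24 via its tunnel, and matching policies.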