Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Deftone
New Contributor

WAN and failover dialup IPSec

Hi everyone,

I think I need some help. I will try to explain what I'm trying to achieve.

We have a headquarters and three small locations. In our headquarters we have a big FG1500 and on the three small locations we have FGT30E 3G/4G. The locations are connected through an ethernet circuit and are running OSPF between them.

On the small locations I configured dial up IPsec through LTE to our main Fortigate with OSPF.

Everything is working fine on the sub locations while connected to the ethernet circuit. I learn routes through OSPF as expected and can reach everything.... The default route is learned from the headquarters Fortigate and that's fine....

When I disconnect the ethernet circuit the IPSec kicks in and the routes are learned through the IPSec interface, except the default route... Instead of learning my default route from the main Fortigate, the default route from the LTE is injected into the routing table with a distance of 10. I tried to change the distance under the LTE interface but then my IPSec goes down...

Does anyone have any idea how I can fix that... What I'm trying to achieve is that the small Fortigate learns the same subnets and default gateway from the main Fortigate over the IPSec as when connected through the ethernet circuit.

Thanks 

7 REPLIES
Toshi_Esumi
SuperUser

You need to have a /32 static route for the HQ's IP toward the LTE interface to keep the tunnel up. Then you can change the distance higher than OSPF (110).

Deftone

Hi,

Thanks for the reply...

Just wondering... Should I create a static route to the WAN IP of the HQ towards the IPSec tunnel interface or the wwan interface for LTE?

For the tunnel interface it would look like this:

config router static
    edit 0
        set dst 192.168.30.100 255.255.255.255
        set device "TUNNEL_INTERFACE"
    next
end

Toshi_Esumi

LTE. That's where the injected default route was pointing to, right? Which would go away when you change the distance.

Toshi_Esumi

Sorry, I forgot the LTE was backup. So you need two static routes for the HQ IP (public) /32 toward both ethernet (primary VPN path) and LTE (backup VPN path). I would make the LTE side with a high-number priority (lower priority) and set up "link-monitor" to remove the primary static route when it loses pinging via the primary Internet.

Deftone

Hi, yes the LTE with IPSec is the backup connection. I wonder if it is necessary to add a static route for the ethernet connection towards the HQ. My Fortigate is learning all the routes including the default route through OSPF. The same happens when I disconnect the WAN. The connection falls over to the IPsec with this exception: the LTE is injecting its own default route into the routing table and this is not what I want.

Toshi_Esumi

Is your main "ethernet" connection to HQ a point-to-point connection or MPLS? Since you didn't mention it in the original post, I assumed it's another VPN over a wired-internet. If p2p or mpls, you don't need the static route for the /32 to the main interface. It's only for VPN to come/stay up while the OSPF default route takes it into the tunnel.

Deftone

That did the trick.. I added a static route on the sub location towards the HQ on the LTE interface and was able to change the distance... Now the right default route is injected into the routing table.. Thanks for helping!
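The arrangement Toshi_Esumi describes, written out as FortiOS CLI as an added example (not configuration posted in the thread or taken from Fortinet documentation): a /32 host route to the HQ public IP over each path, the LTE copy with a higher priority number and a raised interface distance so the tunnel's IKE/ESP traffic stays off the tunnel while the OSPF default learned through it wins, plus the link-monitor that withdraws the ethernet host route when HQ stops answering on that path. The interface names wan1 and wwan, the HQ address 203.0.113.10 and the ethernet next hop 198.51.100.1 are assumed placeholders.

```fortios
# Added example, not from the thread. Assumed names: wan1 = ethernet uplink,
# wwan = built-in LTE modem, 203.0.113.10 = HQ FortiGate public IP (placeholder),
# 198.51.100.1 = ethernet next hop (placeholder).

# Raise the administrative distance of the default route the LTE modem
# injects so the OSPF default (distance 110) received through the tunnel wins.
config system interface
    edit "wwan"
        set distance 120
    next
end

# Host routes to the HQ public IP keep the tunnel endpoint reachable without
# the OSPF default pulling the IKE/ESP packets into the tunnel itself.
config router static
    # Preferred copy while the ethernet path is up (priority 0 = most preferred).
    edit 1
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
        set priority 0
    next
    # Backup copy over LTE: same prefix, higher priority number = less preferred.
    # The next hop is taken from the modem session rather than set statically.
    edit 2
        set dst 203.0.113.10 255.255.255.255
        set device "wwan"
        set dynamic-gateway enable
        set priority 10
    next
end

# Only needed when the ethernet path is itself a VPN over the Internet
# (Toshi_Esumi's third reply): withdraw route 1 when pings to HQ via wan1 fail,
# so the backup host route over wwan takes over and the tunnel re-establishes.
config system link-monitor
    edit "hq-via-wan1"
        set srcintf "wan1"
        set server "203.0.113.10"
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

If the ethernet path is a point-to-point or MPLS circuit, route 1 and the link-monitor can be dropped and only the wwan host route and the interface distance are required, which matches what the original poster reported working.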
