Wan2 automatically failover to IPSEC VPN on wan1

noffie · ‎03-28-2016

We just implemented a dedicated connection between two of our plants in difference states. So, our current setup on our 110c at this facility, for example, is this:

[ul]

wan1 is internet connection

wan2 is a direct connection to the other plant

there is an IPsec VPN created over wan1 that connects to fortigate at the other plant

we have static routes setup for both of these connections for the same remote subnet, but use priority to pick which one is "turned on"[/ul]

Usually we have the route that goes over the direct connection set to priority 0 so that it is used, and the VPN backup is set to priority 10. But if the direct connection goes down for some reason, we have to login and manually swap the priorities on the routes for traffic to start flowing over the IPsec VPN again. We would like this to be automatic, so that if direct connection on wan2 goes down, traffic starts flowing automatically over the IPsec VPN on wan1 instead to get to the remote facilities subnet.

This thread makes it seem like this has been achieved before, although they don't say how (only complain about how existing sessions work when both are up again, which I don't think would be an issue for us): https://forum.fortinet.com/tm.aspx?m=107052

Any help or thoughts would be appreciated.

Here is relevant bits of our static routes, currently configured in "use the backup IPSEC VPN mode":

Thanks!

noffie · ‎03-31-2016

Maybe we would have more options if we upgraded our firmware?

thesirnewton · ‎11-07-2016

Did you finally achieve the automatic failover? I'm working on such a deployment and i would appreciate a headsup.

ede_pfau · ‎11-07-2016

hi,

this shouldn't be a problem to switch routes between 2 interfaces (one physical, one virtual). You need 2 static routes (default routes, dest = '0.0.0.0/0') with same distances but different priorities. In FortiOS, "priority" means "cost" in routes.

Additionally, you would instruct FortiOS to watch our for a line failure. This is done via "detectserver", "gwdetect" and similar, the exact name depends on the firmware version. The main keyword is "remote failover detection" as you would set up a ping target, a server somewhere on the 'net which the FGT pings to see if it's alive. If the pings fail, the FGT notices that the WAN line is down, and removes the corresponding default route. The second, hidden, default route is then used, via the VPN.

The 'Fortinet Handbook' for your version of FortiOS contains all necessary info on this. 'Advanced routing' or 'ECMP' are topics to look for.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

thesirnewton · ‎11-07-2016

Thanks for the quick reply.

Does it matter what kind of connection the WAN2 is? whether a PTP or MPLS?

Does the automatic failover work the same way?

MikePruett · ‎11-07-2016

Shouldn't matter. Connectivity is connectivity as long as everything else is proper.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

ede_pfau · ‎11-11-2016

(sorry, your post slipped past...)

Well, it depends. In principle, routing will occur just the same as with static addresses but you will have to cope with this kind of automatically inserted route.

For instance, if the WAN port uses PPPoE or DHCP the gateway is determined at the time of the successful connection, and the default route is set in the System > Interface dialog, not statically in the Router > Static routes section.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

JakubP · ‎11-11-2016

Does not matter.

I have Wan1 as primary Wan2 as backup

On both IPsec VPN configured And for each route add with different priority

Automatic failover work

Maxim_Vanichkin · ‎11-12-2016

You have to use "monitor" command.