Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- mpls connection with ipsec vpn as backup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mpls connection with ipsec vpn as backup
hi folks have similar issue same as this thread https://forum.fortinet.com/tm.aspx?m=135847
The only difference is that we are using FOS 5.4 and 5.6. we're playing with static routes (distance and metric) seems failover is not working as expected. If you ask regarding the design and static routes similar with the link stated above.
Any help is much appreciated.
Fortigate Newbie
Fortigate Newbie
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So your main connection goes directly into MPLS over L2 circuit then your backup is via IPsec VPN into the same MPLS cloud over another ISP's internet circuit (we call it a "L3 circuit")?
If so, you can handle outgoing routing with some static route arrangement at this location with no problem. But the issue comes up on the opposite direction: coming from other MPLS connected locations into this location. Depending on your MPLS provider's setup or their product offers, they might not fail over to the backup IPSec path when the main circuit is down. You need to talk to the provider how to set up the failover. Likely they need to change something and use a routing protocol with this location to be able to move the incoming routes around. We are actually one of MPLS network providers and we offer BGP setup to our customers who needs a failover.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi. thank you for your time. Please see revised network design if you shed some insights for this setup.
Existing and working setup, remote site having no fortigate firewall all computers are routed to router device (192.168.2.1). All workstations from Remote site able to access local resources to Head Quarters side via IPVPN.
End user wants to achieve failover/redundancy in the event IPVPN goes down. So based on the attached diagram, WANx interface is connected to Internet and Fortigate LAN interface is connected to L2 switch with an ip address of 192.168.2.254. Now all workstations in remote site reconfigured to route via local interface of Fortigate. Outcome of the revised design, workstations from remote site still able to ping vlans from HQ via IPVPN, Second, workstations from remote site still able to ping vlans from HQ via IPSEC VPN, the catch here we need to changed the Distance manually in the Static Route in order the traffic to sway to IPSEC Tunnel the moment we altered the route/gateway to IPVPN link (e.g from 192.168.2.2 to 192.168.2.100) just to assume that link is down or not reachable)
Does it matter because during our testing the workstation is connected to L2 switch not on fortigate switch interfaces, so even we altered the gateway, fortigate able to detect that the ipvpn is still connected physically?
Again, a million thanks!
Fortigate Newbie
Fortigate Newbie
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me ask this. Is the remote router and the core switch (L2/L3 switch/router?) are GW to each other over the IPVPN? My guess is no and both sides have different GW IPs lives inside of the IPVPN cloud. Then this is a flaw No.1: you're relying on L1/L2 down to detect the connection down on both sides. There are situations the link is up but connectivity is down. Or one side of link down but the other side of link is up.
And with your design with a set of FGs, FGs can't detect connection down. This means you need to rely on the routing change capability on the router and the core switch. Adding FG-FG vpn is just adding the secondary connection between the router and the core switch. You can't utilize FG's capability.
A simple solution is to set up a routing protocol like ospf, bgp, etc. between the router and the core switch if they're capable. Then the routing protocol detect neighboring down and can failover at the same time. If you have to use static routing, you need to have a way to detect the connection down on both side and remove the static routes, like Cisco's IP SLA&track.
Another option would be letting those FGs to terminate both IPVPN and IPSec on both side and let FGs to detect IPVPN connection down, with like link-monitor. It works like just Cisco's IP SLA&track, it detests the connection down (with pinging) and remove static routes toward the link.
Again, the key design concept here is what device can detect the down and make the routing decision, then the routing change need to happen on both end at the same time.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:Yes, IPSEC VPN was terminated on both FG's. T'was configured that remote site will Dialup UP to HQ to established ipsec tunnel and to accessed HQ local resources. Please correct me if I'm wrong based on your statement. Meaning to say given that WAN(1) is facing Internet ISP, I need to assign 192.168.2.x on WAN(2) interface and introduce new network address on LAN? With this, I have the flexibility to monitor WAN link failure. Your thoughts please. thank you.
Another option would be letting those FGs to terminate both IPVPN and IPSec on both side and let FGs to detect IPVPN connection down, with like link-monitor. It works like just Cisco's IP SLA&track, it detests the connection down (with pinging) and remove static routes toward the link.
Fortigate Newbie
Fortigate Newbie
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to go that design, the FG#1 should terminate the ISP with wan1(or2) and terminates IPVPN with wan2(or1), then LAN(internal) has 192.168.2.1/24, which will eliminate the router. Then you want to set up link-monitor toward the other end to detect connection down. I think there were multiple discussions in the forum as well as FTNT KB, documentations about link-monitor. Then again, you need to do the same on HQ side.
You should test your design well in a maintenance window(s) before deploying so that you and your customer can be sure the design and config work as you/they expect.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or keep .2.254 on FG#1 if you don't want to change the default route for all devices.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,742 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.