oneil1987
New Contributor

Primary and secondary WAN connection for IPSec tunnel

Hi guys,

I am new to the field of advanced routing. In my company we have the following network construct to a branch office:

  • A dark fibre line connects 2 FortiGate firewalls
  • An LTE line is to be used as a backup line
  • Both fortis are connected to each other via both lines using IPSec

At the moment the internet traffic goes over the LTE line, but in the future it should work as a backup internet line, but currently the LTE line is the internet access line for all clients in the branch office.
If we put a new default route 0.0.0.0/0 on the WAN interface with the dark fibre, both routes go down.

How do the two Fortigates have to be configured so that everything runs via the dark fibre and the LTE line is only used if the dark fibre fails?

Thank you in advance for your answers.

 


akumar02
Staff

Hello @oneil1987,
Kindly use this article for the redundant internet.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-Internet-connection-without-load...

In this article, Port 1 is considered dark fiber and Port 2 is considered LTE.

Also, make sure you configure the policies via Dark Fiber as well, and test Internet connectivity from the Dark Fiber IP address as well:

exec ping-options source x.x.x.x <--------- FortiGate Dark Fiber interface IP address
exec ping 8.8.8.8

If the ping works, then the Internet connectivity is fine.

Also, you can double-check the arp table for the Dark Fiber to have the correct Gateway IP address:

get sys arp | grep <dark fiber interface name>


Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
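
A minimal sketch of the active/backup layout this reply describes, added here as an illustration and not taken from the linked article or from Fortinet. It assumes port1 is the dark fiber and port2 the LTE line (as in the reply), uses documentation-range gateway addresses as placeholders, and reuses 8.8.8.8 from the ping test above as the health-check target. Lines starting with # are annotations.

```fortios
# Two default routes: the lower administrative distance wins, so port1
# (dark fiber) carries traffic while its route is installed.
config router static
    edit 1
        set device "port1"
        # placeholder gateway on the dark fiber side
        set gateway 192.0.2.1
        set distance 10
    next
    edit 2
        set device "port2"
        # placeholder gateway on the LTE side
        set gateway 198.51.100.1
        set distance 20
    next
end

# Health check on the primary path. Without it, a failure beyond the
# directly connected link leaves the port1 route installed and traffic
# is silently dropped instead of failing over to LTE.
config system link-monitor
    edit "dark-fiber-mon"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 192.0.2.1
        set protocol ping
        # withdraw the port1 static route while the check fails
        set update-static-route enable
    next
end
```

Firewall policies must exist for both egress interfaces, otherwise traffic is denied after the route changes. Running get router info routing-table all before and after disconnecting the primary shows which default route is installed.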
oneil1987

Hi akumar,

thanks for the link. I'll have a look at it this week. I don't know how it will work out this week to make the changes, but I will definitely give feedback as soon as I have tackled the whole thing and hopefully been able to implement it.

Thank you, oneil1987

akumar02

Thanks oneil1987, 
Please keep us posted. 

Best Regards,
Arun Kumar | TAC Engineer II