Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
enrico_l
New Contributor

Created on ‎12-07-2023 07:50 AM

Configuration Help IPSEC on secondary WAN interface

Hi,

I need some help for configuring an IPSec VPN tunnel on a Fortigate that has WAN1 and WAN2, configured as secondary with a bigger distance value.
We need to use WAN2 to configure a site-to-site ipsec, but I'm struggling with let it work; before adding the second connection on WAN2, it was configured on WAN1 without problem.

 

Any tips for me for the configuration?

Thanks!

Labels:
1906
0 Kudos
7 REPLIES 7
hbac
Staff
Staff

Created on ‎12-07-2023 08:09 AM

Hi @enrico_l,

 

I believe you created a new tunnel for WAN2 but it is not coming up? A bigger distance value is controlled by the static route. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/432685/manual-redundant-vpn-...

 

Regards, 

1890
enrico_l
New Contributor
In response to hbac

Created on ‎12-07-2023 08:21 AM

No, we have to different internet connections, and we want to use primary for users and normal traffic, the secondary to another company site to share local resources

1883
0 Kudos
hbac
Staff
Staff
In response to enrico_l

Created on ‎12-07-2023 08:24 AM

@enrico_l,

 

Did you create a tunnel for WAN2 for sharing resources? 

 

You need to make sure both WAN interfaces appears in the routing table. You can run this command to check "get router info routing-table all". 

 

Regards, 

1878
0 Kudos
enrico_l
New Contributor
In response to hbac

Created on ‎12-07-2023 08:31 AM

 

fortigateroutingall.jpg

I did create the tunnel for Wan2 to the remote gw ( the one in yellow xxx.xxx.. )

1874
0 Kudos
hbac
Staff
Staff
In response to enrico_l

Created on ‎12-08-2023 07:09 AM

@enrico_l,

 

You don't have a default route via wan2 which is why the tunnel is not working. The IPsec tunnel configured on wan2 won't be able to negotiated if there is no default route via wan2. 

 

You need to have a default route for wan2 with the same administrative distance as wan1. You can give it a lower priority if you want it to be secondary. The administrative distance of your wan1 is 5. 

 

Regards, 

1794
0 Kudos
nweckel
Staff
Staff
In response to enrico_l

Created on ‎12-07-2023 08:29 AM

Where is the problem? The new IPsec configuration? Phase1 is not coming up? The traffic is not correctly routed? Allowing traffic from companyA to companyB (so traffic from Wan1 IPsec to Wan2 IPsec)?

1875
0 Kudos
enrico_l
New Contributor
In response to nweckel

Created on ‎12-07-2023 08:44 AM

phase1 not coming up

1865
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.