sw2090
Honored Contributor

IPSec Dialup VPN, redundancy and non-static IP odyssey

This is what I have:


Fortigate on Site with static WAN IP

Fortigate on other side without static WAN IP


What I need:

redundant IPSec Tunnel between those two FGT


What I tried:


1) S2S with DDNS on one site. Does not work because S2S by default is negotiated by both sides, but since the other side is not always online and has no static IP, this would create dead ends on the side with the static IP. Disabling P1 auto-negotiation on that side prevents that, but unfortunately Fortinet failed here because if you disable P1 auto-negotiation then the DDNS remote GW is also no longer updated. This means the tunnel would work until the next IP change on the dynamic side and then stop working. No workaround for that. So cannot use S2S.


2) Dialups with SD-WAN VPN Zone. Does not have the problems mentioned above because a dialup on the site that is dialled into does not have a remote GW set. Unfortunately this also does not work because Fortinet failed with the SD-WAN implementation of dialup VPN, which means SD-WAN cannot correctly determine if a dialup is online or offline and due to that fails to change the member when one IPSec goes down and the other is up. There is no workaround for that. So cannot use it.


3) Dialups without SD-WAN VPN Zone. Needs two dialups in the policy and redundant static routing. That would be fine, but unfortunately Fortinet failed the same way as in 2) with their routing daemon in FortiOS. It also cannot detect the correct link status of dialup VPNs and due to that fails to bring up the correct route and take down the other. At least here there is a workaround: it will bring up the other route when you deactivate the existing one.


This is rather annoying because that way it is redundant but always requires manual intervention on one side.

I feel rather frustrated about such bugs in hardware/software sold for such prices :(

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

Thinking about it I think the root of all of this is the way FortiOS handles VPN connections:


S2S: one unique VPN interface on each side of the tunnel. So the link status of that interface is also unique and determinable.


Dialup: since it supports concurrent connections (without that it would be rather useless too), every dialup connection has to be enumerated as a separate virtual interface. Since this is dynamic, it of course cannot be used in the config of the FGT. So you have to point a static route or an SD-WAN member to the "base interface" of your dialup. So routing and SD-WAN can only look at the link status of that interface. Due to this I suppose that the link status of this "base interface" of a dialup IPSec is always up and never changes. And that would then explain why SD-WAN and routing cannot determine which dialup tunnel interface is up and due to this do not change member or route when one goes down or up.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
