Hot!Full Mesh VPN with redundant ISPs

Author
dwear
New Member
  • Total Posts : 16
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/12/14 12:45:18
  • Status: offline
2018/04/02 11:54:20 (permalink)
0

Full Mesh VPN with redundant ISPs

I have 4 sites, with 2 ISPs on each, and I want to create a full mesh VPN. I've tried to use the VPN manager to create the VPNs, which works awesome as long as I'm only using 1 ISP with each FG. If I go to add in the other ISP connection as another managed gateway, i get an error when installing the policy stating 33- duplicate. I'm guessing that is because the FG is duplicated, or that it is trying to VPN from ISP 1 to ISP 2 within the same FG. Anyone know how to accomplish a full mesh with dual VPNs? 
#1

9 Replies Related Threads

    Toshi Esumi
    Platinum Member
    • Total Posts : 734
    • Scores: 36
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/02 12:44:11 (permalink)
    0
    Full mesh itself doesn't require multiple ISPs per site. If you have 4 total sites, each needs 3 vpns (like A->B, A->C, A->D).
    Redundancy between two ISP circuits requires a failover mechanism you choose. However, VPN itself doesn't fail-over one interface to another since you need to specify the interface in the IPsec phase1-interface config. So, you would end up setting 3 x 2 vpns over two ISP interfaces exhaustively per location and change routes from the primay VPNs to the secondary VPNs either by a routing protocol or by link-monitor to remove the primary static routes when the primary interface monitor goes down.
    #2
    dwear
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/12/14 12:45:18
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/02 17:34:02 (permalink)
    0
    Thanks. Maybe my question wasn't clear. What you stated is what I already understand how to do via the Fortigates themselves. My question is, how do I accomplish that via Fortimanager and VPN manager? As we open more branches, the configuration will get exponentially more difficult. VPN Manager appears to solve that problem by simply adding the device as a managed gateway and letting it handle the tunnels. It does it easily if each site only had 1 ISP. I can't seem to get it to work with multiple ISPs at each site though, or at least I can't figure out how its supposed to be done. 
    #3
    Toshi Esumi
    Platinum Member
    • Total Posts : 734
    • Scores: 36
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/02 22:27:19 (permalink)
    0
    I don't know anything about VPN manager. So you need to wait somebody else's reply. But I would expect much from it.
     
    But as you said, that's why mesh is not an effective topology when the number of sites get larger. By the same token iBGP, which by nature requires mesh topology, has  route-reflector concept to overcome the issues coming with larger scale installations. I recommend you consider selecting a couple or three of hub locations and connect the rest of them to those hub locations over VPNs. Hub locations should be meshed (in case three or more hubs). Since every locations including those hub locations have two ISP circuits, multiple-hub topology is reasonably redundant.
    #4
    Toshi Esumi
    Platinum Member
    • Total Posts : 734
    • Scores: 36
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/02 22:29:18 (permalink)
    0
    I meant "I wouldn't expect ...."
    #5
    dwear
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/12/14 12:45:18
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/03 06:21:59 (permalink)
    0
    Thanks. Full mesh wouldn't make sense to do manually, but it seems that FMG would handle that, thus making it manageable. Maybe you are right and I'm expecting too much. 
     
    I looked at doing ADVPN, though I'm not totally sure how to handle the redundant ISP connections to the HUBs. So if we went ADVPN, I would have 2 hubs (2 of the sites are DC and DR). Should I treat each ISP at the DC and DR as its own HUB? 
    #6
    ede_pfau
    Expert Member
    • Total Posts : 5519
    • Scores: 364
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/03 08:31:36 (permalink)
    0
    I'm sure you've already checked this, but just for completeness...
    http://cookbook.fortinet....redundant-hubs-expert/

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7
    dwear
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/12/14 12:45:18
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/12 08:49:15 (permalink)
    0
    Thanks. Yea I have seen that. I'm guessing that I create each ISP as a Hub, meaning I would have 4 hubs (2 fortigates, 2 ISPs each)?
    #8
    ede_pfau
    Expert Member
    • Total Posts : 5519
    • Scores: 364
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/15 04:58:05 (permalink)
    0
    At some point this would be getting too complicated, and thus, not robust enough. I think there is no straightforward recipe for this at the moment, sorry.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #9
    neonbit
    Platinum Member
    • Total Posts : 439
    • Scores: 41
    • Reward points: 0
    • Joined: 2013/07/02 21:39:52
    • Location: Dark side of the moon
    • Status: offline
    Re: Full Mesh VPN with redundant ISPs 2018/04/15 06:14:32 (permalink)
    0
    I tried out the same scenario a few weeks ago and ran into the same problem. I think the issue was that the VPN interfaces were named the same for the primary and backup which broke it.
     
    I just tested this out in my lab with two FGT's and a FMG and managed to get it working but configured it with ISP1 connecting to ISP1 on each firewall and ISP2 to ISP2 (so ISP1 isnt connecting to ISP2 of the remote firewall).

    The way I approached this was to configure two VPN communities, vpn and backup vpn. Each community had the same FGT's but each was referencing a different WAN interface (vpn had WAN1 and backup vpn had WAN2).
     
    Once pushed out I then edited the VPN policy to reference both zones.

     
    Tested failover and it worked great. Pinged the other side through vpn and was working, brought down WAN1 and the pings then moved to backup vpn.
     
    One thing to note is that if you allow the VPN manager to automatically add the routes it creates both routes but with the same distance/priority. If you want to make VPN1 the primary then you should change the priority for VPN2 routes.
    post edited by neonbit - 2018/04/15 06:37:02
    #10
    Jump to:
    © 2018 APG vNext Commercial Version 5.5