dwear
New Contributor

Full Mesh VPN with redundant ISPs

I have 4 sites, with 2 ISPs on each, and I want to create a full mesh VPN. I've tried to use the VPN manager to create the VPNs, which works awesome as long as I'm only using 1 ISP with each FG. If I go to add in the other ISP connection as another managed gateway, i get an error when installing the policy stating 33- duplicate. I'm guessing that is because the FG is duplicated, or that it is trying to VPN from ISP 1 to ISP 2 within the same FG. Anyone know how to accomplish a full mesh with dual VPNs? 

Toshi_Esumi
SuperUser

Full mesh itself doesn't require multiple ISPs per site. If you have 4 total sites, each needs 3 vpns (like A->B, A->C, A->D).

Redundancy between two ISP circuits requires a failover mechanism you choose. However, VPN itself doesn't fail over from one interface to another, since you need to specify the interface in the IPsec phase1-interface config. So, you would end up setting 3 x 2 VPNs over two ISP interfaces exhaustively per location and changing routes from the primary VPNs to the secondary VPNs, either by a routing protocol or by link-monitor to remove the primary static routes when the primary interface monitor goes down.

dwear

Thanks. Maybe my question wasn't clear. What you stated is what I already understand how to do via the FortiGates themselves. My question is, how do I accomplish that via FortiManager and VPN Manager? As we open more branches, the configuration will get exponentially more difficult. VPN Manager appears to solve that problem by simply adding the device as a managed gateway and letting it handle the tunnels. It does it easily if each site only has 1 ISP. I can't seem to get it to work with multiple ISPs at each site though, or at least I can't figure out how it's supposed to be done.

Toshi_Esumi

I don't know anything about VPN Manager. So you need to wait for somebody else's reply. But I would expect much from it.


But as you said, that's why mesh is not an effective topology when the number of sites gets larger. By the same token, iBGP, which by nature requires a mesh topology, has the route-reflector concept to overcome the issues that come with larger-scale installations. I recommend you consider selecting two or three hub locations and connecting the rest of them to those hub locations over VPNs. Hub locations should be meshed (in case of three or more hubs). Since every location, including those hub locations, has two ISP circuits, a multiple-hub topology is reasonably redundant.

Toshi_Esumi

I meant "I wouldn't expect ...."

dwear

Thanks. Full mesh wouldn't make sense to do manually, but it seems that FMG would handle that, thus making it manageable. Maybe you are right and I'm expecting too much. 


I looked at doing ADVPN, though I'm not totally sure how to handle the redundant ISP connections to the HUBs. So if we went ADVPN, I would have 2 hubs (2 of the sites are DC and DR). Should I treat each ISP at the DC and DR as its own HUB? 

ede_pfau

I'm sure you've already checked this, but just for completeness...

http://cookbook.fortinet....redundant-hubs-expert/


Ede

"Kernel panic: Aiee, killing interrupt handler!"
dwear
New Contributor

Thanks. Yeah, I have seen that. I'm guessing that I create each ISP as a hub, meaning I would have 4 hubs (2 FortiGates, 2 ISPs each)?

ede_pfau

At some point this would be getting too complicated, and thus, not robust enough. I think there is no straightforward recipe for this at the moment, sorry.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
neonbit
Valued Contributor

I tried out the same scenario a few weeks ago and ran into the same problem. I think the issue was that the VPN interfaces were named the same for the primary and backup which broke it.


I just tested this out in my lab with two FGTs and a FMG and managed to get it working, but configured it with ISP1 connecting to ISP1 on each firewall and ISP2 to ISP2 (so ISP1 isn't connecting to ISP2 of the remote firewall).

The way I approached this was to configure two VPN communities, vpn and backup vpn. Each community had the same FGTs, but each was referencing a different WAN interface (vpn had WAN1 and backup vpn had WAN2).


Once pushed out I then edited the VPN policy to reference both zones.


Tested failover and it worked great. Pinged the other side through vpn and was working, brought down WAN1 and the pings then moved to backup vpn.


One thing to note is that if you allow the VPN manager to automatically add the routes it creates both routes but with the same distance/priority. If you want to make VPN1 the primary then you should change the priority for VPN2 routes.
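For reference, here is what the per-device outcome of the approach described in this thread looks like in FortiOS CLI syntax: the "3 x 2 tunnels per site" pattern Toshi_Esumi describes (one phase1-interface per WAN circuit, routes shifted by priority and link-monitor), and the unequal route priority neonbit notes VPN Manager does not set on its own. This is an added illustration, not configuration posted by anyone in the thread or generated by FortiManager. It covers only one site pair (site A to site B, with the same ISP on each end paired together, as in neonbit's lab); the interface names, subnets, RFC 5737 addresses and the pre-shared-key placeholder are all assumptions, and the reverse-direction firewall policy is omitted for brevity.

```text
# Site A FortiGate (assumed names/addresses; PSK is a placeholder).
# Tunnels to site B over both ISP circuits: wan1 -> B's ISP1, wan2 -> B's ISP2.
# Repeat the same pattern for sites C and D to complete the mesh.
config vpn ipsec phase1-interface
    edit "toB-wan1"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.20
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "toB-wan2"
        set interface "wan2"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 198.51.100.20
        set psksecret <PSK-PLACEHOLDER>
    next
end

config vpn ipsec phase2-interface
    edit "toB-wan1-p2"
        set phase1name "toB-wan1"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "toB-wan2-p2"
        set phase1name "toB-wan2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Both tunnel interfaces in one zone, so a single policy covers primary and backup
# (the equivalent of editing the VPN policy to reference both zones).
config system zone
    edit "vpn-to-B"
        set interface "toB-wan1" "toB-wan2"
    next
end

config firewall policy
    edit 0
        set name "lan-to-B"
        set srcintf "internal"
        set dstintf "vpn-to-B"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Same destination via both tunnels. With equal distance, the lower priority
# value is preferred while both tunnels are up; this is the knob left at the
# same value for both routes when VPN Manager adds them automatically.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "toB-wan1"
        set priority 10
    next
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "toB-wan2"
        set priority 20
    next
end

# Link monitor on wan1: when the probe fails, static routes on wan1 (the ISP1
# default route) are withdrawn. Once DPD marks toB-wan1 down, its route becomes
# inactive and the priority-20 route via toB-wan2 takes over.
config system link-monitor
    edit "wan1-probe"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set update-static-route enable
    next
end
```

Site B mirrors this with the subnets and gateway addresses swapped. Failover behaviour (how quickly the primary route drops, and whether the primary tunnel actually goes down when its circuit fails) should be confirmed in a lab the way neonbit did, since DPD timers and the link-monitor defaults decide the switchover time.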
