Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
downlinkvip
New Contributor

Create VPN tunnels with two WAN link.

Hi guys,

 

I haven't implemented this thing before. So please tell me if it is possible to implement like below:

Our Fortigate at HQ has two FTTH WAN lines (WAN1, WAN2). I have configured two default routes with the same distance but different priority (we has some DMZ servers, so we want access to these servers by VIP on both two WAN link).

 

At the branch, we just have one FTTH WAN (WAN1). Currently, we just have IPSEC VPN site-to-site-tunnel from WAN1 of the Branch Firewall to WAN1 of HQ Firewall named it "VPN tunnel 1".

 

Is it possible to create another IPSEC VPN site-to-site tunnel, eg: from WAN1 of the Branch Firewall to WAN2 of HQ Firewall. I attached sample topology for refer. Thanks for reading.

4 Solutions
emnoc
Esteemed Contributor III

What do mean by default route? Are you planning on routing the branch local lan traffic across the two tunnels? Again if  yes, than set /32 static route to the HQ wan1/wan2 end-points for the VPN ( IPSEC / IKE ) and then use a routing protocol ( OSPF or RIP ) and inject a default route to the branch.

 

At the branch you  will advertise a local-LAN network(s) only and and they you control traffic with policies at branch and HQ. You can adjust what ipsec tunnel you would use by either metric/priority or even RIP offset.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
sw2090
Honored Contributor

traffic follows your route - with static routes - it will always use the route with the lowest prio if there is more than one route to the destination subnet or host. The route(s) to the subnet(s) at branch you want to reach from HQ refer to the corresponding ipsec tunnel interface  as destination. The tunnel itself is tied to a specific wan interface. So traffic to the subnet will get ipesc encapsulated and then flow out through the wan the tunnels is tied to.

 

If the route with the lowest prio cannot be used because gateway is not available e.g. the FGT will use the one with the next lower prio. if there is no other route available it will state "no route to host".

 

I do that with our branches this way:

 

I have two ipsec tunnels to the branch - each using a different wan at HQ and Branch

And I have two routes with different prio for every subnet I want to access at Branch.

FGT then will alays use the route with lowest prio and if that is down it will be deleted and the other one is used (needs a few seconds to change). Once the first one comes back up routing will switch back again.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

yes it will as vpn2 is tied to the wan. Packets over vpn2 will leave through the wan the vpn2 is tied to at HQ and will go to the wan vpn2 is tied to at branch (as that is the remote gateway).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

yes it does. You tied VPN2 to WAN2 so the FGT knows that ipsec packets for or from VPN2 have to go via WAN2.

WAN2 does not need to know WAN1 at branch because VPN2 at HQ knows that its opposite end (i.e. remote gateway in the ipsec tunnel settings) is WAN1 at branch FW.

So VPN2 at HQ will send tunnel packets to VPN2 at branch and they go out via WAN2 at HQ and will reach branch via branch WAN1.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
14 REPLIES 14
emnoc
Esteemed Contributor III

Yes, you can do that and use a routing protocol for example over the tunnels for the local/remote subnets that are carrying the phase2-TS.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
downlinkvip

Hi @emnoc,

 

Thanks for reply. I want to understand more about this, for example, I set up a default route (with lower priority) through WAN1, so all VPN setup packet must go through WAN1 (default route) first or it can use its own default route (with higher priority) to reach the WAN1 (branch Firewall). Please help.

Yurisk
Valued Contributor

You have 2 (mostly) unrelated steps here:

1. You set up 2 IPsec tunnels from the branch to the HQ that should be up.

2. Now, once step 1 is done you will have 2 VPN interfaces in Network tab corresponding to 2 IPSec tunnels , through which interface you route the remote LANs is up to you. If you run dynamic routing protocol then you use priorities of the given routing protocol. If, on the other hand, you use static routes, then add routes to remote LANs via both VPN interfaces, but set different priority on one of the routes to force all IPsec traffic to pass the specific IPsec tunnel. If that prioritized Ipsec tunnel goes down, FG will delete the route to remote LANs through it, and will install the 2nd route via 2nd tunnel.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
downlinkvip

Hi Yurish,

 

I want to clear about how packet flows in this case. As I said, "I have configured two default routes with the same distance but different priority" (default route WAN1 is preference). So even if I can create the second IPSEC VPN successfully, does the data come on WAN2 HQ - WAN 1 branch VPN really go through WAN2 link (at HQ firewall)?.

 

This is what I mean. For example, an IPSEC packet go from HQ to branch. The GRE destination IP is WAN1 IP of  branch FW, GRE source IP is WAN2 IP of HQ FW. But to reach WAN1 IP of branch FW, we need to go through prefer default route (in this case through WAN1). So traffic really come through WAN1, not WAN2. Please help me clarify it.

 

emnoc
Esteemed Contributor III

What do mean by default route? Are you planning on routing the branch local lan traffic across the two tunnels? Again if  yes, than set /32 static route to the HQ wan1/wan2 end-points for the VPN ( IPSEC / IKE ) and then use a routing protocol ( OSPF or RIP ) and inject a default route to the branch.

 

At the branch you  will advertise a local-LAN network(s) only and and they you control traffic with policies at branch and HQ. You can adjust what ipsec tunnel you would use by either metric/priority or even RIP offset.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sw2090
Honored Contributor

traffic follows your route - with static routes - it will always use the route with the lowest prio if there is more than one route to the destination subnet or host. The route(s) to the subnet(s) at branch you want to reach from HQ refer to the corresponding ipsec tunnel interface  as destination. The tunnel itself is tied to a specific wan interface. So traffic to the subnet will get ipesc encapsulated and then flow out through the wan the tunnels is tied to.

 

If the route with the lowest prio cannot be used because gateway is not available e.g. the FGT will use the one with the next lower prio. if there is no other route available it will state "no route to host".

 

I do that with our branches this way:

 

I have two ipsec tunnels to the branch - each using a different wan at HQ and Branch

And I have two routes with different prio for every subnet I want to access at Branch.

FGT then will alays use the route with lowest prio and if that is down it will be deleted and the other one is used (needs a few seconds to change). Once the first one comes back up routing will switch back again.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
downlinkvip

Hi @emnoc, @sw2090.

 

The default route here is default route on HQ firewall (please refer to my attached image, in this case it through WAN1). Eg, I have subnet B on the branch. And I config on HQ FW a static route point to the subnet B through VPN2 (WAN2 HQ to WAN1 branch). Does the traffic (from HQ to subnet B at branch) really go out WAN2 port (because the VPN2 tied to WAN2 at HQ)? 

 

 @emnoc,

Please explain more "Again if  yes, than set /32 static route to the HQ wan1/wan2 end-points for the VPN ( IPSEC / IKE )"

 

Please help me to clear. Thanks much.

 

 

sw2090
Honored Contributor

yes it will as vpn2 is tied to the wan. Packets over vpn2 will leave through the wan the vpn2 is tied to at HQ and will go to the wan vpn2 is tied to at branch (as that is the remote gateway).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
downlinkvip

Hi @sw2090,

So even on HQ FW, we have default route (through WAN1). But if traffic go trough VPN2, it will go out WAN2 port?. But how WAN2 port knows how to reach WAN1 at branch FW, is it just send traffic to other  site of the link (ISP site) ?. Please help. 

Labels
Top Kudoed Authors