- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSEC VPN failover using two ISP links
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC VPN failover using two ISP links
Hello,
We have multiple IPSEC site to site vpn in our office. Currently, all our vpn's configured using the 1st ISP link (Our fortinet firewall WAN1 ip as a remote gateway for the vpn). Recently we buy another link and connected to our fortinet firewall WAN2 interface. How i can convert or reconfigure all this vpn with failover concept, like if ISP 1 fails the vpn should work with ISP 2. Kindly need your advice to achieve this. Thanks.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd be interested in this too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your best method is to enable a dynamic routing protocol and assign a /30 or /31 on the vpn links. Treat them like wan links or private line and it will failover with no effort. Just set the metric on what link you want .
hijt: If you have a big enterprise and with multiple subnets being carried you can maybe do a hacked load-balance
e.,g
LINK1 SRC/DST 10.10.10.0/24 <> 10.20.10.0/24 metric 100
LINK2 SRC/DST 10.10.10.0/24 <> 10.20.10.0/24 metric 1000
LINK1 SRC/DST 10.10.11.0/24 <> 10.20.11.0/24 metric 1000
LINK2 SRC/DST 10.10.11.0/24 <> 10.20.11.0/24 metric 100
Or something to that nature of SDWAN is an option but I seen many issues with vpn-interfaces as SDWAN members. I would review this video , upgrade to the latest version and give it a spin
https://video.fortinet.com/latest/sd-wan-dual-vpn-tunnel-to-data-center
Make sure to use a dynamic routing with the vpn-interface if your do SDWAN
YMMV, provide feedback if your SDWAN with vpn-members does not give you any issues.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks Ken!
well I already do failover this way with all my point-to-point tunnels. But will surely be helpful to the thread starter.
I'd still be interested to know if that works for dial up tunnels too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For site2site dialup yes it would work, we have tunnels (2x ) to SRX that runs private BGP where the SRX are initiator . It works 110% if the time correctly once BGP-KA are lost, and DPD tears down the tunnel.
In the OP, he probably wants to try SDWAN and have two vpn-phase1-interfaces with set remote-gateway <ISP1> in one and <ISP2> in the 2nd.
No matter what you do, I would enable a dynamic BGP or OSPF or heck RIPv2 works fine also just a little slower to converge.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for the information. I will test and update you by sunday.
One more, for testing this, i need to create one more vpn tunnel in the other end fortinet with my device wan2 ip as a vpn gateway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
To test the VPN failover, I created a tunnel between our main site and backup site. I followed the below steps
1.Created two VPN tunnels
2.Created a zone and added the two tunnels
3.Created a static route for the destination subnet with different distances 10 and 20
4. Since we have overlapping subnet in both site we created IP pool and Virtual IP. But the problem is, I am not able to map the virtual IP to the created zone, hence I select interface “any”
5.Created two firewall policies
6. I repeat the same procedure in the backup site
When I disable the wan1 interface of the main site, then the secondary tunnel coming up automatically. But the issue is we not able to reach both end systems subnets. Since we are not able to map the virtual IP to the zone we are facing this issue.
Is there any other option to overcome this? Thanks
Related Posts
- Fortinet Firewall shows 100Mbps (100%) bandwidth... 310 Views
- FGSP Dynamic Tunnel VPN in SD-WAN 214 Views
- choose between multiple ISP 166 Views
- Firewall Policy 153 Views
- 404 Page Not Found error when... 273 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.