Re: Multiple ISP + BGP + VPN question
Thanks for your answers. The approach in that linked article was one I tried a couple of days ago without success, but since I wrote my request for help, I got what I needed. Yesterday I had called support and we couldn't figure it out, but the Forti engineer I got took it on as a project and set it up in the lab. He came up with a working solution.
Let me explain where things went wrong. When I did it just per the article, I moved my VPN, which terminated on the ISP's assigned IP address, to the secondary IP on the VLAN interface I created. I was able to bring up a tunnel and pass traffic into the network. The replies also tried to send back, but that failed as the packets went into the tunnel, and I wasn't able to get any packets going back across the tunnel. It said there was no route to the other end, which is bogus, because it had the tunnel built and should have known where to go. So what we did as the fix was this:
We enabled overlapping subnets. That way I could have the /24 on the VLAN interface but create a loopback with a /32 mask on x.x.x.2. Then I could terminate the VPN on that IP. Once that was done, the traffic routed fine and everything worked. Now I just have to verify that I can still use my /24 block for NAT of internal hosts for internet access as well. If so, it should work out just fine.
Thanks again for your tips. After 18 years of banging away at Cisco equipment of all types, the COVID situation forced me into a job change and I've found myself having to pick up something totally new. Definitely a little gear grinding as I try to shift into higher gears.
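The fix described in the post above, written out as a FortiOS CLI example. This is an added example, not configuration from the original post, the Fortinet engineer, or Fortinet documentation. The post elides the actual /24 and the x.x.x.2 address, so the addresses here are RFC 5737 documentation placeholders; the interface names (port1, isp-vlan, vpn-lo), the VLAN ID, the tunnel name, the peer address, the private subnets and the IKE/IPsec proposals are all assumed. The one caveat a practitioner will want: the /32 loopback only works if the remote peer's public address is reachable out the VLAN interface (via the default route or a BGP-learned route), never via the tunnel itself.

```fortios
# Added example, not from the post or from Fortinet. Placeholder addresses:
#   198.51.100.0/24  = the ISP-routed block on the VLAN interface (assumed)
#   198.51.100.2/32  = loopback used as the IPsec local gateway (assumed)
#   203.0.113.10     = the remote VPN peer (assumed)
#   10.1.0.0/16, 10.2.0.0/16 = local and remote private networks (assumed)

# 1. Allow the /32 loopback to sit inside the /24 already on the VLAN.
config system settings
    set allow-subnet-overlap enable
end

config system interface
    # 2. VLAN sub-interface carrying the ISP-assigned /24 (names assumed).
    edit "isp-vlan"
        set vdom "root"
        set interface "port1"
        set vlanid 100
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
    # 3. Loopback with a /32 out of the same block; the tunnel ends here.
    edit "vpn-lo"
        set vdom "root"
        set type loopback
        set ip 198.51.100.2 255.255.255.255
        set allowaccess ping
    next
end

# 4. Terminate the IPsec tunnel on the loopback instead of the VLAN IP.
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "vpn-lo"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
end
config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# 5. Send the far side's private network into the tunnel. The peer's public
#    address (203.0.113.10) must still route out "isp-vlan" via the default
#    or BGP route, otherwise IKE replies are pushed into the tunnel and fail.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "site-b"
    next
end
```

After applying this, `get router info routing-table details 203.0.113.10` should show the peer reachable via the VLAN interface, and `diagnose vpn ike gateway list` should show the gateway with local address 198.51.100.2; the NAT pool for internal hosts can keep using the rest of the /24 on "isp-vlan" because the overlap setting only permits the /32 to coexist with it.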