VPN connection to DC and DR | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Helpful ReplyHot!VPN connection to DC and DR

Author Post Essentials Only Full Version
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline 2021/01/27 02:07:59 (permalink) 0 VPN connection to DC and DR Hello, I'm looking for solution that we have a s2s VPN connection between site A to our DC We want to add a DR on OCI ( oracle cloud) and want to connect it also by s2s VPN and to make this connection as backup. If the connection/FW on DC side will go down the VPN will change to the DR and if the connection will go up again in the DC it will go back. Adding a visio What is the best way to make it happened? Attached Image(s) #1 List Solutions Only 11 Replies Related Threads
Furil New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2021/01/15 11:57:18 Status: offline Re: VPN connection to DC and DR 2021/01/27 06:56:29 (permalink) 0 Hello, I guess that phase 2 security network are exactly the same for both primary and secondary site ? If yes did you try to play with routing table based on priority ? (ex:192.168.10.0/24 priority 0 for primary site and 192.168.10.0 priority 10 for secondary side). Best regards, Furil #2
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline Re: VPN connection to DC and DR 2021/01/28 02:37:47 (permalink) 0 Hello and thank you for replaying, We don't have this configuration yet, we are planning to work on it, but before that I'm want to make sure its possible and will work. Maybe we can configure 2 S2S VPN one for each site DC and DR ant to add them both into a SD-WAN interface and to control the traffic with the weight? Do you think it will work? #3
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: VPN connection to DC and DR 2021/01/28 04:52:03 (permalink) ☄ Helpfulby ohadfaibish 2021/01/28 04:59:38 0 We have it here this way with 21 shop Sites. Each has two S2S IPsec to HQ and redundncy is made by redundant routes with different prio/distance. Primarily traffic behaves like electric current - it always takes the way of the lowest cost per default. So it will take the S2S with lowest routig prio/distance if available. If that is not available it will take the S2S with the next highest routing prio/distance until the other is back available. Works fine here. #4
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline Re: VPN connection to DC and DR 2021/01/28 05:00:45 (permalink) 0 HI! thank you for answering. Did you do it with SDWAN config? Can you please share with me the configuration? (Sure you can hide all the privet details) #5
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: VPN connection to DC and DR 2021/01/28 05:02:37 (permalink) 0 We use SD-WAN for loadbalancing and redundancy for internet traffic only. The S2S Tunnels are still tied to the physical WAN Ports on the FGTs. #6
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline Re: VPN connection to DC and DR 2021/01/28 05:38:48 (permalink) 0 Thank you! Any chance you can share the config with me? #7
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: VPN connection to DC and DR 2021/01/28 06:33:46 (permalink) 0 hm bascially that is: Shopsite: - two IPSec S2S to HQ one connected in my case to wan1 and the other to wan2. - route to HQ Subnet via S2S #1 with prio and distance set to 10 - route to HQ Subnet via S2S #2 with prio and distance set to 20 - Policies to allow the traffic I want to flow from/to HQ HQ: - two IPSec S2S to Shopsite one connected in my case to wan1 and the other to wan2 - route to Shopsite Subnet via S2S #1 with prio and distance 10 - route to Shopsite Subnet via S2S #2 with prio and distance 20 - Policies to allow the traffic I want to flow from/to Shopsite S2S are using the opposite Site corresponding WAN external IP as remote gateway. P1/P2 Proposals, DH Group and psk must match. static route via vpn does not need to have any gateway entered. #8
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline Re: VPN connection to DC and DR 2021/01/28 06:40:30 (permalink) 0 Hi, Correct me if I'm wrong but its look like you have 2 VPN connection with 2 sites as backup. I'm looking for solution for 3 sites, as you can see here in the diag (the Visio is with CP but I'm looking for Forti solution). So I want to work with the primary tunnel to DC and if the Primary connection will go down so the Backup one that goes to the DR will work automatically. Do you think that I can config like you did with 2 different sites? Attached Image(s) #9
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: VPN connection to DC and DR 2021/01/28 06:47:57 (permalink) 0 config vpn ipsec phase1-interface edit "name of connection" set interface "wan1" set ike-version 2 set keylife 28800 set peertype any set proposal aes256-sha512 set negotiate-timeout 15 set dpd on-idle set dhgrp 14 set remote-gw <WAN IP of opposite FGT Interface the S2S is connected to there> set psksecret ENC .... (encrypted key - you can set it cleartext on cli but it will be saved encrypted in config) set dpd-retryinterval 5 next end config vpn ipsec phase2-interface edit "name of phase2" set phase1name "connecton name you set above" set proposal aes256-sha512 set dhgrp 14 set auto-negotiate enable set keylifeseconds 14400 next end Then create a 2nd S2S with different remote gw and interface analog to this. config router static edit 0 set dst destination-subnet destination-subnetmask set priority 20 set device "your S2S #2" next edit 0 set dst destination-subnet destination-subnetmask set priority 10 set device "your S2S #1" next end Order of the routes in here does not count! The prio defines the order they get used in! edit 0 in FortiOS means that FortiOS will give it an autoincremented number and you don't have to care for if that alredy exists and would be overwritten. destination-subnet and destination-subnetmask are the same in both routes. Then do the same on the other Side. Just set the route destination to the subnet of the opposite site. Then both sides need policies to allow the traffic you need to flow. No IPSec will come up without policies on a FGT! You will have to have either redundant policies (one for each S2S) or you will need multiple destination/source interfaces in your policy (which will disable the interface group view in gui). post edited by sw2090 - 2021/01/28 06:51:12 #10
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: VPN connection to DC and DR 2021/01/28 06:49:39 (permalink) 0 why shouldn't that work. The only difference is that only one S2S goes to your side and the other to the cloud. Makes absolutely no difference for routing. #11
ohadfaibish New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2021/01/27 01:59:37 Status: offline Re: VPN connection to DC and DR 2021/01/28 06:51:27 (permalink) 0 Perfect! Thank you very much for the help and the time. Take care and be safe! #12

Jump to:

© 2021 APG vNext Commercial Version 5.5