Fortinet black logo

Cookbook

Manual redundant VPN configuration

Copy Link
Copy Doc ID 664e9f16-22ad-11eb-96b9-00505692583a:432685
Download PDF

Manual redundant VPN configuration

A FortiGate with two interfaces connected to the internet can be configured to support redundant VPNs to the same remote peer. Four distinct paths are possible for VPN traffic from end to end. If the primary connection fails, the FortiGate can establish a VPN using the other connection.

Topology

The redundant configuration in this example uses route-based VPNs. The FortiGates must operate in NAT mode and use auto-keying.

This example assumes the redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If the redundant VPN uses more expensive facilities, only use it as a backup while the main VPN is down.

A redundant configuration for each VPN peer includes:

  • One phase 1 configuration for each path between the two peers with dead peer detection enabled
  • One phase 2 definition for each phase 1 configuration
  • One static route for each IPsec interface with different distance values to prioritize the routes
  • Two firewall policies per IPsec interface, one for each direction of traffic
To configure the phase 1 and phase 2 VPN settings:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the tunnel name and click Next.
  3. Enter the following phase 1 settings for path 1:

    Remote Gateway

    Static IP Address

    IP Address

    Enter the IP address of the primary interface of the remote peer.

    Interface

    Select the primary public interface of this peer.

    Dead Peer Detection

    On-Demand

  4. Configure the remaining phase 1 and phase 2 settings as needed.
  5. Click OK.
  6. Repeat these steps for the remaining paths.
    1. Path 2:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the secondary interface of the remote peer.

      Interface

      Select the primary public interface of this peer.

      Dead Peer Detection

      On-Demand

    2. Path 3:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the primary interface of the remote peer.

      Interface

      Select the secondary public interface of this peer.

      Dead Peer Detection

      On-Demand

    3. Path 4:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the secondary interface of the remote peer.

      Interface

      Select the secondary public interface of this peer.

      Dead Peer Detection

      On-Demand

To configure the static routes:
  1. Go to Network > Static Routes and click Create New.
  2. In the Destination field, enter the subnet of the private network.
  3. For Interface, select one of the IPsec interfaces on the local peer.
  4. Enter a value for Administrative Distance.
  5. Click OK.
  6. Repeat these steps for the three remaining paths, and enter different values for Administrative Distance to prioritize the paths.
To configure the firewall policies:
  1. Create the policies for the local primary interface:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enter the following:

      Name

      Enter a name for the policy.

      Incoming Interface

      Select the local interface to the internal (private) network.

      Outgoing Interface

      Select one of the virtual IPsec interfaces.

      Source

      All

      Destination

      All

      Schedule

      Always

      Service

      All

      Action

      ACCEPT

    3. Click OK.
    4. Click Create New and configure the policy for the other direction of traffic:

      Name

      Enter a name for the policy.

      Incoming Interface

      Select one of the virtual IPsec interfaces.

      Outgoing Interface

      Select the local interface to the internal (private) network.

      Source

      All

      Destination

      All

      Schedule

      Always

      Service

      All

      Action

      ACCEPT

    5. In the policy list, drag the VPN policies above any other policies with similar source and destination addresses.
  2. Repeat these steps to create the policies for the three remaining paths.

Creating a backup IPsec interface

A route-based VPN can be configured to act as a backup IPsec interface when the main VPN is out of service. This can only be configured in the CLI.

The backup feature works on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified phase 1 configuration.

To create a backup IPsec interface:
config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on-demand
        set interface port1
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on-demand
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
end

Manual redundant VPN configuration

A FortiGate with two interfaces connected to the internet can be configured to support redundant VPNs to the same remote peer. Four distinct paths are possible for VPN traffic from end to end. If the primary connection fails, the FortiGate can establish a VPN using the other connection.

Topology

The redundant configuration in this example uses route-based VPNs. The FortiGates must operate in NAT mode and use auto-keying.

This example assumes the redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If the redundant VPN uses more expensive facilities, only use it as a backup while the main VPN is down.

A redundant configuration for each VPN peer includes:

  • One phase 1 configuration for each path between the two peers with dead peer detection enabled
  • One phase 2 definition for each phase 1 configuration
  • One static route for each IPsec interface with different distance values to prioritize the routes
  • Two firewall policies per IPsec interface, one for each direction of traffic
To configure the phase 1 and phase 2 VPN settings:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the tunnel name and click Next.
  3. Enter the following phase 1 settings for path 1:

    Remote Gateway

    Static IP Address

    IP Address

    Enter the IP address of the primary interface of the remote peer.

    Interface

    Select the primary public interface of this peer.

    Dead Peer Detection

    On-Demand

  4. Configure the remaining phase 1 and phase 2 settings as needed.
  5. Click OK.
  6. Repeat these steps for the remaining paths.
    1. Path 2:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the secondary interface of the remote peer.

      Interface

      Select the primary public interface of this peer.

      Dead Peer Detection

      On-Demand

    2. Path 3:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the primary interface of the remote peer.

      Interface

      Select the secondary public interface of this peer.

      Dead Peer Detection

      On-Demand

    3. Path 4:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the secondary interface of the remote peer.

      Interface

      Select the secondary public interface of this peer.

      Dead Peer Detection

      On-Demand

To configure the static routes:
  1. Go to Network > Static Routes and click Create New.
  2. In the Destination field, enter the subnet of the private network.
  3. For Interface, select one of the IPsec interfaces on the local peer.
  4. Enter a value for Administrative Distance.
  5. Click OK.
  6. Repeat these steps for the three remaining paths, and enter different values for Administrative Distance to prioritize the paths.
To configure the firewall policies:
  1. Create the policies for the local primary interface:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enter the following:

      Name

      Enter a name for the policy.

      Incoming Interface

      Select the local interface to the internal (private) network.

      Outgoing Interface

      Select one of the virtual IPsec interfaces.

      Source

      All

      Destination

      All

      Schedule

      Always

      Service

      All

      Action

      ACCEPT

    3. Click OK.
    4. Click Create New and configure the policy for the other direction of traffic:

      Name

      Enter a name for the policy.

      Incoming Interface

      Select one of the virtual IPsec interfaces.

      Outgoing Interface

      Select the local interface to the internal (private) network.

      Source

      All

      Destination

      All

      Schedule

      Always

      Service

      All

      Action

      ACCEPT

    5. In the policy list, drag the VPN policies above any other policies with similar source and destination addresses.
  2. Repeat these steps to create the policies for the three remaining paths.

Creating a backup IPsec interface

A route-based VPN can be configured to act as a backup IPsec interface when the main VPN is out of service. This can only be configured in the CLI.

The backup feature works on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified phase 1 configuration.

To create a backup IPsec interface:
config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on-demand
        set interface port1
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on-demand
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
end