Manual redundant VPN configuration

A FortiGate with two interfaces connected to the internet can be configured to support redundant VPNs to the same remote peer. Because each local internet-facing interface can reach each of the remote peer's two interfaces, four distinct paths are possible for VPN traffic from end to end. If the primary connection fails, the FortiGate can establish a VPN using the other connection.

Topology

The redundant configuration in this example uses route-based VPNs. The FortiGates must operate in NAT mode and use auto-keying.

This example assumes the redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If the redundant VPN uses more expensive facilities, configure it so that it is used only as a backup while the main VPN is down.

A redundant configuration for each VPN peer includes:

  • One phase 1 configuration for each path between the two peers with dead peer detection enabled
  • One phase 2 definition for each phase 1 configuration
  • One static route for each IPsec interface with different distance values to prioritize the routes
  • Two firewall policies per IPsec interface, one for each direction of traffic
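The component list above (one phase 1 and phase 2 per path, one static route per IPsec interface with a distinct distance, two policies per IPsec interface) and the GUI procedure that follows can be expressed as FortiOS CLI. The script below is an added example, not part of the original article or Fortinet's own tooling: it generates the CLI for all four paths from two local WAN interfaces and two remote peer addresses. The interface names, addresses, subnets and the tunnel naming scheme are constructed sample values; the pre-shared key is a placeholder. The `config` / `set` keywords used (`phase1-interface`, `dpd on-demand`, `phase2-interface`, `router static`, `firewall policy`) are standard FortiOS CLI.

```python
"""FortiOS CLI generator for a manually redundant route-based IPsec VPN.

Two local internet-facing interfaces x two remote peer addresses = four
end-to-end paths. Each path gets: one phase1-interface with DPD on-demand,
one phase2-interface, one static route with a distinct distance (so the
paths are ranked), and two firewall policies (one per traffic direction).
All names, addresses and subnets below are constructed sample values.
"""
from itertools import product

LOCAL_WAN = ["wan1", "wan2"]                   # primary, secondary public interface
REMOTE_GW = ["203.0.113.10", "198.51.100.20"]  # remote peer's primary, secondary IP
LAN_IF = "port3"                               # protected LAN interface (assumed)
LOCAL_SUBNET = "10.1.0.0 255.255.0.0"
REMOTE_SUBNET = "10.2.0.0 255.255.0.0"
PSK = "<PRE-SHARED-KEY-PLACEHOLDER>"           # placeholder, never a real key


def vpn_paths():
    """Return (tunnel_name, local_if, remote_gw, distance) for all four paths.

    Path 1 (primary -> primary) gets the lowest distance and is preferred
    while its tunnel is up. When DPD declares the peer dead the tunnel
    interface goes down, its route is withdrawn, and the next-lowest
    distance route (the next path) carries the traffic.
    """
    combos = product(LOCAL_WAN, REMOTE_GW)
    return [(f"vpn-path{n}", lif, rgw, 10 * n)
            for n, (lif, rgw) in enumerate(combos, start=1)]


def phase1_block(name, local_if, remote_gw):
    """Phase 1 for one path: bound to one local interface, one remote IP."""
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{name}"',
        f'        set interface "{local_if}"',
        "        set ike-version 2",
        "        set peertype any",
        "        set proposal aes256-sha256",
        "        set dhgrp 14",
        "        set dpd on-demand",          # dead peer detection drives failover
        "        set dpd-retryinterval 5",
        "        set dpd-retrycount 3",
        f"        set remote-gw {remote_gw}",
        f"        set psksecret {PSK}",
        "    next",
        "end",
    ])


def phase2_block(name):
    """One phase 2 per phase 1, same selectors on every path."""
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}-p2"',
        f'        set phase1name "{name}"',
        "        set proposal aes256-sha256",
        "        set dhgrp 14",
        "        set auto-negotiate enable",  # bring the SA up without waiting for traffic
        f"        set src-subnet {LOCAL_SUBNET}",
        f"        set dst-subnet {REMOTE_SUBNET}",
        "    next",
        "end",
    ])


def static_route_block(name, distance):
    """Static route to the remote LAN via this tunnel; distance ranks the paths."""
    return "\n".join([
        "config router static", "    edit 0",
        f"        set dst {REMOTE_SUBNET}", f'        set device "{name}"',
        f"        set distance {distance}", "    next", "end",
    ])


def policy_blocks(name):
    """Two firewall policies per IPsec interface: LAN->tunnel and tunnel->LAN."""
    def policy(pname, src, dst):
        return ["    edit 0", f'        set name "{pname}"',
                f'        set srcintf "{src}"', f'        set dstintf "{dst}"',
                '        set srcaddr "all"', '        set dstaddr "all"',
                "        set action accept", '        set schedule "always"',
                '        set service "ALL"', "    next"]
    return "\n".join(["config firewall policy",
                      *policy(f"{name}-out", LAN_IF, name),
                      *policy(f"{name}-in", name, LAN_IF), "end"])


def redundant_vpn_config():
    """Assemble the CLI for all four paths in dependency order."""
    sections = []
    for name, lif, rgw, dist in vpn_paths():
        sections += [phase1_block(name, lif, rgw), phase2_block(name),
                     static_route_block(name, dist), policy_blocks(name)]
    return "\n".join(sections) + "\n"


if __name__ == "__main__":
    print(redundant_vpn_config())
```

The distance values are the only thing that distinguishes the four routes; keeping them strictly increasing in path order is what makes the primary-to-primary path win while it is healthy and what lets the FortiGate fall through the remaining paths in a predictable order. The `srcaddr`/`dstaddr` of `all` are kept deliberately broad for illustration; in a real deployment tighten them to the two address objects that the phase 2 selectors already name.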

To configure the phase 1 and phase 2 VPN settings:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the tunnel name and click Next.
  3. Enter the following phase 1 settings for path 1:

     Remote Gateway: Static IP Address
     IP Address: Enter the IP address of the primary interface of the remote peer.
     Interface: Select the primary public interface of this peer.
     Dead Peer Detection: On-Demand

  4. Configure the remaining phase 1 and phase 2 settings as needed.
  5. Click OK.
  6. Repeat these steps for the remaining paths.
    1. Path 2:

       Remote Gateway: Static IP Address
       IP Address: Enter the IP address of the secondary interface of the remote peer.