OSPF with IPsec VPN for network redundancy

This is a sample configuration that uses OSPF over IPsec VPN to provide network redundancy between two FortiGates. Route selection is based on OSPF cost: by adjusting the OSPF path cost on the tunnel interfaces you can get either ECMP (equal cost on both tunnels) or primary/secondary routing (a lower cost on the preferred tunnel).

Because the GUI can only complete part of the configuration, we recommend using the CLI.

To configure OSPF with IPsec VPN to achieve network redundancy using the CLI:
  1. Configure the WAN interface and static route.

    Each FortiGate has two WAN interfaces connected to different ISPs: the ISP1 link carries the primary tunnel and the ISP2 link carries the secondary tunnel. Both static default routes keep the default distance, so both stay in the routing table; the ISP2 route is given a higher priority value (100), and because FortiOS prefers the lower priority value, the ISP1 route is used while it is up.

    1. Configure HQ1.

      config system interface
          edit "port1"
              set alias to_ISP1
              set ip 172.16.200.1 255.255.255.0
          next
          edit "port2"
              set alias to_ISP2
              set ip 172.17.200.1 255.255.255.0
          next
      end

      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
          edit 2
              set gateway 172.17.200.3
              set device "port2"
              set priority 100
          next
      end

    2. Configure HQ2.

      config system interface
          edit "port25"
              set alias to_ISP1
              set ip 172.16.202.1 255.255.255.0
          next
          edit "port26"
              set alias to_ISP2
              set ip 172.17.202.1 255.255.255.0
          next
      end

      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
          edit 2
              set gateway 172.17.202.2
              set device "port26"
              set priority 100
          next
      end

  2. Configure the internal (protected subnet) interface.
    1. Configure HQ1.

      config system interface
          edit "dmz"
              set ip 10.1.100.1 255.255.255.0
          next
      end

    2. Configure HQ2.

      config system interface
          edit "port9"
              set ip 172.16.101.1 255.255.255.0
          next
      end

  3. Configure the IPsec phase1-interface and phase2-interface. On each FortiGate, configure two IPsec tunnels, a primary and a secondary, each bound to a different WAN interface and pointing at the peer's address on the matching ISP link. The psksecret values shown (sample1, sample2) are placeholders; use a strong, unique pre-shared key per tunnel and configure the same key on both peers.
    1. Configure HQ1.

      config vpn ipsec phase1-interface
          edit "pri_HQ2"
              set interface "port1"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.202.1
              set psksecret sample1
          next
          edit "sec_HQ2"
              set interface "port2"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.17.202.1
              set psksecret sample2
          next
      end

      config vpn ipsec phase2-interface
          edit "pri_HQ2"
              set phase1name "pri_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
          edit "sec_HQ2"
              set phase1name "sec_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
      end
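The addressing in step 1 and the tunnel definitions in step 3 have to agree on both FortiGates before OSPF can be brought up over the tunnels: each phase1 must point at the peer's address on the same ISP link, the PSK must match, and the phase1/phase2 proposal lists must overlap. The script below is an added example, not Fortinet code or part of this page's configuration. It parses FortiOS CLI text into nested dicts and cross-checks the pair. HQ1's values are taken from the page; HQ2's tunnel side (pri_HQ1 on port25, sec_HQ1 on port26, mirroring HQ1) is constructed here because the page does not show it, and the `gateway_cfg` helper only exists to render that constructed text.

```python
"""Added example: cross-check the HQ1/HQ2 IPsec configs of a redundant pair."""
import shlex

# Algorithms a practitioner would normally drop from the proposal lists;
# the page's proposals still carry sha1 for compatibility with older peers.
LEGACY_ALGOS = {"des", "3des", "md5", "sha1"}
P1_PROP = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
P2_PROP = ("aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 "
           "aes128gcm aes256gcm chacha20poly1305")


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into nested dicts,
    e.g. cfg["system interface"]["port1"]["ip"] == ["172.16.200.1", "255.255.255.0"].
    Only the keywords used on this page are handled; unset/append are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, *args = shlex.split(line)          # shlex strips the quotes FortiOS prints
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def _if_ip(cfg, ifname):
    return cfg["system interface"][ifname]["ip"][0]


def check_pair(local_text, peer_text):
    """Pair each phase1 on 'local' with the peer phase1 that dials our WAN
    address, then verify addressing, PSK and proposal overlap per tunnel."""
    local, peer = parse_fortios(local_text), parse_fortios(peer_text)
    lp1, lp2 = local["vpn ipsec phase1-interface"], local["vpn ipsec phase2-interface"]
    pp1, pp2 = peer["vpn ipsec phase1-interface"], peer["vpn ipsec phase2-interface"]
    report = {}
    for name, p1 in lp1.items():
        local_ip = _if_ip(local, p1["interface"][0])
        match = [(n, q) for n, q in pp1.items() if q["remote-gw"][0] == local_ip]
        if len(match) != 1:
            report[name] = {"peer": None, "error": "no unique peer tunnel dials " + local_ip}
            continue
        pname, q = match[0]
        p2 = next(v for v in lp2.values() if v["phase1name"][0] == name)
        q2 = next(v for v in pp2.values() if v["phase1name"][0] == pname)
        report[name] = {
            "peer": pname,
            # our remote-gw must be the address of the interface the peer bound its tunnel to
            "addr_ok": p1["remote-gw"][0] == _if_ip(peer, q["interface"][0]),
            "psk_match": p1["psksecret"] == q["psksecret"],
            "p1_common": [x for x in p1["proposal"] if x in q["proposal"]],
            "p2_common": [x for x in p2["proposal"] if x in q2["proposal"]],
            "legacy": sorted({x for x in p1["proposal"] + p2["proposal"]
                              if set(x.split("-")) & LEGACY_ALGOS}),
        }
    return report


def gateway_cfg(ifaces, tunnels):
    """Render minimal FortiOS config text for one gateway (constructed input).
    ifaces: {port: ip}; tunnels: [(name, port, remote_gw, psk)]."""
    out = ["config system interface"]
    for port, ip in ifaces.items():
        out += [f'    edit "{port}"', f"        set ip {ip} 255.255.255.0", "    next"]
    out += ["end", "config vpn ipsec phase1-interface"]
    for name, port, gw, psk in tunnels:
        out += [f'    edit "{name}"', f'        set interface "{port}"',
                f"        set proposal {P1_PROP}", f"        set remote-gw {gw}",
                f"        set psksecret {psk}", "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for name, *_ in tunnels:
        out += [f'    edit "{name}"', f'        set phase1name "{name}"',
                f"        set proposal {P2_PROP}", "    next"]
    return "\n".join(out + ["end"])


# HQ1 as on the page; HQ2's tunnels are an assumed mirror image (not on the page).
HQ1_CFG = gateway_cfg({"port1": "172.16.200.1", "port2": "172.17.200.1"},
                      [("pri_HQ2", "port1", "172.16.202.1", "sample1"),
                       ("sec_HQ2", "port2", "172.17.202.1", "sample2")])
HQ2_CFG = gateway_cfg({"port25": "172.16.202.1", "port26": "172.17.202.1"},
                      [("pri_HQ1", "port25", "172.16.200.1", "sample1"),
                       ("sec_HQ1", "port26", "172.17.200.1", "sample2")])

if __name__ == "__main__":
    for tunnel, findings in check_pair(HQ1_CFG, HQ2_CFG).items():
        print(tunnel, findings)
```

Run it against `show system interface` and `show vpn ipsec phase1-interface` / `phase2-interface` output captured from each FortiGate; a tunnel with `peer: None`, `addr_ok: False` or `psk_match: False` will never establish, and an empty `p1_common` or `p2_common` means the two sides have no proposal in common. The `legacy` list only points out the sha1 entries the page keeps for compatibility; it is a review hint, not a failure.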