Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Manual redundant VPN configuration

    Manual redundant VPN configuration

    A FortiGate with two interfaces connected to the internet can be configured to support redundant VPNs to the same remote peer. Four distinct paths are possible for VPN traffic from end to end. If the primary connection fails, the FortiGate can establish a VPN using the other connection.

    Topology

    The redundant configuration in this example uses route-based VPNs. The FortiGates must operate in NAT mode and use auto-keying.

    This example assumes the redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If the redundant VPN uses more expensive facilities, only use it as a backup while the main VPN is down.

    A redundant configuration for each VPN peer includes:

    • One phase 1 configuration for each path between the two peers with dead peer detection enabled
    • One phase 2 definition for each phase 1 configuration
    • One static route for each IPsec interface with different distance values to prioritize the routes
    • Two firewall policies per IPsec interface, one for each direction of traffic
    To configure the phase 1 and phase 2 VPN settings:
    1. Go to VPN > IPsec Wizard and select the Custom template.
    2. Enter the tunnel name and click Next.
    3. Enter the following phase 1 settings for path 1:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the primary interface of the remote peer.

      Interface

      Select the primary public interface of this peer.

      Dead Peer Detection

      On-Demand

    4. Configure the remaining phase 1 and phase 2 settings as needed.
    5. Click OK.
    6. Repeat these steps for the remaining paths.
      1. Path 2:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the secondary interface of the remote peer.

        Interface

        Select the primary public interface of this peer.

        Dead Peer Detection

        On-Demand

      2. Path 3:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the primary interface of the remote peer.

        Interface

        Select the secondary public interface of this peer.

        Dead Peer Detection

        On-Demand

      3. Path 4:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the secondary interface of the remote peer.

        Interface

        Select the secondary public interface of this peer.

        Dead Peer Detection

        On-Demand

    To configure the static routes:
    1. Go to Network > Static Routes and click Create New.
    2. In the Destination field, enter the subnet of the private network.
    3. For Interface, select one of the IPsec interfaces on the local peer.
    4. Enter a value for Administrative Distance.
    5. Click OK.
    6. Repeat these steps for the three remaining paths, and enter different values for Administrative Distance to prioritize the paths.
    To configure the firewall policies:
    1. Create the policies for the local primary interface:
      1. Go to Policy & Objects > Firewall Policy and click Create New.
      2. Enter the following:

        Name

        Enter a name for the policy.

        Incoming Interface

        Select the local interface to the internal (private) network.

        Outgoing Interface

        Select one of the virtual IPsec interfaces.

        Source

        All

        Destination

        All

        Schedule

        Always

        Service

        All

        Action

        ACCEPT

      3. Click OK.
      4. Click Create New and configure the policy for the other direction of traffic:

        Name

        Enter a name for the policy.

        Incoming Interface

        Select one of the virtual IPsec interfaces.

        Outgoing Interface

        Select the local interface to the internal (private) network.

        Source

        All

        Destination

        All

        Schedule

        Always

        Service

        All

        Action

        ACCEPT

      5. In the policy list, drag the VPN policies above any other policies with similar source and destination addresses.
    2. Repeat these steps to create the policies for the three remaining paths.

    Creating a backup IPsec interface

    A route-based VPN can be configured to act as a backup IPsec interface when the main VPN is out of service. This can only be configured in the CLI.

    The backup feature works on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified phase 1 configuration.

    To create a backup IPsec interface:
    config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on-demand
        set interface port1
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on-demand
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
end
    Previous
    Next

    Manual redundant VPN configuration

    Manual redundant VPN configuration

    A FortiGate with two interfaces connected to the internet can be configured to support redundant VPNs to the same remote peer. Four distinct paths are possible for VPN traffic from end to end. If the primary connection fails, the FortiGate can establish a VPN using the other connection.

    Topology

    The redundant configuration in this example uses route-based VPNs. The FortiGates must operate in NAT mode and use auto-keying.

    This example assumes the redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If the redundant VPN uses more expensive facilities, only use it as a backup while the main VPN is down.

    A redundant configuration for each VPN peer includes:

    • One phase 1 configuration for each path between the two peers with dead peer detection enabled
    • One phase 2 definition for each phase 1 configuration
    • One static route for each IPsec interface with different distance values to prioritize the routes
    • Two firewall policies per IPsec interface, one for each direction of traffic
    To configure the phase 1 and phase 2 VPN settings:
    1. Go to VPN > IPsec Wizard and select the Custom template.
    2. Enter the tunnel name and click Next.
    3. Enter the following phase 1 settings for path 1:

      Remote Gateway

      Static IP Address

      IP Address

      Enter the IP address of the primary interface of the remote peer.

      Interface

      Select the primary public interface of this peer.

      Dead Peer Detection

      On-Demand

    4. Configure the remaining phase 1 and phase 2 settings as needed.
    5. Click OK.
    6. Repeat these steps for the remaining paths.
      1. Path 2:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the secondary interface of the remote peer.

        Interface

        Select the primary public interface of this peer.

        Dead Peer Detection

        On-Demand

      2. Path 3:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the primary interface of the remote peer.

        Interface

        Select the secondary public interface of this peer.

        Dead Peer Detection

        On-Demand

      3. Path 4:

        Remote Gateway

        Static IP Address

        IP Address

        Enter the IP address of the secondary interface of the remote peer.

        Interface

        Select the secondary public interface of this peer.

        Dead Peer Detection

        On-Demand

    To configure the static routes:
    1. Go to Network > Static Routes and click Create New.
    2. In the Destination field, enter the subnet of the private network.
    3. For Interface, select one of the IPsec interfaces on the local peer.
    4. Enter a value for Administrative Distance.
    5. Click OK.
    6. Repeat these steps for the three remaining paths, and enter different values for Administrative Distance to prioritize the paths.
    To configure the firewall policies:
    1. Create the policies for the local primary interface:
      1. Go to Policy & Objects > Firewall Policy and click Create New.
      2. Enter the following:

        Name

        Enter a name for the policy.

        Incoming Interface

        Select the local interface to the internal (private) network.

        Outgoing Interface

        Select one of the virtual IPsec interfaces.

        Source

        All

        Destination

        All

        Schedule

        Always

        Service

        All

        Action

        ACCEPT

      3. Click OK.
      4. Click Create New and configure the policy for the other direction of traffic:

        Name

        Enter a name for the policy.

        Incoming Interface

        Select one of the virtual IPsec interfaces.

        Outgoing Interface

        Select the local interface to the internal (private) network.

        Source

        All

        Destination

        All

        Schedule

        Always

        Service

        All

        Action

        ACCEPT

      5. In the policy list, drag the VPN policies above any other policies with similar source and destination addresses.
    2. Repeat these steps to create the policies for the three remaining paths.

    Creating a backup IPsec interface

    A route-based VPN can be configured to act as a backup IPsec interface when the main VPN is out of service. This can only be configured in the CLI.

    The backup feature works on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified phase 1 configuration.

    To create a backup IPsec interface:
    config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on-demand
        set interface port1
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on-demand
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret ********
        set remote-gw 192.168.10.8
        set type static
    next
end
    Previous
    Next