Article Id 198021

Description

Case Study: Using IPSec VPN as backup for Private WAN

Introduction

When using a private WAN such as Frame Relay, ATM or a dedicated point-to-point link, it may be desirable to use one or more IPSec tunnels over the Internet as a backup in the event that the private WAN is inaccessible.

This case study assumes you have a FortiGate 60 at both sites and that both sites have access to:

  • private WAN using the WAN1 interface
  • the Internet using the WAN2 interface

Steps or Commands

WAN2 (IPSec VPN) can act as a backup for WAN1 (private WAN).

You need the following (on both ends):

  • Routing
    a) equal distance static routes on both WAN1 and WAN2
    b) policy route indicating WAN1 as the preference

  • Firewall Policies
    a) INT >> WAN1
        action=ACCEPT

    b) INT >> WAN2
        action=ENCRYPT

If WAN1 is up (as defined by link status or ping server), the FortiGate unit routes traffic across WAN1.

If WAN1 is down, the FortiGate unit forwards traffic across the VPN tunnel (on WAN2).

Note: Fail-over and fail-back affect only new sessions, not existing ones.
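
The routing and policy items above could look like this on the Site A unit. This is an added sketch, not configuration from the original article: the subnets, gateways, the address objects SiteA_LAN and SiteB_LAN, and the tunnel name to_siteB are constructed placeholders, the IPSec phase 1/phase 2 and the WAN1 ping server are assumed to be configured separately, and the internal interface is assumed to be named "internal". Keyword spellings follow the policy-based FortiOS CLI and vary by firmware release (later releases name the encrypt action ipsec), so check them against the CLI reference for the unit's firmware.

```fortios
# Constructed addressing: Site A LAN 10.1.0.0/24, Site B LAN 10.2.0.0/24,
# WAN1 next hop 172.16.1.1 (private WAN), WAN2 next hop 192.0.2.1 (Internet).
# Routing a) equal-distance static routes to the remote LAN on WAN1 and WAN2.
config router static
    edit 1
        set device "wan1"
        set dst 10.2.0.0 255.255.255.0
        set gateway 172.16.1.1
        set distance 10
    next
    edit 2
        set device "wan2"
        set dst 10.2.0.0 255.255.255.0
        set gateway 192.0.2.1
        set distance 10
    next
end
# Routing b) policy route: prefer WAN1 for traffic to the remote LAN.
config router policy
    edit 1
        set input-device "internal"
        set dst 10.2.0.0 255.255.255.0
        set output-device "wan1"
        set gateway 172.16.1.1
    next
end
# Firewall policies: a) ACCEPT on WAN1, b) ENCRYPT on WAN2 (assumed tunnel).
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SiteA_LAN"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "SiteA_LAN"
        set dstaddr "SiteB_LAN"
        set action encrypt
        set vpntunnel "to_siteB"
        set schedule "always"
        set service "ANY"
    next
end
```

Site B needs the mirror of this configuration with the subnets and gateways swapped. Only the WAN2 policy encrypts: traffic that matches the WAN1 ACCEPT policy crosses the private WAN without IPSec protection.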