Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pcavalcante
Staff
Staff

Created on ‎09-15-2023 12:27 AM Edited on ‎09-15-2023 12:28 AM By Moderator

Article Id 273840

Technical Tip: Setting up IPsec VPN Failover for Internet Access in FortiGate

Description

This article describes the process of configuring an IPsec VPN as a failover route to maintain uninterrupted internet access in the event of a primary ISP connection failure.

 

The scenario involves two sites, Site1 and Site2, where the primary objective is to establish an IPsec VPN tunnel through Site2 to ensure continuous connectivity for critical operations, even during network interruptions.
Scope

Imagine a scenario where there are two sites, Site1 and Site2. To ensure continuous internet access at Site1, it is wanted to establish an IPsec VPN tunnel as a failover route through Site2 in case Site1's primary ISP link goes down. This configuration helps maintain seamless connectivity even in the face of network interruptions.

 

Scenario.png
Solution

Step 1: Configure a Dummy Network Between the Peers (Performed on Both Sites).

Begin by creating a dummy network between Site1 and Site2. This is a fundamental step for routing internet traffic through the IPsec tunnel.

 

On Site1:

  1. Navigate to Network -> Interfaces.
  2. Edit the PORT used for the IPsec interface.
  3. Set a dummy network IP Address, such as 10.0.0.1/32.

 Dummy1.png

 

On Site2:

Perform identical steps as Site1 but assign the IP Address as 10.0.0.2/32.

 

Step 2: Adjust IPsec Configuration (Perform on Both Sites).

Update the IPsec Phase 2 selectors to permit all traffic through the IPsec tunnel. Modify the Local and Remote Addresses to 0.0.0.0/0.0.0.0.

 

IPSEC.png

 

Step 3: Configure SD-WAN (Perform on Site1).

  1. Create an SD-WAN Zone including the WAN and IPsec interfaces:
    • Create an SD-WAN zone to encompass both the WAN and IPsec interfaces. This is essential for traffic management and failover.
    • Go to Network -> SD-WAN.
    • Select Create New -> SD-WAN Member.
    • Select the WAN interface.
    • Select OK.
    • Create another member for the IPsec interface following the same steps.

 

Members.png

 

Step 4: Create 2 SD-WAN Rules (Perform on Site1).

Establish two SD-WAN rules to effectively manage traffic.

 

Rule 1 - IPsec Traffic:

This rule directs IPsec traffic appropriately.

  1. Navigate to Network -> SD-WAN.
  2. Select SD-WAN Rules.
  3. Select Create New.
  4. Add the Local Subnet object as the Source Address.
  5. Add the Destination Subnet object as the Destination Address.
  6. Choose Manual for Outgoing interfaces.
  7. Add the IPsec interface to Interface Preferences.
  8. Select OK.

 IPSEC Traffic.png

 

Rule 2 - Default Traffic:

This rule manages all other traffic.

  1. Navigate to Network -> SD-WAN.
  2. Select SD-WAN Rules.
  3. Select Create New.
  4. Add the 'all' object as the Source Address.
  5. Add the 'all' object as the Destination Address.
  6. Choose Manual for Outgoing interfaces.
  7. Add the WAN interface and then the IPsec interface (in this order) to Interface Preferences.
  8. Select OK.

 

Defaul Traffic.png

 

Step 5: Setup Performance SLAs to Enable Traffic Failover.


SLA.png
3940
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.