My client has many IPSEC VPNs set up on their primary ISP interface. Today when primary ISP went down and secondary took over on-site, VPNs obviously did not work because they are not also configured on the secondary ISP.
I need to set up vpn redundancy on the second link. Idea is to configure IPSec tunnels to the same remote locations, just on my secondary ISP interface. Would I set up a second set of IPsec tunnels for the second ISP? maybe set static route at a lower priority than the primary?
Thanks in advance. FortiOS 7.0.9
Create two tunnels, either statically or dial-up at the hub site and use SD-WAN to bundle the IPsec interfaces. Use SD-WAN tracking to load-balance or failover between them.
Job done.
Mainly want to confirm I can just create both VPNs and set the static route for the second one to have a higher distance.
Can do it a few ways.
Static will only work if the physical interface goes down and causes the tunnel to go down too. You can make the backup dependent on the first tunnel but I personally prefer either sdwan or bgp as it’s a bit more configurable.
You could follow this link, and use priority on the static route instead of distance. You can do this with link monitoring: Technical Tip: IPsec VPN: Site-to-Site tunnel moni... - Fortinet Community
That is the way I do it on the sites that I have not been able to change to SD-WAN.
Can confirm, how it’s traditionally done. ‘Floating static routes’.
Create two tunnels and set the secondary phase1 to monitor the primary. Secondary tunnel will only get up when the primary fails. Routes will deactivate and activate automatically.
Alternatively you can use IPSec Aggregate if you do not use Security Fabric over IPSEC and have both paths active and doing load balance.
You can still set the secondary phase1 to monitor the primary and the IPSEC aggregate will only use the secondary when the primary fails. You will only need one route to the IPSEC aggregate interface.