Fail Over IPSec Site-To-Site VPN With Redundant Link On FortiGate Firewall
1. Overview:
At the branch site, a pair of FortiGate firewalls (master and slave) establishes site-to-site VPNs with HQ. HQ consists of two small locations, each with one firewall, and the two HQ firewalls back each other up.
To back up the branch's internet link to the ISP, two links from two different ISPs are deployed. Each ISP provides one public IP address.
From each public IP address, two IPsec VPN tunnels are set up from the branch firewall to the two firewalls at HQ.
For each public IP address of the branch firewall, one aggregate link is configured that includes the two tunnels established with the two HQ firewalls.
To achieve both link and device failover, a link monitor must be configured on the FortiGate firewall.
2. Planning:
(Topology diagram not reproduced; only the label "HA (port1)" survives from it.)
3. Configuration Tasks:
- Set up connectivity, IP addresses, DHCP and OSPF routing on the firewalls and the router.
- Configure master/slave failover between the two firewalls FW-Campus-Master and FW-Campus-Slave.
- Configure OSPF between the two FortiGate firewalls and the backbone router at HQ, with BFD under OSPF for high availability, and a distribute-list that denies the default route learned via OSPF.
- Configure a link monitor for the internet gateway on each firewall to track the default static route.
- Configure a VPN aggregate link whose two members are the tunnel links described above, for redundancy.
4. Configuration and Verification:
Devices: RTR-BB, FW-HQ-2, FW-Campus-master
FW-Campus-master:
!-----------------Configure HA ------------------!
config system ha
    set group-name "FW-Campus-cluster"
    set mode a-p
    set password ENC
    set hbdev "port2" 0
    set override disable
end
!-----------------Configure interface ------------------!
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.74.137 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type physical
        set alias "Mgmt"
        set snmp-index 1
    next
    edit "port3"
        set vdom "root"
        set ip 172.19.101.254 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "outside_1"
        set role wan
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set ip 172.19.102.254 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "outside_2"
        set role wan
        set snmp-index 4
    next
    edit "port5"
        set vdom "root"
        set ip 10.177.177.254 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "inside"
        set role lan
        set snmp-index 5
    next
end
!-----------------Configure routing ------------------!
config system link-monitor
    edit "TRACK-ISP1-GW"
        set srcintf "port3"
        set server "172.19.101.1"
        set gateway-ip 172.19.101.1
        set source-ip 172.19.101.254
    next
end
config router static
    edit 1
        set gateway 172.19.101.1
        set priority 10
        set device "port3"
    next
    edit 2
        set gateway 172.19.102.1
        set priority 20
        set device "port4"
    next
end
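As an added consistency check that is not part of the original document: the link monitor only withdraws the ISP1 default route on failure when its gateway-ip is the next hop of a static route on its srcintf, so this Python script parses FortiOS CLI blocks and flags any monitor whose gateway does not match a route on its own interface. SAMPLE is constructed from the page's addresses; the parser and the check are the editor's own, not a Fortinet tool.

```python
import shlex

# Constructed sample in FortiOS CLI syntax: the page's two default routes and the monitor for port3.
SAMPLE = """
config system link-monitor
    edit "TRACK-ISP1-GW"
        set srcintf "port3"
        set server "172.19.101.1"
        set gateway-ip 172.19.101.1
    next
end
config router static
    edit 1
        set gateway 172.19.101.1
        set priority 10
        set device "port3"
    next
    edit 2
        set gateway 172.19.102.1
        set priority 20
        set device "port4"
    next
end
"""

def parse_fortios(text):
    """Nest config/edit tables into dicts; a 'set' with one value stores a str, else a list."""
    stack = [{}]                      # stack[0] is the root, the top is the open table
    for raw in text.splitlines():
        tokens = shlex.split(raw)     # shlex strips the quotes FortiOS puts round names
        if not tokens or tokens[0].startswith("!"):
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def check_link_monitors(cfg):
    """Report monitors whose gateway-ip is not a static-route next hop on their srcintf."""
    routes = list(cfg.get("router static", {}).values())
    problems = []
    for name, mon in cfg.get("system link-monitor", {}).items():
        intf, gw = mon.get("srcintf"), mon.get("gateway-ip")
        if not any(r.get("device") == intf and r.get("gateway") == gw for r in routes):
            problems.append(f"{name}: no static route on {intf} via {gw}")
    return problems
```

Run it against `show system link-monitor` and `show router static` output pasted together; an empty list means every monitor protects the route it is meant to.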
!-----------------Configure VPN l2l------------------!
1. Create VPN tunnel link
Verification:
Normal state: the VPN link via ISP1 to FW-HQ-1 is primary.
PC1> ping 10.177.177.1