
Fail Over IPSec Site-to-Site VPN with redundant link on FortiGate Firewall
1. Overview:
At the branch site, a FortiGate firewall pair (master and slave) establishes the site-to-site VPN
with HQ. At HQ there are two small locations; each location hosts one firewall, and the two
firewalls back each other up.
To back up the internet link from the Branch site to the ISP, we deploy two links with two
different ISPs. Each ISP provides one public IP address.
For each public IP address, we set up two IPsec VPN links from the Branch firewall to the two
firewalls at HQ.
For each public IP address of the Branch firewall, we configure one aggregate link that includes
the two tunnel links established with the two firewalls at the HQ site.
To fail over both the link and the device, we configure link monitoring on the FortiGate firewall.

2. Planning:

Firewall name              | Interface         | IP address     | Interface is connected to | Routing protocol
FW-HQ-1                    | inside (port3)    | 10.92.100.254  | HQ LAN                    | OSPF
FW-HQ-1                    | outside (port2)   | 172.18.101.2   | Internet GW               | Static
FW-HQ-2                    | inside (port3)    | 10.92.100.253  | HQ LAN                    | OSPF
FW-HQ-2                    | outside (port2)   | 172.18.102.2   | Internet GW               | Static
FW-Campus (Master – Slave) | inside (port5)    | 10.177.177.254 | BR LAN                    | Connected
FW-Campus (Master – Slave) | Outside_1 (port3) | 172.19.101.254 | ISP1 GW                   | Static
FW-Campus (Master – Slave) | Outside_2 (port4) | 172.19.102.254 | ISP2 GW                   | Static
FW-Campus (Master – Slave) | HA (port1)        |                |                           |

Firewall name              | VPN Aggregate link | VPN tunnel | Local IP address | Remote IP address
FW-HQ-1                    | VPN_to_BR          | VPN_ISP1   | 172.18.101.2     | 172.19.101.254
FW-HQ-1                    | VPN_to_BR          | VPN_ISP2   | 172.18.101.2     | 172.19.102.254
FW-HQ-2                    | VPN_to_BR          | VPN_ISP1   | 172.18.102.2     | 172.19.101.254
FW-HQ-2                    | VPN_to_BR          | VPN_ISP2   | 172.18.102.2     | 172.19.102.254
FW-Campus (Master – Slave) | VPN_ISP1           | VPN_ISP1_1 | 172.19.101.254   | 172.18.101.2
FW-Campus (Master – Slave) | VPN_ISP1           | VPN_ISP1_2 | 172.19.101.254   | 172.18.102.2
FW-Campus (Master – Slave) | VPN_ISP2           | VPN_ISP2_1 | 172.19.101.254   | 172.18.102.2
FW-Campus (Master – Slave) | VPN_ISP2           | VPN_ISP2_2 | 172.19.101.254   | 172.18.102.2

3. Configuration Tasks:
- Set up connectivity, IP addresses, DHCP and OSPF routing on the firewalls and the router.
- Configure master-slave failover (HA) between the two firewalls FW-Campus-Master and
FW-Campus-Slave.
- Configure OSPF between the two FortiGate firewalls and the backbone router at HQ, with BFD
under OSPF for high availability, and a distribute-list that denies a default route learned
via OSPF.
- Configure a link monitor for the internet gateway on each firewall to track the default
static route.
- Configure a VPN aggregate link that includes the two member tunnel links above for
redundancy.
4. Configuration and Verification:
RTR-BB
ip dhcp excluded-address 10.92.92.254
!
ip dhcp pool LAN
network 10.92.92.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.92.92.254
!
interface GigabitEthernet0/0
ip address 10.92.92.254 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.92.100.1 255.255.255.0
ip ospf 2 area 0
!
router ospf 2
redistribute connected metric-type 1 subnets
FW-HQ-1
!-----------------Configure interface ------------------!
config system interface
edit "port1"
set vdom "root"
set ip 192.168.74.135 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set alias "Mgmt"
next
edit "port2"
set vdom "root"
set ip 172.18.101.2 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "Outside"
set role wan
next
edit "port3"
set vdom "root"
set ip 10.92.100.254 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "inside"
set role lan
next
end
!-----------------Configure routing ------------------!
config router access-list
edit "DEFAULT_IN"
config rule
edit 1
set prefix 10.92.100.0 255.255.255.0
set exact-match enable
next
edit 2
set prefix 10.92.92.0 255.255.255.0
set exact-match enable
next
edit 10
set action deny
set prefix 0.0.0.0 0.0.0.0
set exact-match enable
next
end
next
end
config router ospf
set default-information-originate enable
set default-information-metric-type 1
set router-id 10.92.100.254
set bfd enable
set distribute-list-in "DEFAULT_IN"
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "inside"
set interface "port3"
set cost 1
set dead-interval 40
set hello-interval 10
set bfd enable
next
end
config network
edit 1
set prefix 10.92.100.0 255.255.255.0
next
end
config router bfd
config neighbor
edit 10.92.100.1
set interface "port3"
next
end
end
config system link-monitor
edit "TRACK-INTERNET-GATEWAY"
set srcintf "port2"
set server "172.18.101.1"
set gateway-ip 172.18.101.1
set source-ip 172.18.101.2
next
end
config router static
edit 1
set gateway 172.18.101.1
set device "port2"
next
end
!-----------------Configure VPN l2l------------------!
1. Create the VPN tunnel links
config vpn ipsec phase1-interface
edit "VPN_ISP1"
set interface "port2"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_via_ISP1"
set nattraversal disable
set remote-gw 172.19.101.254
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
end
config vpn ipsec phase1-interface
edit "VPN_ISP2"
set interface "port2"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_via_ISP2"
set nattraversal disable
set remote-gw 172.19.102.254
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
end
config vpn ipsec phase2-interface
edit "VPN_ISP1"
set phase1name "VPN_ISP1"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-BR"
next
end
config vpn ipsec phase2-interface
edit "VPN_ISP2"
set phase1name "VPN_ISP2"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-BR"
next
end
2. Add the two tunnel links into an aggregate
config system ipsec-aggregate
edit "VPN_to_BR"
set member "VPN_ISP1" "VPN_ISP2"
set algorithm redundant
next
end
3. Add a static route via the VPN aggregate interface
config router static
edit 2
set dst 10.177.177.0 255.255.255.0
set device "VPN_to_BR"
next
edit 3
set dst 10.177.177.0 255.255.255.0
set distance 50
set blackhole enable
next
end
4. Add policy rules for VPN L2L traffic
config firewall policy
edit 1
set name "INTERNET"
set srcintf "port3"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 2
set name "VPN_OUT"
set srcintf "port3"
set dstintf "VPN_to_BR"
set srcaddr "LAN-LOCAL"
set dstaddr "LAN-BR"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "VPN_IN"
set srcintf "VPN_to_BR"
set dstintf "port3"
set srcaddr "LAN-BR"
set dstaddr "LAN-LOCAL"
set action accept
set schedule "always"
set service "ALL"
next
end

FW-HQ-2
!-----------------Configure interface ------------------!
config system interface
edit "port1"
set vdom "root"
set ip 192.168.74.136 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set alias "Mgmt"
next
edit "port2"
set vdom "root"
set ip 172.18.102.2 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "Outside"
set role wan
next
edit "port3"
set vdom "root"
set ip 10.92.100.253 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "inside"
set role lan
next
end
!-----------------Configure routing ------------------!
config router access-list
edit "DEFAULT_IN"
config rule
edit 1
set prefix 10.92.100.0 255.255.255.0
set exact-match enable
next
edit 2
set prefix 10.92.92.0 255.255.255.0
set exact-match enable
next
edit 10
set action deny
set prefix 0.0.0.0 0.0.0.0
set exact-match enable
next
end
next
end
config router ospf
set default-information-originate enable
set default-information-metric-type 1
set router-id 10.92.100.253
set bfd enable
set distribute-list-in "DEFAULT_IN"
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "inside"
set interface "port3"
set cost 1
set dead-interval 40
set hello-interval 10
set bfd enable
next
end
config network
edit 1
set prefix 10.92.100.0 255.255.255.0
next
end
config router bfd
config neighbor
edit 10.92.100.1
set interface "port3"
next
end
end
config system link-monitor
edit "TRACK-INTERNET-GATEWAY"
set srcintf "port2"
set server "172.18.102.1"
set gateway-ip 172.18.102.1
set source-ip 172.18.102.2
next
end
config router static
edit 1
set gateway 172.18.102.1
set device "port2"
next
end
!-----------------Configure VPN l2l------------------!
1. Create the VPN tunnel links
config vpn ipsec phase1-interface
edit "VPN_ISP1"
set interface "port2"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_via_ISP1"
set nattraversal disable
set remote-gw 172.19.101.254
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
end
config vpn ipsec phase1-interface
edit "VPN_ISP2"
set interface "port2"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_via_ISP2"
set nattraversal disable
set remote-gw 172.19.102.254
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
end
config vpn ipsec phase2-interface
edit "VPN_ISP1"
set phase1name "VPN_ISP1"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-BR"
next
end
config vpn ipsec phase2-interface
edit "VPN_ISP2"
set phase1name "VPN_ISP2"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-BR"
next
end
2. Add the two tunnel links into an aggregate
config system ipsec-aggregate
edit "VPN_to_BR"
set member "VPN_ISP1" "VPN_ISP2"
set algorithm redundant
next
end
3. Add a static route via the VPN aggregate interface
config router static
edit 2
set dst 10.177.177.0 255.255.255.0
set device "VPN_to_BR"
next
edit 3
set dst 10.177.177.0 255.255.255.0
set distance 50
set blackhole enable
next
end
4. Add policy rules for VPN L2L traffic
config firewall policy
edit 1
set name "INTERNET"
set srcintf "port3"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 2
set name "VPN_OUT"
set srcintf "port3"
set dstintf "VPN_to_BR"
set srcaddr "LAN-LOCAL"
set dstaddr "LAN-BR"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "VPN_IN"
set srcintf "VPN_to_BR"
set dstintf "port3"
set srcaddr "LAN-BR"
set dstaddr "LAN-LOCAL"
set action accept
set schedule "always"
set service "ALL"
next
end

FW-Campus-master
!-----------------Configure HA ------------------!
config system ha
set group-name "FW-Campus-cluster"
set mode a-p
set password ENC
set hbdev "port2" 0
set override disable
end
!-----------------Configure interface ------------------!
config system interface
edit "port1"
set vdom "root"
set ip 192.168.74.137 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set alias "Mgmt"
set snmp-index 1
next
edit "port3"
set vdom "root"
set ip 172.19.101.254 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "outside_1"
set role wan
set snmp-index 3
next
edit "port4"
set vdom "root"
set ip 172.19.102.254 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "outside_2"
set role wan
set snmp-index 4
next
edit "port5"
set vdom "root"
set ip 10.177.177.254 255.255.255.0
set allowaccess ping https ssh
set type physical
set alias "inside"
set role lan
set snmp-index 5
next
end
!-----------------Configure routing ------------------!
config system link-monitor
edit "TRACK-ISP1-GW"
set srcintf "port3"
set server "172.19.101.1"
set gateway-ip 172.19.101.1
set source-ip 172.19.101.254
next
end
config router static
edit 1
set gateway 172.19.101.1
set priority 10
set device "port3"
next
edit 2
set gateway 172.19.102.1
set priority 20
set device "port4"
next
end
!-----------------Configure VPN l2l------------------!
1. Create the VPN tunnel links
config vpn ipsec phase1-interface
edit "VPN_ISP1_1"
set interface "port3"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_ISP1_to_FW1"
set nattraversal disable
set remote-gw 172.18.101.2
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
edit "VPN_ISP1_2"
set interface "port3"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_ISP1_to_FW2"
set nattraversal disable
set remote-gw 172.18.102.2
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
edit "VPN_ISP2_1"
set interface "port4"
set peertype any
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_ISP2_to_FW1"
set nattraversal disable
set remote-gw 172.18.101.2
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
edit "VPN_ISP2_2"
set interface "port4"
set aggregate-member enable
set proposal des-md5 des-sha1
set comments "VPN_l2l_ISP2_to_FW2"
set nattraversal disable
set remote-gw 172.18.102.2
set psksecret ENC
set dpd-retrycount 2
set dpd-retryinterval 3
next
end
config vpn ipsec phase2-interface
edit "VPN_ISP1_1"
set phase1name "VPN_ISP1_1"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-HQ"
next
edit "VPN_ISP1_2"
set phase1name "VPN_ISP1_2"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-HQ"
next
edit "VPN_ISP2_1"
set phase1name "VPN_ISP2_1"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-HQ"
next
edit "VPN_ISP2_2"
set phase1name "VPN_ISP2_2"
set proposal des-md5 des-sha1
set src-addr-type name
set dst-addr-type name
set src-name "LAN-LOCAL"
set dst-name "LAN-HQ"
next
end
2. Add the tunnel links into the two aggregates
config system ipsec-aggregate
edit "VPN_ISP1"
set member "VPN_ISP1_1" "VPN_ISP1_2"
set algorithm redundant
next
edit "VPN_ISP2"
set member "VPN_ISP2_1" "VPN_ISP2_2"
set algorithm redundant
next
end
3. Add static routes via the VPN aggregate interfaces
config router static
edit 3
set dst 10.92.92.0 255.255.255.0
set priority 10
set device "VPN_ISP1"
next
edit 4
set dst 10.92.92.0 255.255.255.0
set priority 20
set device "VPN_ISP2"
next
edit 5
set dst 10.92.92.0 255.255.255.0
set distance 50
set blackhole enable
next
end
4. Add policy rules for VPN L2L traffic
config firewall policy
edit 1
set name "INTERNET_1"
set srcintf "port5"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "INTERNET_2"
set srcintf "port5"
set dstintf "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 3
set name "VPN_ISP1_IN"
set srcintf "VPN_ISP1"
set dstintf "port5"
set srcaddr "LAN-HQ"
set dstaddr "LAN-LOCAL"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set name "VPN_ISP1_OUT"
set srcintf "port5"
set dstintf "VPN_ISP1"
set srcaddr "LAN-LOCAL"
set dstaddr "LAN-HQ"
set action accept
set schedule "always"
set service "ALL"
next
edit 5
set name "VPN_ISP2_OUT"
set srcintf "port5"
set dstintf "VPN_ISP2"
set srcaddr "LAN-LOCAL"
set dstaddr "LAN-HQ"
set action accept
set schedule "always"
set service "ALL"
next
edit 6
set name "VPN_ISP2_IN"
set srcintf "VPN_ISP2"
set dstintf "port5"
set srcaddr "LAN-HQ"
set dstaddr "LAN-LOCAL"
set action accept
set schedule "always"
set service "ALL"
next
end
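The following Python linter is an added example, not part of this document and not FortiGate code: it parses flat FortiOS "config/edit/set/next/end" text like the blocks above and checks the three things that most often break this design, a member listed in an ipsec-aggregate without "set aggregate-member enable", a link-monitor probe sourced from an address that is not the srcintf's own IP (which silently stops the tracked static route from being withdrawn), and the deprecated DES/MD5 proposals used throughout. It assumes tables of edit entries only (global set lines outside an edit are ignored, nested config blocks are not handled) and runs on a constructed sample for the FW-Campus ISP2 side.

```python
def parse_fortios(text):  # -> {table: {entry: {key: [values]}}}; next/end need no state
    tables, table, entry = {}, None, None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None:  # global set lines are ignored
            entry[tok[1]] = [v.strip('"') for v in tok[2:]]
    return tables

def lint(dev, text):  # sorted findings that would break failover or weaken the tunnels
    t, out = parse_fortios(text), []
    ifip = {i: v["ip"][0] for i, v in t.get("system interface", {}).items() if "ip" in v}
    p1 = t.get("vpn ipsec phase1-interface", {})
    for name, ph in p1.items():  # DES/3DES/MD5 are deprecated for IKE/IPsec
        if {"des", "3des", "md5"} & set("-".join(ph.get("proposal", [])).split("-")):
            out.append(f"{dev}/{name}: weak phase1 proposal {' '.join(ph['proposal'])}")
    for agg, a in t.get("system ipsec-aggregate", {}).items():
        for m in a.get("member", []):  # FortiOS only accepts aggregate-member tunnels
            if p1.get(m, {}).get("aggregate-member") != ["enable"]:
                out.append(f"{dev}/{agg}: member {m} lacks 'set aggregate-member enable'")
    for lm, l in t.get("system link-monitor", {}).items():
        want = ifip.get(l["srcintf"][0])  # probe must leave from that interface's own IP
        if l.get("source-ip", [want])[0] != want:
            out.append(f"{dev}/{lm}: source-ip {l['source-ip'][0]} is not {want} of {l['srcintf'][0]}")
    return sorted(out)

# Constructed sample (FW-Campus ISP2 side) seeded with two copy-paste slips.
FW_CAMPUS_ISP2 = """config system interface
edit "port4"
set ip 172.19.102.254 255.255.255.0
next
end
config vpn ipsec phase1-interface
edit "VPN_ISP2_1"
set interface "port4"
set proposal des-md5 des-sha1
next
end
config system ipsec-aggregate
edit "VPN_ISP2"
set member "VPN_ISP2_1"
next
end
config system link-monitor
edit "TRACK-ISP2-GW"
set srcintf "port4"
set source-ip 172.19.101.254
next
end"""
```

lint("FW-Campus", FW_CAMPUS_ISP2) returns three findings on this sample: the mis-sourced link-monitor probe, the aggregate member without the aggregate-member flag, and the weak des-md5 proposal.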

Verification:
Normal
- Link VPN via ISP1 to FW-HQ-1 primary
PC1> ping 10.177.177.1
84 bytes from 10.177.177.1 icmp_seq=1 ttl=63 time=7.039 ms
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=8.375 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=9.426 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=7.734 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=10.160 ms

PC2> ping 10.92.92.1
84 bytes from 10.92.92.1 icmp_seq=1 ttl=63 time=10.037 ms
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=19.060 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=9.428 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=9.223 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=7.831 ms

When the VPN L2L to FW-HQ-1 (172.18.101.2) is down
- Link VPN via ISP1 to FW-HQ-2 (backup, secondary)
PC1> ping 10.177.177.1
10.177.177.1 icmp_seq=1 timeout
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=10.841 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=9.966 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=7.434 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=12.659 ms

PC2> ping 10.92.92.1
84 bytes from 10.92.92.1 icmp_seq=1 ttl=63 time=12.302 ms
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=8.790 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=11.008 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=6.994 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=6.840 ms

When the link to ISP1 at the Branch is down
- Link VPN via ISP1 to FW-HQ-2 backup
PC1> ping 10.177.177.1
10.177.177.1 icmp_seq=1 timeout
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=10.841 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=9.966 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=7.434 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=12.659 ms

PC2> ping 10.92.92.1
84 bytes from 10.92.92.1 icmp_seq=1 ttl=63 time=12.302 ms
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=8.790 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=11.008 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=6.994 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=6.840 ms
