Redundant route-based VPN configuration example

Redundant route-based VPN configuration example

This example demonstrates a fully redundant site-to-site VPN configuration using route-based VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet through different ISPs. This means that there are four possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

  • FortiGate_1 WAN 1 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 1 to FortiGate_2 WAN 2
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 2

 

Example redundant route-based VPN configuration

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.

 

Configuring FortiGate_1

When configuring FortiGate_1, you must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

 

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit.

3. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.21.101.0/255.255.255.0

4. Select the WAN1 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.10.2/255.255.255.0

5. Select the WAN2 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.20.2/255.255.255.0

 

To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_1_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the four VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_1_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_1_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_1_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_1_D

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_D

Distance (Advanced)                4

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and then select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_1_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_1_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_1_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_1_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

 

Configuring FortiGate_2

The configuration for FortiGate_2 is very similar to that of FortiGate_1. You must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

 

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.31.101.0/255.255.255.0

3. Select the WAN1 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.20.2/255.255.255.0

4. Select the WAN2 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.30.2/255.255.255.0

 

To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_2_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the four VPNs

1. On the first VPN route, open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_2_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_2_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_2_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_2_D

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_D

Distance (Advanced)                4

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_2_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_2_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_2_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

15. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_2_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.