IPsec VPN for FortiOS 5.0, Chapter 11: Redundant VPN configurations

Configure the VPN peers - route-based VPN
VPN peers are configured using Interface Mode for redundant tunnels.
Configure each VPN peer as follows:
1. Ensure that the interfaces used in the VPN have static IP addresses.
2. Create a phase 1 configuration for each of the paths between the peers. Enable IPsec Interface mode so that each phase 1 becomes a virtual IPsec interface. Enable dead peer detection so that one of the other paths is activated if this path fails.
Enter these settings in particular, and any other VPN settings as required:
Path 1
    Remote Gateway: Select Static IP Address.
    IP Address: Type the IP address of the primary interface of the remote peer.
    Local Interface: Select the primary public interface of this peer.
    Enable IPsec Interface Mode: Enable
    Dead Peer Detection: Enable
Path 2
    Remote Gateway: Select Static IP Address.
    IP Address: Type the IP address of the secondary interface of the remote peer.
    Local Interface: Select the primary public interface of this peer.
    Enable IPsec Interface Mode: Enable
    Dead Peer Detection: Enable
Path 3
    Remote Gateway: Select Static IP Address.
    IP Address: Type the IP address of the primary interface of the remote peer.
    Local Interface: Select the secondary public interface of this peer.
    Enable IPsec Interface Mode: Enable
    Dead Peer Detection: Enable
Path 4
    Remote Gateway: Select Static IP Address.
    IP Address: Type the IP address of the secondary interface of the remote peer.
    Local Interface: Select the secondary public interface of this peer.
    Enable IPsec Interface Mode: Enable
    Dead Peer Detection: Enable
For more information, see “Auto Key phase 1 parameters”.
3. Create a phase 2 definition for each path. See “Phase 2 parameters”. Select the phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.
4. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.
    Destination IP/Mask: The IP address and netmask of the private network behind the remote peer.
    Device: One of the virtual IPsec interfaces on the local peer.
    Distance: For each path, enter a different value to prioritize the paths.
5. Define the security policy for the local primary interface. See “Defining VPN security policies”. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:
    Incoming Interface: Select the local interface to the internal (private) network.
    Source Address: All
    Outgoing Interface: Select one of the virtual IPsec interfaces you created in Step 2.
    Destination Address: All
    Schedule: Always
    Service: Any
    Action: ACCEPT
6. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:
    Incoming Interface: Select one of the virtual IPsec interfaces you created in Step 2.
    Source Address: All
    Outgoing Interface: Select the local interface to the internal (private) network.
    Destination Address: All
    Schedule: Always
    Service: Any
    Action: ACCEPT
7. Place the policy in the policy list above any other policies having similar source and destination addresses.
8. Repeat this procedure at the remote FortiGate unit.
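The script below is added as a worked example and is not part of the handbook or of FortiOS itself. It expands two public interfaces per peer into the four paths of steps 2 to 6 for one peer, checks that every path has a distinct route distance, and emits the equivalent CLI; the interface names, addresses, PSK placeholder, policy and route IDs are assumptions, and the 5.0 CLI keyword names are as this example's author understands them, to be verified against the unit.

```python
from itertools import product

# Constructed values: interface names, peer addresses (TEST-NET ranges) and
# the remote LAN are assumptions for this example, not from the handbook.
LOCAL_IFACES = ["wan1", "wan2"]               # local primary, secondary public interface
REMOTE_GWS = ["203.0.113.1", "198.51.100.1"]  # remote primary, secondary interface
LAN_IFACE = "internal"                        # interface to the private network
REMOTE_LAN = "10.20.0.0 255.255.0.0"          # private network behind the remote peer

def build_paths():
    """Expand 2 local x 2 remote interfaces into the 4 paths, in handbook order:
    path1 = local primary/remote primary, path2 = local primary/remote secondary,
    path3/path4 from the local secondary. Each path gets its own route distance."""
    return [(f"path{n}", iface, gw, 10 * n)
            for n, (iface, gw) in enumerate(product(LOCAL_IFACES, REMOTE_GWS), 1)]

def check_paths(paths):
    """False if two paths share a distance (they would load-share rather than
    fail over in order) or if a local/remote interface pair is repeated."""
    distances = [d for _, _, _, d in paths]
    pairs = [(i, g) for _, i, g, _ in paths]
    return len(set(distances)) == len(paths) and len(set(pairs)) == len(paths)

def fortios_config(paths):
    """Emit the CLI equivalent of steps 2-6 for one peer (5.0 keyword names as the
    author of this example understands them; verify against your unit)."""
    out = ["config vpn ipsec phase1-interface"]
    for name, iface, gw, _ in paths:           # step 2: one IPsec interface per path
        out += [f'    edit "{name}"', f'        set interface "{iface}"',
                f"        set remote-gw {gw}", "        set dpd enable",
                "        set psksecret PSK_PLACEHOLDER", "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for name, *_ in paths:                     # step 3: phase 2 bound to its phase 1
        out += [f'    edit "{name}-p2"', f'        set phase1name "{name}"', "    next"]
    out += ["end", "config router static"]
    for i, (name, _, _, dist) in enumerate(paths, 1):   # step 4: one route per path
        out += [f"    edit {i}", f"        set dst {REMOTE_LAN}",
                f'        set device "{name}"', f"        set distance {dist}", "    next"]
    out += ["end", "config firewall policy"]
    pid = 0
    for name, *_ in paths:                     # steps 5-6: one policy per direction
        for src, dst in ((LAN_IFACE, name), (name, LAN_IFACE)):
            pid += 1
            out += [f"    edit {pid}", f'        set srcintf "{src}"',
                    f'        set dstintf "{dst}"', '        set srcaddr "all"',
                    '        set dstaddr "all"', "        set action accept",
                    '        set schedule "always"', '        set service "ANY"', "    next"]
    return "\n".join(out + ["end"])
```

Run `print(fortios_config(build_paths()))` after confirming `check_paths()` returns True; the same script run with the local and remote values swapped produces the configuration for the remote peer in step 8.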