Redundant route-based VPN configuration example

Chapter 11 IPsec VPN for FortiOS 5.0 : Redundant VPN configurations : Redundant route-based VPN configuration example

This example demonstrates a fully redundant site-to-site VPN configuration using route-based VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet through different ISPs. This means that there are four possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

• FortiGate_1 WAN 1 to FortiGate_2 WAN 1

• FortiGate_1 WAN 1 to FortiGate_2 WAN 2

• FortiGate_1 WAN 2 to FortiGate_2 WAN 1

• FortiGate_1 WAN 2 to FortiGate_2 WAN 2

Figure 271: Example redundant route-based VPN configuration

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.