
Configure the VPN peers - route-based VPN

For redundant tunnels, the VPN peers are configured in Interface Mode (route-based VPN), so each tunnel appears as a virtual IPsec interface that routes and policies can refer to.

Configure each VPN peer as follows:

  1. Ensure that the interfaces used in the VPN have static IP addresses.
  2. Create a Phase 1 configuration for each of the paths between the peers.
  3. Enable dead peer detection on every Phase 1 so that, when a path fails, its virtual IPsec interface goes down, the route through it is withdrawn and traffic moves to the next path.
  4. Enter these settings in particular, and any other VPN settings as required:

    Path 1 (primary local interface to primary remote interface)
        Remote Gateway         Static IP Address
        IP Address             The IP address of the primary interface of the remote peer
        Local Interface        The primary public interface of this peer
        Dead Peer Detection    Enable

    Path 2 (primary local interface to secondary remote interface)
        Remote Gateway         Static IP Address
        IP Address             The IP address of the secondary interface of the remote peer
        Local Interface        The primary public interface of this peer
        Dead Peer Detection    Enable

    Path 3 (secondary local interface to primary remote interface)
        Remote Gateway         Static IP Address
        IP Address             The IP address of the primary interface of the remote peer
        Local Interface        The secondary public interface of this peer
        Dead Peer Detection    Enable

    Path 4 (secondary local interface to secondary remote interface)
        Remote Gateway         Static IP Address
        IP Address             The IP address of the secondary interface of the remote peer
        Local Interface        The secondary public interface of this peer
        Dead Peer Detection    Enable

For more information, see Phase 1 parameters.

  5. Create a Phase 2 definition for each path. See Phase 2 parameters. For Phase 1, select the Phase 1 configuration (virtual IPsec interface) that you defined for this path; its name appears in the Static IP Address part of the list.
  6. Create a static route for each path to the other peer. With two public interfaces on each peer there are four possible paths between the peer devices, so four routes. Enter these settings in particular:
        Destination IP/Mask    The IP address and netmask of the private network behind the remote peer
        Device                 One of the virtual IPsec interfaces on the local peer
        Distance               A different value for each path. The route with the lowest distance carries traffic while its tunnel is up; the others stand by in order of increasing distance. If two routes had the same distance, both would be active at once rather than one backing up the other.
  7. Define the security policies for each path (each virtual IPsec interface). See Defining VPN security policies. You need two policies per path, one for each direction of traffic, so eight policies for four paths. For the outbound policy, enter these settings in particular:
        Incoming Interface     The local interface to the internal (private) network
        Source Address         All
        Outgoing Interface     One of the virtual IPsec interfaces you created in Step 2
        Destination Address    All
        Schedule               Always
        Service                Any
        Action                 ACCEPT
  8. For the inbound policy, select Create New, leave the Policy Type as Firewall and the Policy Subtype as Address, and enter these settings:
        Incoming Interface     The same virtual IPsec interface you created in Step 2
        Source Address         All
        Outgoing Interface     The local interface to the internal (private) network
        Destination Address    All
        Schedule               Always
        Service                Any
        Action                 ACCEPT
  9. Place these policies in the policy list above any other policies that have similar source and destination addresses, so that VPN traffic matches them first.
  10. Repeat this procedure at the remote FortiGate unit, with the local and remote interfaces swapped.
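The whole per-peer procedure (Steps 2 to 8) rendered as FortiOS CLI by a small generator, so the four-path structure can be seen in one place and the output pasted into a unit. This is an added example, not code from the help page or from Fortinet. The interface names wan1, wan2 and internal, the gateway and network addresses, the tunnel and policy names and the pre-shared key are constructed assumptions; `set dpd on-idle` assumes the FortiOS 5.2 or later syntax (5.0 and 4.3 use `set dpd enable`); and it enables Phase 2 auto-negotiate, which the page's steps do not mention, so that the backup tunnels are established before they are needed.

```python
"""Generate the FortiOS CLI for one peer of a redundant, route-based IPsec VPN.

Added example, not code from the FortiOS help page or from Fortinet. Interface
names, addresses, tunnel names, policy IDs and the pre-shared key are constructed
placeholders. `set dpd on-idle` is the FortiOS 5.2+ syntax; on 5.0 and 4.3 use
`set dpd enable` instead.
"""
from itertools import product

# Constructed input for the local peer (assumptions, not from the page).
LOCAL_IFACES = ["wan1", "wan2"]                 # primary, secondary public interfaces
REMOTE_GWS = ["203.0.113.10", "198.51.100.10"]  # remote peer's primary, secondary IPs
LAN_IFACE = "internal"                          # interface to the local private network
REMOTE_LAN = "10.2.0.0 255.255.0.0"             # private network behind the remote peer
PSK = "replace-with-a-long-random-secret"


def build_paths(local_ifaces, remote_gws):
    """Pair every local public interface with every remote gateway (2 x 2 = 4 paths).

    The order matches the page: path1 = primary/primary, path2 = primary/secondary,
    path3 = secondary/primary, path4 = secondary/secondary. Each path gets a distinct
    route distance; the lowest is used while its tunnel is up, the rest stand by.
    """
    return [
        {"name": f"path{n}", "local_if": lif, "remote_gw": rgw, "distance": 10 * n}
        for n, (lif, rgw) in enumerate(product(local_ifaces, remote_gws), start=1)
    ]


def check_paths(paths):
    """Refuse a path set whose routes would tie: equal distances are both active, not failover."""
    distances = [p["distance"] for p in paths]
    if len(set(distances)) != len(distances):
        raise ValueError(f"route distances must be unique, got {distances}")
    return True


def render_config(paths, lan_iface=LAN_IFACE, remote_lan=REMOTE_LAN, psk=PSK):
    """Steps 2-8 as CLI: Phase 1 with DPD, Phase 2, static routes, two policies per path."""
    check_paths(paths)
    out = ["config vpn ipsec phase1-interface"]
    for p in paths:                                   # Steps 2-4: one Phase 1 per path, DPD on
        out += [f'    edit "{p["name"]}"',
                f'        set interface "{p["local_if"]}"',
                f'        set remote-gw {p["remote_gw"]}',
                '        set dpd on-idle',
                f'        set psksecret "{psk}"',
                '    next']
    out += ["end", "config vpn ipsec phase2-interface"]
    for p in paths:                                   # Step 5: one Phase 2 bound to each Phase 1
        out += [f'    edit "{p["name"]}-p2"',
                f'        set phase1name "{p["name"]}"',
                '        set auto-negotiate enable',  # keeps backup tunnels up (extra to the page)
                '    next']
    out += ["end", "config router static"]
    for i, p in enumerate(paths, start=1):            # Step 6: one route per path, distinct distance
        out += [f'    edit {i}',
                f'        set dst {remote_lan}',
                f'        set device "{p["name"]}"',
                f'        set distance {p["distance"]}',
                '    next']
    out += ["end", "config firewall policy"]
    policy_id = 1
    for p in paths:                                   # Steps 7-8: LAN -> tunnel and tunnel -> LAN
        for src, dst in ((lan_iface, p["name"]), (p["name"], lan_iface)):
            out += [f'    edit {policy_id}',
                    f'        set srcintf "{src}"',
                    f'        set dstintf "{dst}"',
                    '        set srcaddr "all"',
                    '        set dstaddr "all"',
                    '        set action accept',
                    '        set schedule "always"',
                    '        set service "ALL"',
                    '    next']
            policy_id += 1
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(build_paths(LOCAL_IFACES, REMOTE_GWS)))
```

Run it, paste the output into one peer, then swap the local interfaces and remote gateway addresses for the other peer. The policy IDs 1 to 8 are placeholders: the CLI appends new policies to the end of the list, so Step 9 (moving them above broader policies, for example with `move <id> before <id>` inside `config firewall policy`) is still done by hand. Where the two private networks are known, address objects for them in place of `all` keep the tunnels from forwarding traffic that was never meant to cross them.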