FortiGate-3000 Administration Guide, VPN: Redundant IPSec VPNs (01-28006-0010-20041105), page 295
See “To add a firewall policy” on page 204.
6 Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
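Firewall policies are matched top-down, first match wins, so the order above matters: a broad non-encrypt policy placed above an ENCRYPT policy would match the VPN traffic first and send it in the clear. The following checker is an added example, not code from the FortiGate guide; the policy and address names are constructed, and address matching is simplified to wildcard-or-identical.

```python
"""Check the ordering of spoke firewall policies for a redundant IPSec VPN.

Assumes first-match semantics: outbound ENCRYPT policies come first, then
the inbound ENCRYPT policy, then the default non-encrypt policy.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    src: str
    dst: str
    action: str              # "ENCRYPT" or "ACCEPT" (non-encrypt)
    inbound: bool = False    # ENCRYPT policy with "Allow inbound" selected
    outbound: bool = False   # ENCRYPT policy with "Allow outbound" selected

WILDCARDS = {"Internal_All", "External_All", "all"}
RANK = {"outbound-encrypt": 0, "inbound-encrypt": 1, "non-encrypt": 2}

def kind(p: Policy) -> str:
    if p.action == "ENCRYPT":
        return "outbound-encrypt" if p.outbound else "inbound-encrypt"
    return "non-encrypt"

def covers(addr: str, other: str) -> bool:
    """True if address object `addr` matches everything `other` matches."""
    return addr in WILDCARDS or addr == other

def check_order(policies):
    """Return a list of problems; an empty list means the order is acceptable."""
    problems, highest = [], -1
    for i, p in enumerate(policies):
        r = RANK[kind(p)]
        if r < highest:
            problems.append(f"{p.name}: {kind(p)} policy placed after a later-stage policy")
        highest = max(highest, r)
        # An earlier non-encrypt policy covering this ENCRYPT policy's addresses shadows it.
        for q in policies[:i]:
            if p.action == "ENCRYPT" and q.action != "ENCRYPT" \
                    and covers(q.src, p.src) and covers(q.dst, p.dst):
                problems.append(f"{p.name}: shadowed by {q.name}; traffic would leave unencrypted")
    return problems

# Constructed spoke policy set in the recommended order (names are illustrative).
GOOD = [
    Policy("out-to-hub1", "Spoke_LAN", "Hub1_LAN", "ENCRYPT", outbound=True),
    Policy("out-to-hub2", "Spoke_LAN", "Hub2_LAN", "ENCRYPT", outbound=True),
    Policy("in-from-hubs", "Spoke_LAN", "External_All", "ENCRYPT", inbound=True),
    Policy("default", "Internal_All", "External_All", "ACCEPT"),
]
BAD = [GOOD[3]] + GOOD[:3]              # default non-encrypt policy moved to the top
SWAPPED = [GOOD[2], GOOD[0], GOOD[1], GOOD[3]]  # inbound encrypt before outbound encrypt
```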
Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure
multiple connections between the local FortiGate unit and the remote VPN peer
(remote gateway). With a redundant configuration, if one connection fails, the
FortiGate unit establishes a tunnel using the other connection.
The configuration depends on the number of connections that each VPN peer has to
the Internet. For example, if the local VPN peer has two connections to the Internet,
then it can provide one redundant connection to the remote VPN peer.
A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections.
For example, between two VPN peers, one peer can have multiple Internet
connections while the other has only one Internet connection. In the case of an
asymmetrical configuration, the level of redundancy varies from one end of the VPN to
the other.
Configuring redundant IPSec VPNs
For each FortiGate unit, first add multiple (two or more) external interfaces. Then
assign each interface to an external zone. Finally, add a route to the Internet through
each interface.
Source           The local VPN spoke address.
Destination      External_All
Action           ENCRYPT
VPN Tunnel       The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound    Select allow inbound.
Allow outbound   Do not enable.
Inbound NAT      Select inbound NAT if required.
Outbound NAT     Select outbound NAT if required.
Note: The default non-encrypt policy is required to allow the VPN spoke to access other
networks, such as the Internet.
Note: IPSec redundancy is only available to VPN peers that have static IP addresses and that
authenticate themselves to each other with preshared keys or digital certificates. It is not
available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it
available to VPN peers that use manual keys.