FortiGate IPSec VPN User Guide - FirewallShop.com
Redundant VPN configurations
This section discusses the options for supporting redundant and partially redundant IPSec VPNs, using route-based approaches.

The following topics are included in this section:

• Configuration overview
• General configuration steps
• Configure the VPN peers - route-based VPN
• Redundant route-based VPN configuration example
• Partially-redundant route-based VPN example
• Creating a backup IPSec interface
Configuration overview
A FortiGate unit with two interfaces to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection.

A fully-redundant configuration requires redundant connections to the Internet on both peers. Figure 16 on page 84 shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses.

When only one peer has redundant connections, the configuration is partially redundant. For an example of this, see “Partially-redundant route-based VPN example” on page 98. This is useful to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPSec VPN clients.
In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet.

You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used.
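As an added example that is not part of the guide, the FortiGate_1 side of the four-path layout described above in FortiOS CLI: four route-based tunnels, two bound to each Internet-facing interface, and one static route per tunnel ordered by distance. Interface names, addresses, tunnel names and the remote private network are constructed; the phase 2 selectors and firewall policies that the guide covers under its general configuration steps are not shown.

```fortios
# Added example (not from the guide). FortiGate_1 side; peer FortiGate_2 has
# wan1 203.0.113.10 and wan2 198.51.100.10; all addresses/names are constructed.
config vpn ipsec phase1-interface
    edit "wan1_to_peer_wan1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
    edit "wan1_to_peer_wan2"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
    edit "wan2_to_peer_wan1"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
    edit "wan2_to_peer_wan2"
        set interface "wan2"
        set remote-gw 198.51.100.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
end
# One static route per tunnel to the peer's private network (10.0.2.0/24, constructed).
# Only the lowest-distance route is active; the next takes over when that tunnel goes down.
config router static
    edit 1
        set dst 10.0.2.0 255.255.255.0
        set device "wan1_to_peer_wan1"
        set distance 10
    next
    edit 2
        set dst 10.0.2.0 255.255.255.0
        set device "wan1_to_peer_wan2"
        set distance 20
    next
    edit 3
        set dst 10.0.2.0 255.255.255.0
        set device "wan2_to_peer_wan1"
        set distance 30
    next
    edit 4
        set dst 10.0.2.0 255.255.255.0
        set device "wan2_to_peer_wan2"
        set distance 40
    next
end
```

The peer mirrors this with its own interfaces and gateways; failover depends on the FortiGate taking a tunnel interface down when its peer stops responding, since the route distances by themselves do not detect a failed path.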
The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPSec interfaces. This means that the FortiGate unit must operate in NAT/Route mode. You must use auto-keying. A VPN that is created using manual keys (see “Manual-key configurations” on page 111) cannot be included in a redundant-tunnel configuration.
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 83