Fortinet fortigate-200a Betriebsanweisung
VPN
Redundant IPSec VPNs
FortiGate-200A Administration Guide
01-28006-0072-20041105
289
See
6
Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure
multiple connections between the local FortiGate unit and the remote VPN peer
(remote gateway). With a redundant configuration, if one connection fails, the
FortiGate unit establishes a tunnel using the other connection.
multiple connections between the local FortiGate unit and the remote VPN peer
(remote gateway). With a redundant configuration, if one connection fails, the
FortiGate unit establishes a tunnel using the other connection.
The configuration depends on the number of connections that each VPN peer has to
the Internet. For example, if the local VPN peer has two connections to the Internet,
then it can provide one redundant connection to the remote VPN peer.
the Internet. For example, if the local VPN peer has two connections to the Internet,
then it can provide one redundant connection to the remote VPN peer.
A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections.
For example, between two VPN peers, one peer can have multiple Internet
connections while the other has only one Internet connection. In the case of an
asymmetrical configuration, the level of redundancy varies from one end of the VPN to
the other.
For example, between two VPN peers, one peer can have multiple Internet
connections while the other has only one Internet connection. In the case of an
asymmetrical configuration, the level of redundancy varies from one end of the VPN to
the other.
Configuring redundant IPSec VPNs
For each FortiGate unit, first add multiple (two or more) external interfaces. Then
assign each interface to an external zone. Finally, add a route to the Internet through
each interface.
assign each interface to an external zone. Finally, add a route to the Internet through
each interface.
Source
The local VPN spoke address.
Destination
External_All
Action
ENCRYPT
VPN Tunnel
The VPN tunnel name added in step
. (Use the same tunnel for all encrypt
policies.)
Allow inbound Select allow inbound.
Allow outbound Do not enable.
Inbound NAT
Allow outbound Do not enable.
Inbound NAT
Select inbound NAT if required.
Outbound NAT Select outbound NAT if required.
Note: The default non-encrypt policy is required to allow the VPN spoke to access other
networks, such as the Internet.
networks, such as the Internet.
Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that
authenticate themselves to each other with preshared keys or digital certificates. It is not
available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it
available to VPN peers that use manual keys.
authenticate themselves to each other with preshared keys or digital certificates. It is not
available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it
available to VPN peers that use manual keys.