I have a FortiGate 200B unit with two internet WAN connections.
I also have a remote site which I'm connected to via IPsec VPN through WAN1. This site has only one gateway IP address. I'd also like to set up a VPN on top of WAN2 with that specific site as its destination. The default route on my end is WAN1.
My problem is I can't figure out how to have both tunnels up at the same time. What's the best practice for achieving this?
Thanks
You need to configure two phase 1s (and two phase 2s), one for each WAN interface on your 200B. On the secondary/backup tunnel, configure "monitor", as described in the FortiGate cookbook. The reasoning is also there... to summarize, this allows a tunnel to monitor another tunnel and bring itself up when the other tunnel goes down (dead peer detection must also be enabled). You might want to set the "monitor-hold-delay" to something fairly high, to allow you to follow up with your primary ISP and make sure that primary connection isn't flapping. You can be alerted of the change by configuring email alerting, SNMP trap monitoring, or use something like Gateway IP Monitor (I actually have all three configured).

Also, consider your routing needs. Are both interfaces configured via DHCP or PPPoE (but with static addresses)? Do you have ECMP and static routes?
I want to also make the suggestion of creating DNS failover, if you have an internal DNS server. I've covered this in a blog post.
If you ever need to NAT your IPsec packets themselves (to an address other than that bound to the egress interface):
Sorry to include this extra bit of info, but I had a hell of a time figuring it out.
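Here is a worked configuration for the setup the answer above describes (two phase 1s, one per WAN, with the WAN2 tunnel monitoring the WAN1 tunnel, DPD on both, and routes that follow whichever tunnel is up). This is an added example written for this page, not the answerer's own config and not from the FortiGate cookbook. All addresses and object names are made up for illustration: 203.0.113.10 is the remote site's single gateway IP, 192.168.1.0/24 is the local LAN, 192.168.100.0/24 is the remote LAN, and "internal" is the LAN port. The syntax assumes FortiOS 5.2-era CLI; older 4.x/5.0 builds use "set dpd enable" and do not have monitor-hold-delay.

```text
# Two phase 1s to the same remote gateway, one bound to each WAN interface.
# The WAN2 phase 1 stays down while "site-b-wan1" is up and is brought up
# only when DPD declares the WAN1 tunnel dead.
config vpn ipsec phase1-interface
    edit "site-b-wan1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set psksecret "replace-with-a-long-random-shared-secret"
    next
    edit "site-b-wan2"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        # Backup tunnel: watch the primary and take over when it goes down.
        set monitor "site-b-wan1"
        # Seconds to keep using the backup after the primary recovers; set high
        # so a flapping primary link does not bounce traffic back and forth.
        set monitor-hold-delay 300
        set psksecret "replace-with-a-long-random-shared-secret"
    next
end

# One phase 2 per phase 1; auto-negotiate brings the SA up without waiting
# for interesting traffic, so the backup is usable as soon as it is enabled.
config vpn ipsec phase2-interface
    edit "site-b-wan1-p2"
        set phase1name "site-b-wan1"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
    edit "site-b-wan2-p2"
        set phase1name "site-b-wan2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end

# Routes to the remote LAN over both tunnel interfaces. A route over a tunnel
# interface is only active while that tunnel is up, so the lower-distance WAN1
# route wins normally and the WAN2 route takes over on failover. The blackhole
# route at distance 254 catches the case where both tunnels are down, so remote
# LAN traffic is dropped instead of leaking out the default route in the clear.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "site-b-wan1"
        set distance 10
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "site-b-wan2"
        set distance 20
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

config firewall address
    edit "lan-net"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "site-b-net"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Policies must list both tunnel interfaces, or the backup tunnel will pass
# nothing after failover.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "site-b-wan1" "site-b-wan2"
        set srcaddr "lan-net"
        set dstaddr "site-b-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "site-b-wan1" "site-b-wan2"
        set dstintf "internal"
        set srcaddr "site-b-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things to check before relying on this. First, the remote site also needs two phase 1s: IKE peers are matched by source address, so its single gateway must have one phase 1 whose remote-gw is your WAN1 IP and another whose remote-gw is your WAN2 IP, each with its own phase 2 and route. Second, after applying the config, confirm the expected state with "diagnose vpn ike gateway list" (only site-b-wan1 should be established) and "get router info routing-table all" (only the WAN1 tunnel route should be active); then pull the WAN1 cable and watch the WAN2 tunnel come up and its route take over, and note that with the 300-second hold delay it will keep carrying traffic for five minutes after WAN1 returns.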