Fortinet 100 Network Card User Manual


 
IPSec VPN Configuring redundant IPSec VPN
FortiGate-100 Installation and Configuration Guide 203
See “Adding an encrypt policy” on page 197.
6 Arrange the policies in the following order:
outbound encrypt policies
inbound encrypt policy
default non-encrypt policy (Internal_All -> External_All)
Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure
multiple connections between the local the FortiGate unit and the remote VPN peer
(remote gateway). With a redundant configuration, if one connection fails the
FortiGate unit will establish a tunnel using the other connection.
Configuration depends on the number of connections that each VPN peer has to the
Internet. For example, if the local VPN peer has two connections to the Internet, then
it can provide two redundant connections to the remote VPN peer.
A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections.
For example, between two VPN peers, one can have multiple Internet connections
while the other has only one Internet connection. Of course, with an asymmetrical
configuration, the level redundancy will vary from one end of the VPN to the other.
Configuring redundant IPSec VPN
Prior to configuring the VPN, make sure that both FortiGate units have multiple
connections to the Internet. For each unit, first add multiple (two or more) external
interfaces. Then assign each interface to an external zone. Finally, add a route to the
Internet through each interface.
Action ENCRYPT
VPN Tunnel The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt
policies.)
Allow inbound Select allow inbound.
Allow outbound Do not enable.
Inbound NAT Select inbound NAT if required.
Outbound NAT Select outbound NAT if required.
Note: The default non-encrypt policy is required to allow the VPN spoke to access other
networks, such as the Internet.
Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that
authenticate themselves to each other with pre-shared keys or digital certificates. It is not
available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it
available to VPN peers that use manual keys.