Filter
Top Products
204 Fortinet Inc.
Configuring redundant IPSec VPN IPSec VPN
Configure the two FortiGate units with symmetrical settings for their connections to the
Internet. For example, if the remote FortiGate unit has two external interfaces grouped
within one zone, then the local FortiGate unit should have two external interfaces
grouped within one zone.
Similarly, if the remote FortiGate has two external interfaces in separate zones, then
the local FortiGate unit should have two external interfaces in separate zones.
Configuration is made simpler if all external interfaces are grouped within a single
zone, rather than multiple zones. However, this may not always be possible due to
security considerations or other reasons.
After you have defined the Internet connections for both FortiGate units, you can
proceed to configure the VPN tunnel.
To configure IPSec redundancy:
1 Add the phase 1 parameters for up to three VPN connections.
Enter identical values for each VPN connection, with the exception of the Gateway
Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a
static IP address.
See “Adding a phase 1 configuration for an AutoIKE VPN” on page 185.
2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.
• If the Internet connections are in the same zone, add one VPN tunnel and add the
remote gateways to it. You can add up to three remote gateways.
• If the Internet connections are in separate zones or assigned to unique interfaces,
add a VPN tunnel for each remote gateway entered.
See “Adding a phase 2 configuration for an AutoIKE VPN” on page 189.
3 Add the source and destination addresses.
See “Adding a source address” on page 197.
See “Adding a destination address” on page 197.
4 Add encrypt policies for up to three VPN connections.
• If the VPN connections are in the same zone, add one outgoing encrypt policy; for
example an Internal->External policy. Add the AutoIKE key tunnel to this policy.
• If the VPN connections are in different zones, add a separate outgoing encrypt
policy for each connection; for example, an Internal->External and an Internal-
>DMZ policy. The source and destination of both policies must be the same. Add a
different AutoIKE key tunnel to each policy.
See “Adding an encrypt policy” on page 197.