I have a cloud entity and need to create a primary IPsec VPN and a secondary IPsec VPN to on-prem.
I know how to create the VPNs, and they already exist. I’m a bit confused about how to automate the failover to vpn2 when vpn1 goes down. Any help would be appreciated. Thanks.
The simplest way to set up a failover from the FortiGate side is to use the “monitor” command within the phase1 VPN configuration. Here’s a KB article that explains it.
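The “monitor” approach from the reply above, written out as FortiOS CLI. This is an added example, not the poster's configuration or the KB article's text; the tunnel names vpn1/vpn2, the on-prem prefix 10.10.0.0/16 and the DPD timers are assumptions, and the two phase1-interface entries are taken to already exist (only the lines shown are being added). With `set monitor "vpn1"` on vpn2, FortiOS keeps vpn2 down while vpn1 is up and only negotiates it once vpn1 is declared dead, so the vpn2 static route is inactive until failover.

```fortios
# Added example: primary/backup tunnel pair using the phase1 "monitor" option.
# Assumes phase1-interface entries "vpn1" and "vpn2" already exist with
# interface, remote-gw, proposal and psksecret set.
config vpn ipsec phase1-interface
    edit "vpn1"
        # DPD on-idle probes the peer even when no traffic flows, so a
        # powered-off peer is detected rather than a silent blackhole.
        set dpd on-idle
        set dpd-retryinterval 5   # seconds between probes (assumed value)
        set dpd-retrycount 3      # probes missed before the tunnel is declared dead
    next
    edit "vpn2"
        # Backup: stays down while the monitored tunnel "vpn1" is up.
        set monitor "vpn1"
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

# One route per tunnel interface. The vpn2 route is inactive while vpn2 is
# down, so no traffic leaks onto the backup during normal operation.
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0   # assumed on-prem prefix
        set device "vpn1"
    next
    edit 11
        set dst 10.10.0.0 255.255.0.0
        set device "vpn2"
    next
end
```

Firewall policies must exist for both tunnel interfaces (or for a zone containing both), otherwise traffic is dropped after failover even though the route switches. To check the state, `diagnose vpn ike gateway list` shows which tunnel is up and `get router info routing-table all` shows which static route is active.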
Depending on your firmware version and if you have SD-WAN set up, I would use that. Otherwise I would set up zones for the VPN interfaces and OSPF to share routes, detect link failure, and failover.
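The OSPF alternative mentioned above, as an added FortiOS CLI example (not the poster's own config). It assumes the existing tunnels are named vpn1 and vpn2, assumed /30 transit addresses on the tunnel interfaces, an assumed router-id, and that the on-prem side runs OSPF on its tunnel ends with matching timers. Both tunnels stay up; the lower OSPF cost on vpn1 makes it the preferred path, and a dead adjacency (or the tunnel interface going down via DPD) moves the routes to vpn2.

```fortios
# Added example: active/active tunnels with OSPF choosing the preferred path.
# Assumes phase1/phase2 for "vpn1" and "vpn2" already exist.
config system interface
    edit "vpn1"
        set ip 10.255.1.1 255.255.255.255        # assumed transit address
        set remote-ip 10.255.1.2 255.255.255.252 # peer's tunnel address
    next
    edit "vpn2"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.252
    next
end

config system zone
    edit "vpn-zone"
        # One zone for both tunnels: firewall policies reference the zone,
        # so failover needs no policy changes.
        set interface "vpn1" "vpn2"
    next
end

config router ospf
    set router-id 10.255.0.1   # assumed
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-vpn1"
            set interface "vpn1"
            set network-type point-to-point
            set cost 10             # preferred path
            set hello-interval 5    # fast adjacency loss detection (assumed timers)
            set dead-interval 15
        next
        edit "ospf-vpn2"
            set interface "vpn2"
            set network-type point-to-point
            set cost 20             # backup path
            set hello-interval 5
            set dead-interval 15
        next
    end
    config network
        edit 1
            set prefix 10.255.1.0 255.255.255.252
        next
        edit 2
            set prefix 10.255.2.0 255.255.255.252
        next
    end
end
```

Verify with `get router info ospf neighbor` (both neighbors should be Full) and `get router info routing-table ospf`; the learned on-prem prefixes should point at vpn1 until it fails. Note that with OSPF the backup tunnel carries hellos at all times, so it is not a strict cold standby like the phase1 “monitor” option.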
There’s no true primary/secondary setup with SD-WAN as the secondary will always get some traffic. I was not ok with that and our environment was simple enough for me to simply just prioritize one static route over another on both ends of the VPN, and use link monitor (to several public IPs like Google/Cloudflare) to detect failures.
This is how I do it. I set my DPD timeout settings so that a VoIP call only sees 10 seconds of dead time then continues. Telnet sessions pause but are not terminated.
SD-WAN doesn’t seem like the right way to do this. Connectivity to Google DNS or Amazon AWS does not prove connectivity to the peer. Ping Google will not show me when someone powers off the peer modem. IPsec DPD already has everything it needs to determine connectivity to the peer.
For true failover, both peers must have dual ISPs.