IPSec VPN    Redundant IPSec VPNs
Field | Setting
Action | ENCRYPT
VPN Tunnel | The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound | Select allow inbound.
Allow outbound | Do not enable.
Inbound NAT | Select inbound NAT if required.
Outbound NAT | Select outbound NAT if required.
See “Adding an encrypt policy” on page 225.
6. Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default
Note: The default
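The ordering and per-policy rules above (same tunnel for every encrypt policy, the inbound encrypt policy with allow inbound selected and allow outbound off, outbound encrypt policies before the inbound one before the default) can be checked mechanically before a policy list is pushed. The following is an added example, not Fortinet code; it assumes the table above describes the inbound encrypt policy, and the `Policy` class, the sample policy names and tunnel names are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass
class Policy:
    name: str
    action: str            # "ENCRYPT", "ACCEPT" or "DENY"
    direction: str         # "outbound" (internal -> external) or "inbound"
    vpn_tunnel: str = ""   # tunnel name; only meaningful for ENCRYPT policies
    allow_inbound: bool = False
    allow_outbound: bool = False

def _rank(p: Policy) -> int:
    """Position class from step 6: outbound encrypt 0, inbound encrypt 1, default 2."""
    if p.action != "ENCRYPT":
        return 2
    return 0 if p.direction == "outbound" else 1

def check_policy_list(policies: list[Policy]) -> list[str]:
    """Return findings; an empty list means the policy list follows the rules above."""
    findings: list[str] = []
    encrypt = [p for p in policies if p.action == "ENCRYPT"]
    tunnels = {p.vpn_tunnel for p in encrypt}
    if len(tunnels) > 1:  # all encrypt policies must use the same tunnel
        findings.append(f"encrypt policies reference different tunnels: {sorted(tunnels)}")
    for p in encrypt:  # inbound encrypt policy: allow inbound on, allow outbound off
        if p.direction == "inbound":
            if not p.allow_inbound:
                findings.append(f"{p.name}: 'allow inbound' is not selected")
            if p.allow_outbound:
                findings.append(f"{p.name}: 'allow outbound' must not be enabled")
    for prev, cur in zip(policies, policies[1:]):  # order must never go backwards
        if _rank(cur) < _rank(prev):
            findings.append(f"{cur.name} is listed after {prev.name} but must precede it")
    return findings
# Constructed sample: two outbound encrypt policies, the inbound one, then the default.
GOOD = [
    Policy("out_to_siteB", "ENCRYPT", "outbound", "siteB_tunnel"),
    Policy("out_to_siteB_dmz", "ENCRYPT", "outbound", "siteB_tunnel"),
    Policy("in_from_siteB", "ENCRYPT", "inbound", "siteB_tunnel", allow_inbound=True),
    Policy("default", "ACCEPT", "outbound"),
]
# Constructed sample: default above an encrypt policy, a second tunnel, wrong flags.
BAD = [
    Policy("out_to_siteB", "ENCRYPT", "outbound", "siteB_tunnel"),
    Policy("default", "ACCEPT", "outbound"),
    Policy("in_from_siteB", "ENCRYPT", "inbound", "other_tunnel", allow_outbound=True),
]
if __name__ == "__main__":
    for label, plist in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_policy_list(plist) or "OK")
```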
Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one connection fails, the FortiGate unit will establish a tunnel using the other connection.
Configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide two redundant connections to the remote VPN peer.
A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections. For example, between two VPN peers, one can have multiple Internet connections while the other has only one Internet connection. Of course, with an asymmetrical configuration, the level of redundancy will vary from one end of the VPN to the other.
Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with
Configuring redundant IPSec VPN
Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface.
231