IPSec VPN

Redundant IPSec VPNs

Action          ENCRYPT
VPN Tunnel      The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound   Select allow inbound.
Allow outbound  Do not enable.
Inbound NAT     Select inbound NAT if required.
Outbound NAT    Select outbound NAT if required.

See “Adding an encrypt policy” on page 247.

6 Arrange the policies in the following order:

  outbound encrypt policies
  inbound encrypt policy
  default non-encrypt policy (Internal_All -> External_All)

Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
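The order in step 6 matters because the FortiGate unit evaluates firewall policies top-down and applies the first match, so a broad non-encrypt policy placed above the encrypt policies would catch the spoke's traffic before the tunnel does. The following lint is an added example, not code from the guide or from Fortinet; it models policies in Python with constructed address ranges (10.1.0.0/16 and 10.2.0.0/16 are assumed) and reports an encrypt policy shadowed by a wider non-encrypt policy above it, plus the tunnel and inbound-flag rules from the table.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    src_if: str
    dst_if: str
    src: str        # CIDR; "0.0.0.0/0" stands in for Internal_All / External_All
    dst: str
    action: str     # "ENCRYPT" or "ACCEPT" (non-encrypt)
    tunnel: str = ""
    inbound: bool = False
    outbound: bool = False

def _covers(q: Policy, p: Policy) -> bool:
    """True when q matches every packet p matches: same interfaces, wider addresses."""
    return (q.src_if == p.src_if and q.dst_if == p.dst_if
            and ipaddress.ip_network(q.src).supernet_of(ipaddress.ip_network(p.src))
            and ipaddress.ip_network(q.dst).supernet_of(ipaddress.ip_network(p.dst)))

def lint_policies(policies: list) -> list:
    """Problems found in a policy list. Policies are evaluated top-down and the
    first match wins, so a broad non-encrypt policy above an encrypt policy
    catches the spoke's traffic first and it leaves in the clear."""
    problems = []
    encrypt = [p for p in policies if p.action == "ENCRYPT"]
    if len({p.tunnel for p in encrypt}) > 1:
        problems.append("encrypt policies do not all use the same VPN tunnel")
    for p in encrypt:   # the inbound encrypt policy allows inbound only (see the table)
        if p.dst_if == "internal" and not (p.inbound and not p.outbound):
            problems.append(f"{p.name}: inbound encrypt policy must allow inbound only")
    for i, p in enumerate(policies):
        if p.action != "ENCRYPT":
            continue
        for q in policies[:i]:
            if q.action != "ENCRYPT" and _covers(q, p):
                problems.append(f"{p.name} is shadowed by {q.name}")
                break
    return problems

# Constructed sample (not from the guide): spoke LAN 10.1.0.0/16, hub LAN 10.2.0.0/16.
OUT = Policy("out_encrypt", "internal", "external", "10.1.0.0/16", "10.2.0.0/16",
             "ENCRYPT", "to_hub", outbound=True)
IN = Policy("in_encrypt", "external", "internal", "10.2.0.0/16", "10.1.0.0/16",
            "ENCRYPT", "to_hub", inbound=True)
DEFAULT = Policy("default", "internal", "external", "0.0.0.0/0", "0.0.0.0/0", "ACCEPT")
GOOD_ORDER = [OUT, IN, DEFAULT]          # the order from step 6
BAD_ORDER = [DEFAULT, OUT, IN]           # default first: out_encrypt never matches
```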

Redundant IPSec VPNs

To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one connection fails, the FortiGate unit establishes a tunnel using the other connection.

The configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide two redundant connections to the remote VPN peer.

A single VPN peer can be configured with up to three redundant connections.

The VPN peers are not required to have a matching number of Internet connections. For example, between two VPN peers, one peer can have multiple Internet connections while the other has only one Internet connection. In the case of an asymmetrical configuration, the level of redundancy varies from one end of the VPN to the other.

Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with pre-shared keys or digital certificates. It is not available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it available to VPN peers that use manual keys.

FortiGate-800 Installation and Configuration Guide

253
