Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Icaro_IT
Explorer

Redundancy VPN S2S

Good morning

I would like a suggestion on how to perform site-to-site VPN redundancy between a checkpoint and fortigate. Both sides have two ISP links, and both must communicate cross-formation in case of failure of the main ISP

Example image attached

 

0 Kudos
7 Replies
starmen2000
Collaborator
Collaborator

I am interested in this topic too.

0 Kudos
the_rock
Legend
Legend

I will ask one of my colleagues about Fortigate part, but I can tell you this about CP part. Even if you have ISP redundancy enabled, primary isp link failure will NOT automatically guarantee that VPN tunnel will simply continue to work, as Fortigate would never be aware of new IP address.

Andy

0 Kudos
Icaro_IT
Explorer

both sides know the IP of both ISP

0 Kudos
the_rock
Legend
Legend

If both ends know about the IPs of both links, then I dont see why it would not work, since in that case, if there is ever a failure, 2nd link would be able to establish a tunnel.

Andy

0 Kudos
Icaro_IT
Explorer

right, but what is the best way to do this at the checkpoint? based on static route, mode redundancy probe (CP feature), BGP... or just add a start community with two satellites referencing the fortigate side

0 Kudos
the_rock
Legend
Legend

There way smarter people than I on this forum, so Im sure they will chime in, but logically, I would say 2 satellites for FGT end. Not sure BGP would really make much difference here, as you are not doing say xpress route/VPN failover with Azure (just an example)

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor

Route based with static route+priority+ping reachability or bgp+ smaller/bigger announcement (for example announce 192.168.0.0/24 for backup link and announce 192.168.0.0/25 and 192.168.0.128/25 for primary link). Other tips for bgp could be MED or AS-PATH-Prepend.

You can configure two communities or one with two FGT satellites.

Make sure ISP redundancy is applied for vpn too

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events