Fortinet FortiGate Dual VPN setup

Before You Start

Overview

This article illustrates a Dual VPN setup and explains how to connect a secondary tunnel from your environment to a second Ecosystem, which acts as a backup if the primary ISP or Ecosystem fails. With this setup, when the first tunnel is down, traffic automatically starts flowing through the second tunnel to the backup Ecosystem.

Prerequisites

  1. FortiGate installation
  2. Ecosystem set up with proper security policies

How-To

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway.
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

Task 1. Read IPsec Gateway Values Required for FortiGate Configuration

To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel; see the animation below for further instruction.

[Animation: FortiGate - VPN wizard panel]

Task 2. Configure Primary Tunnel on FortiGate with Acreto Primary EcoSystem

  1. In FortiGate, go to VPN > IPsec Tunnels. From the Create New drop-down menu, select IPsec Tunnel.
  2. In the next window, give the primary tunnel a name (this article uses Acreto-ECO-1), select Custom and click Next.
  3. Configure the following VPN settings:
    1. IP Version: IPv4
    2. Remote Gateway: Static IP Address
    3. IP Address: Primary EcoSystem Gateway address
    4. Interface: select the WAN interface
    5. Mode Config: Enable
    6. DPD Retry Interval: 30
  4. Expand Advanced Options and configure as below:
    1. Add Route: Disabled
    2. Authentication Method: Pre-shared Key
    3. Pre-shared Key: enter the pre-shared key
    4. IKE Version: 2
  5. In Phase 1 Proposal, delete all proposals except the two below:
    1. Encryption: AES128, Authentication: SHA256
    2. Encryption: AES128, Authentication: SHA512
    3. DH Group: 15, 14, 2
    4. Key Lifetime: 10800
    5. Local ID: enter the peer ID
  6. In the Phase 2 settings, enter the following:
    1. Encryption: AES128, Authentication: SHA256
    2. Encryption: AES128, Authentication: SHA512
    3. PFS: Enable
    4. DH Group: 15, 14, 2
    5. Autokey Keep Alive: Enable
  7. Click OK to save the VPN settings.

Task 3. Configure Secondary Tunnel on FortiGate with Acreto Secondary EcoSystem

  1. Repeat the steps above to create the secondary tunnel. This article uses Acreto-ECO-2 as the name of the secondary tunnel.

Task 4. Configure IPs on Tunnel Interfaces

This step is required for policy routing to work. Any unused (dummy) addresses can be assigned to the tunnel interfaces; this article uses link-local 169.254.254.x addresses.

  1. Go to Network > Interfaces. Select the Acreto-ECO-1 tunnel interface and click Edit.
  2. Configure the IP as below:
    1. IP: 169.254.254.1
    2. Remote IP: 169.254.254.2/32
  3. Click Save.
  4. Repeat the step to configure the IP on the secondary tunnel interface.
  5. Go to Network > Interfaces. Select the Acreto-ECO-2 tunnel interface and click Edit.
  6. Configure the IP as below:
    1. IP: 169.254.254.3
    2. Remote IP: 169.254.254.4/32
  7. Click Save.

Task 5. Configure Routing for VPN Traffic

  1. Go to Network > Static Routes. Click Create New.
  2. In the next window, configure the static route as below:
    1. Destination: 0.0.0.0/0
    2. Interface: Acreto-ECO-1 (Acreto primary tunnel)
    3. Administrative Distance: 30
  3. Click Save.
  4. Repeat the step to configure a static route for the secondary tunnel.
  5. Go to Network > Static Routes. Click Create New.
  6. In the next window, configure the static route as below:
    1. Destination: 0.0.0.0/0
    2. Interface: Acreto-ECO-2 (Acreto secondary tunnel)
    3. Administrative Distance: 30
  7. Click Save.

Task 6. Configure Policy Route on FortiGate for Traffic from LAN to Acreto

  1. To configure the policy route, go to Network > Policy Routes. Click Create New.
  2. In the next window, configure the policy route settings as below:
    1. Incoming Interface: select the LAN interface
    2. Source - IP/Netmask: 192.168.253.0/24 (LAN network)
    3. Destination - IP/Netmask: 0.0.0.0/0
    4. Outgoing Interface: Acreto-ECO-1 (primary tunnel)
    5. Gateway Address: 169.254.254.2 (Remote IP of the primary tunnel interface)
  3. Click Save.
  4. Repeat the step to configure the policy route for the secondary tunnel.
  5. Go to Network > Policy Routes. Click Create New.
  6. In the next window, configure the policy route settings as below:
    1. Incoming Interface: select the LAN interface
    2. Source - IP/Netmask: 192.168.253.0/24 (LAN network)
    3. Destination - IP/Netmask: 0.0.0.0/0
    4. Outgoing Interface: Acreto-ECO-2 (secondary tunnel)
    5. Gateway Address: 169.254.254.4 (Remote IP of the secondary tunnel interface)
  7. Click Save.
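The same primary-tunnel configuration from Tasks 2, 4, 5 and 6, expressed as a FortiOS CLI fragment. This is an added example written for this article, not configuration from Acreto or Fortinet; "wan1", "internal", the peer address 203.0.113.10, and the Local ID and PSK strings are placeholders for the WAN port, LAN port and the values read from the Acreto Gateway panel.

```text
# Phase 1 for the primary tunnel; "wan1" and 203.0.113.10 are placeholders
config vpn ipsec phase1-interface
    edit "Acreto-ECO-1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set mode-cfg enable
        set dpd on-idle
        set dpd-retryinterval 30
        set add-route disable
        set proposal aes128-sha256 aes128-sha512
        set dhgrp 15 14 2
        set keylife 10800
        set localid "PEER-ID-FROM-GATEWAY-PANEL"
        set psksecret "PSK-FROM-GATEWAY-PANEL"
    next
end
config vpn ipsec phase2-interface
    edit "Acreto-ECO-1"
        set phase1name "Acreto-ECO-1"
        set proposal aes128-sha256 aes128-sha512
        set pfs enable
        set dhgrp 15 14 2
        set keepalive enable
    next
end
# Dummy link-local addresses on the tunnel interface (Task 4)
config system interface
    edit "Acreto-ECO-1"
        set ip 169.254.254.1 255.255.255.255
        set remote-ip 169.254.254.2 255.255.255.255
    next
end
# Default route via the tunnel, administrative distance 30 (Task 5)
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "Acreto-ECO-1"
        set distance 30
    next
end
# Policy route steering LAN traffic into the tunnel (Task 6)
config router policy
    edit 0
        set input-device "internal"
        set src "192.168.253.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 169.254.254.2
        set output-device "Acreto-ECO-1"
    next
end
```

Repeat the fragment for Acreto-ECO-2 with the secondary gateway address, 169.254.254.3/169.254.254.4 on the interface and 169.254.254.4 as the policy-route gateway; the `#` lines are comments and should be dropped if you paste the block into an interactive CLI session.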

Task 7. Configure Firewall Policies to Allow the Traffic

  1. Go to Policy & Objects > Firewall Policy. Click Create New.
  2. In the next window, configure the policy settings as below for the primary VPN:
    1. Name: give the primary policy a name
    2. Incoming Interface: LAN
    3. Outgoing Interface: Acreto-ECO-1 (primary tunnel interface)
    4. Source: LAN address
    5. Destination: all
    6. Schedule: always
    7. Service: ALL
    8. Action: ACCEPT
    9. NAT: Disable
    10. Protocol Options: default
    11. SSL Inspection: no-inspection
    12. Logging: as needed
  3. Click Save.
  4. Repeat the step to create a firewall policy that allows traffic on the secondary VPN.
  5. Go to Policy & Objects > Firewall Policy. Click Create New.
    1. Name: give the secondary policy a name
    2. Incoming Interface: LAN
    3. Outgoing Interface: Acreto-ECO-2 (secondary tunnel interface)
    4. Source: LAN address
    5. Destination: all
    6. Schedule: always
    7. Service: ALL
    8. Action: ACCEPT
    9. NAT: Disable
    10. Protocol Options: default
    11. SSL Inspection: no-inspection
    12. Logging: as needed
  6. Click Save.

Task 8. Check the Status of the VPN

  1. Go to Dashboard > Network > IPsec.
  2. If a tunnel shows as down, select it and click Bring Up.
  3. Primary and secondary VPN selection is handled by the policy routes.

If both tunnels are up, traffic is matched by the policy route listed first, which is the primary tunnel.

Summary

After this setup, there are two tunnels from the FortiGate: the primary tunnel to the Acreto Primary Ecosystem and the secondary tunnel to the Acreto Secondary Ecosystem. If the primary tunnel goes down, all traffic starts flowing through the backup tunnel, which in this case is the secondary tunnel.