Screen OS

  • 1.  Fail-over Route-Based VPN Fortinet

    Posted 02-07-2014 14:27

    I have just built a route-based VPN to a remote site that is up and working. My side is a Netscreen 204, remote site is a Fortinet 60C.

    I want to create a secondary tunnel from my same Netscreen to a second backup site which will be the same kind of device, a F 60C.

    In reading these fora, I have seen two recommendations:

    "Configure two VPNs, one to the first location, one to the other. If using static routes, set the pref or metric value higher on the tunnel int bound to the backup VPN. Use VPN monitoring on the first (adjust vpnmonitor interval and threshold to a reasonable value). When the primary VPN goes down, the tunnel int goes down because of the monitoring. If the outgoing interface goes down, the preferred route goes inactive (don't use the permanent option!), the second route (to your backup VPN's tunnel int) becomes active and voila!

    Dead peer detection must be enabled for it to work."

    Will either VPN monitoring or DPD be an issue with Fortinet not having that? I don't know. Secondly, I couldn't find any KB documents to clarify the "Howto".




  • 2.  RE: Fail-over Route-Based VPN Fortinet

    Posted 02-08-2014 03:58

    I use VPN monitor with a specified IP address instead of the default settings when the remote side is not a Juniper. You select an IP address on the remote tunnel side that will respond to ping, then configure this address.

    When the ping is no longer present, the tunnel routes are withdrawn from the table.

    When the tunnel comes back up, ping is restored and the routes are active again.



  • 3.  RE: Fail-over Route-Based VPN Fortinet

    Posted 02-09-2014 12:26

    OK, this is good news, mostly.



  • 4.  RE: Fail-over Route-Based VPN Fortinet

    Posted 02-09-2014 13:19

    It would be best to create another tunnel interface. That way you don't have to configure NHTB, which is required for tunnel interfaces that terminate multiple tunnels.

    Also, VPN monitor wants to bring the tunnel interface down while ping is not responding. This is what removes the tunnel route from the table.



  • 5.  RE: Fail-over Route-Based VPN Fortinet

    Posted 02-09-2014 13:21

    And I guess for the VPN monitor to work, when you say, "You select an IP address on the remote tunnel side that will respond to ping, then configure this address," both IP addresses have to be addresses specified from the proxy-id ranges?

    For example:

    set vpn "PRIMARY" proxy-id local-ip 10.200.0.0/16 remote-ip 192.168.98.0/24 "ANY"

    so I would have to do something like:

    set vpn "PRIMARY" monitor source-interface loopback.2 destination-ip 192.168.XXX.XXX rekey

    (I chose loopback.2 because I don't have an IP from the range configured on the box, so I set a loopback from the range.)

    Or, can I just use gateway interfaces for the VPN monitor? Those are both interfaces that can ping each other.



  • 6.  RE: Fail-over Route-Based VPN Fortinet
    Best Answer

    Posted 02-09-2014 13:26

    VPN monitor sends a ping down the VPN tunnel, so the address cannot be the remote gateway, as you route to that over the Internet. The address has to be one you reach across the tunnel that will respond to ping.

    This function only generates the ping on the Juniper down the tunnel to the specified address; it does not do any reverse-direction test.
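
    Putting the advice of posts 2, 4 and 6 together, here is a ScreenOS configuration for the NetScreen side of the primary/backup scheme; it is an added illustration, not taken from any post or from Juniper documentation. The Untrust interface name (ethernet3), the two Fortinet gateway addresses, the pre-shared keys, the loopback address and the two monitored hosts behind the peers are assumed placeholders; the proxy-id values are the ones from post 5, and lines beginning with # are annotations rather than CLI.

```text
# Added example (not from the thread). Assumed: ethernet3 is the Untrust interface,
# 203.0.113.10 / 203.0.113.20 are the primary and backup Fortinet gateways, and
# 192.168.98.0/24 is reachable through either site.

# Loopback inside the local proxy-id range, used as the VPN-monitor source (post 5)
set interface loopback.2 zone trust
set interface loopback.2 ip 10.200.255.1/32

# One tunnel interface per VPN, so NHTB is not needed (post 4)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3

# Phase 1 gateways with DPD enabled, as the quoted recommendation in post 1 requires
set ike gateway "GW-PRIMARY" address 203.0.113.10 main outgoing-interface ethernet3 preshare "PRIMARY-PSK-PLACEHOLDER" sec-level standard
set ike gateway "GW-PRIMARY" dpd-liveness interval 10
set ike gateway "GW-PRIMARY" dpd-liveness retry 3
set ike gateway "GW-BACKUP" address 203.0.113.20 main outgoing-interface ethernet3 preshare "BACKUP-PSK-PLACEHOLDER" sec-level standard
set ike gateway "GW-BACKUP" dpd-liveness interval 10
set ike gateway "GW-BACKUP" dpd-liveness retry 3

# Phase 2: each VPN bound to its own tunnel interface, same proxy-id to both sites
set vpn "PRIMARY" gateway "GW-PRIMARY" no-replay tunnel idletime 0 sec-level standard
set vpn "PRIMARY" bind interface tunnel.1
set vpn "PRIMARY" proxy-id local-ip 10.200.0.0/16 remote-ip 192.168.98.0/24 "ANY"
set vpn "BACKUP" gateway "GW-BACKUP" no-replay tunnel idletime 0 sec-level standard
set vpn "BACKUP" bind interface tunnel.2
set vpn "BACKUP" proxy-id local-ip 10.200.0.0/16 remote-ip 192.168.98.0/24 "ANY"

# VPN monitor pings a host *behind* each peer, never the peer's Internet address (post 6);
# the assumed hosts 192.168.98.10 and .20 must answer ICMP. Interval/threshold are global.
set vpn "PRIMARY" monitor source-interface loopback.2 destination-ip 192.168.98.10 rekey
set vpn "BACKUP" monitor source-interface loopback.2 destination-ip 192.168.98.20 rekey
set vpnmonitor interval 10
set vpnmonitor threshold 3

# Static routes: the lower preference value wins. No 'permanent' keyword, so when the
# monitor takes tunnel.1 down its route is withdrawn and the tunnel.2 route becomes active.
set route 192.168.98.0/24 interface tunnel.1 preference 20
set route 192.168.98.0/24 interface tunnel.2 preference 40
```

    As post 6 notes, the monitor only tests the NetScreen-to-peer direction, so the Fortinet side needs its own liveness check (DPD or equivalent) to detect the same failure.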



  • 7.  RE: Fail-over Route-Based VPN Fortinet

    Posted 02-09-2014 14:19

    Thank you, I think I get it.