Tunnel to VPN Concentrator 3000 with redundant connectivity from 2 IPs

mamsupport
Level 1

I am using an IPSec LAN-to-LAN tunnel from a single source computer behind a Fortinet firewall to a single computer behind a VPN Concentrator 3000 (which is behind a PIX firewall).

The Fortinet device has 2 external IPs from which it can connect. The Concentrator/PIX has only 1 external IP to which connections can be made.

I want to be able to alternatively establish the tunnel between the Fortinet and the Concentrator from either of the 2 external IPs on the Fortinet.

I know how to set up the Fortinet to allow this. However, I do not know what to do in the Concentrator to allow for potentially multiple incoming peer IP addresses. Can anyone help?

Is it possible to create a single IPSec LAN-to-LAN connection which has multiple peer IP addresses? Or, would I have to create two similar IPSec LAN-to-LAN connections, each with a different peer IP address?

Thanks for your consideration.

Allan

3 Replies

jackko
Level 7

configuration > tunneling and security > ipsec > lan-to-lan.

when you configure a lan-lan, the 5th parameter is "peers". you can put both Fortinet public IPs there.

according to cisco:

In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, then it tries to connect to the second peer on the list. It continues in this way until it connects to one of the peers on the list.

Thanks for your reply.

I guess one of the main issues for me is that I want the Fortigate firewall to be the one to initiate the connection from one of its public IPs to the Concentrator, not the other way around. The Concentrator only seems to allow multiple peers (as you describe above) when it is in Originate-Only mode, not Bi-Directional or Answer-Only.

Any further help would be appreciated.

Best regards,

Allan

in that case, ezvpn seems to be the way. however, i'm not too sure whether fortigate can be configured as a vpn hardware client or not.
