Redundant VPN with Fortinet using policy-based VPN or VTI?

Hi Team,

I am planning to build tunnels between VyOS 1.2.8 and Fortinet. However, I am wondering if anyone has experience with redundant tunnels between FG and VyOS. Which one should I approach? Policy-based or VTI-based?
On my VyOS router I have two ISP links, while the FG, being in the cloud, has only one internet link. I am planning to build two tunnels going out to the FG.
I guess using VTI-based tunnels and running BGP/ECMP I can utilize both my internet links, and with policy-based I am not sure if I can achieve tunnel failover using DPD?

Please let me know.

Hi @blason,

You’re right, it’s better to use VTI and BGP/ECMP.
And it’s better to choose IKEv2 for IPsec.

Thanks!! Again, not sure if FG supports VTI & BGP/ECMP?

AFAIK, on FortiGate you can specify 0.0.0.0/0 as the IPsec policy, which resembles VTI.
On FortiGate, enable asymmetric routing (allows a request received on one tunnel to be sent back on the other tunnel).
Other issue: you need some policy-based routing rules on VyOS, so encrypted (tunneled) packets having source IP = WAN1 are sent out on WAN1, and those having source IP = WAN2 are sent out on WAN2.

Why would the outbound IP take the WAN1 and WAN2 IP addresses if I don’t masquerade it? I believe once the tunnels are up and have exchanged BGP routes it’s pretty simple then, is it not?
Though I am not aware of the Fortinet end.

Encrypted traffic gets a new IPv4 header, with the remote IPsec peer as destination address and either WAN1-IP or WAN2-IP as source.
Then the default route table will be used to determine how to send out this packet. So you can end up sending spoofed traffic (packets going out on WAN1 having the WAN2 source IP or vice versa).
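
As an added example (not configuration posted by anyone in this thread), here is VyOS configuration for the policy-based routing described above: one extra routing table per ISP, plus local-route rules that pin locally generated packets sourced from each WAN address to that ISP's table, so the outer IPsec header's source IP always matches the egress link. Addresses, interface names and table numbers are constructed placeholders; the syntax follows VyOS 1.2/1.3 and should be checked against your release.

```text
# Constructed example addressing (replace with your own):
#   eth0 = WAN1, 203.0.113.2/30, ISP1 gateway 203.0.113.1
#   eth1 = WAN2, 198.51.100.2/30, ISP2 gateway 198.51.100.1
#   FortiGate public IP 192.0.2.10 (single link)

# One routing table per ISP, each holding only that ISP's default route.
set protocols static table 101 route 0.0.0.0/0 next-hop 203.0.113.1
set protocols static table 102 route 0.0.0.0/0 next-hop 198.51.100.1

# Locally generated packets (IKE on UDP/500 and 4500, ESP) whose source
# is a WAN address are looked up in that ISP's table instead of the main
# table, so a WAN2-sourced packet can never leave via WAN1 or vice versa.
set policy local-route rule 10 source 203.0.113.2
set policy local-route rule 10 set table 101
set policy local-route rule 20 source 198.51.100.2
set policy local-route rule 20 set table 102

# IKE must listen on both WAN interfaces; each tunnel's local-address then
# fixes which WAN IP (and therefore which table above) its outer header uses.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ipsec-interfaces interface eth1
# set vpn ipsec site-to-site peer <tunnel-1> local-address 203.0.113.2
# set vpn ipsec site-to-site peer <tunnel-2> local-address 198.51.100.2

# Verification from configuration mode after commit: each table should show
# only its own default route, and the two source-based rules should appear.
# run show ip route table 101
# run show ip route table 102
# run sudo ip rule show
```

Without these rules a WAN2-sourced ESP packet follows the main table's default route out of WAN1, where many ISPs' anti-spoofing filters silently drop it, which is why one tunnel can appear to flap only when both links are up.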

Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on an st0 interface that is bound to a VPN tunnel. The exchange of dynamic routing information is not supported in policy-based VPNs.

NomNom