What is the best way to achieve HA VPN with FG? 2 tunnels or 4 tunnels?

Hi Team,

On one side I have an FG with two ISPs, let's say ISPFGA and ISPFGB, and on the other side I have VyOS with two ISPs → ISPVYA and ISPVYB.

Now I wanted to configure the failover VPN so that hosts behind the FG can communicate with hosts behind VyOS. In this case, is it advisable to configure 2 tunnels or 4 tunnels? Like:

Scenario 1:
ISPFGA => ISPVYA
ISPFGB => ISPVYB

Or

Scenario 2:
ISPFGA => ISPVYA
ISPFGB => ISPVYB
ISPFGA => ISPVYB
ISPFGB => ISPVYA

Hi, I would configure scenario 2 so your environment can survive an outage of one ISP/router on each side at the same time.

Thanks and how do I achieve failover? VTI tunnels with dynamic routing like BGP or OSPF?

I have configured 4 WireGuard tunnels between my two routers on each side and use OSPF for dynamic routing. I haven’t dealt with BGP yet so I can’t tell what’s better, but OSPF is doing its job quite well. 🙂
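As an added illustration of the four-tunnel design from the VyOS side (not the poster's configuration, and using IPsec VTIs rather than WireGuard, since that is what the FortiGate end supports): VyOS 1.4-style `set` commands, with constructed addresses, one IKE/ESP policy shared by all four peers, and OSPF costs that prefer the two direct tunnels and only fall back to the cross tunnels when both direct ones are down. Interface names, addresses and the peer/group names are assumptions.

```text
# Constructed addressing: VyOS WAN-A 198.51.100.2 (eth0, ISPVYA), WAN-B 203.0.113.2 (eth1, ISPVYB),
# LAN 192.168.20.0/24 (eth2); FG WAN-A 192.0.2.10 (ISPFGA), WAN-B 192.0.2.20 (ISPFGB).
# vti0 = A->A, vti1 = B->B (direct, preferred); vti2 = A->B, vti3 = B->A (cross, backup)
set interfaces vti vti0 address '10.255.0.1/30'
set interfaces vti vti1 address '10.255.0.5/30'
set interfaces vti vti2 address '10.255.0.9/30'
set interfaces vti vti3 address '10.255.0.13/30'

# One IKEv2/ESP policy shared by all four peers; DPD restarts a tunnel whose peer stops answering
set vpn ipsec ike-group IKE-FG key-exchange 'ikev2'
set vpn ipsec ike-group IKE-FG proposal 1 dh-group '19'
set vpn ipsec ike-group IKE-FG proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-FG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-FG dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-FG dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-FG dead-peer-detection timeout '30'
set vpn ipsec esp-group ESP-FG proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-FG proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec interface 'eth1'

# Peer for vti0 (ISPVYA -> ISPFGA). Peers for vti1..vti3 repeat this block with their own
# name, local-address (WAN-A or WAN-B), remote-address (FG WAN-A or WAN-B) and vti bind.
set vpn ipsec authentication psk FGA-VIA-A id '198.51.100.2'
set vpn ipsec authentication psk FGA-VIA-A id '192.0.2.10'
set vpn ipsec authentication psk FGA-VIA-A secret 'REPLACE-WITH-A-STRONG-PSK'
set vpn ipsec site-to-site peer FGA-VIA-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer FGA-VIA-A local-address '198.51.100.2'
set vpn ipsec site-to-site peer FGA-VIA-A remote-address '192.0.2.10'
set vpn ipsec site-to-site peer FGA-VIA-A ike-group 'IKE-FG'
set vpn ipsec site-to-site peer FGA-VIA-A vti bind 'vti0'
set vpn ipsec site-to-site peer FGA-VIA-A vti esp-group 'ESP-FG'

# OSPF over all four VTIs. Direct pairs cost 10, cross pairs cost 20, so traffic only moves
# to a cross tunnel once both direct tunnels are down; the LAN is advertised but kept passive.
set protocols ospf parameters router-id '10.255.255.2'
set protocols ospf area 0 network '10.255.0.0/28'
set protocols ospf area 0 network '192.168.20.0/24'
set protocols ospf interface eth2 passive
set protocols ospf interface vti0 network 'point-to-point'
set protocols ospf interface vti0 cost '10'
set protocols ospf interface vti1 network 'point-to-point'
set protocols ospf interface vti1 cost '10'
set protocols ospf interface vti2 network 'point-to-point'
set protocols ospf interface vti2 cost '20'
set protocols ospf interface vti3 network 'point-to-point'
set protocols ospf interface vti3 cost '20'
```

With the VTI going down when DPD declares a peer dead, OSPF withdraws that path and the remaining tunnels carry the traffic; lowering the per-VTI OSPF hello-interval and dead-interval (or enabling BFD on the VTIs) shortens the time before the route moves.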

How many such devices or sites do you have? I guess managing a small number of sites or locations with this setup will be OK, but as the number of devices or sites grows, it seems it will be difficult to manage?

I have only two sites with each one having two VPN routers. I guess if you have a couple of sites maybe a hub and spoke topology could be an option instead of a full mesh.

Do you mean implement something like DMVPN?

Haven’t dealt with DMVPN yet. Since I only have two sites I can’t make a good recommendation for an HA topology when you have a couple of sites. I was mentioning a hub-and-spoke topology as this is also a common setup when you e.g. have a couple of branch offices connected to the head office.

Maybe someone from the community can recommend a good setup based on their practical experience.
