Allow BOVPN Failover (aka IKEv2 Multi-Peering) with Third Party Gateways

Fireboxes currently support BOVPN failover between WG devices. This allows for multiple gateways to be configured in the phase 1 settings, so in the event of a gateway or ISP outage, the BOVPN can move to the next one in the list.

Unfortunately, this feature is only supported between WG devices, and not third party devices like Cisco ASAs or Fortinet FortiGates. I would love to see this feature add support for third party devices.

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_failover_about_c.html

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Nathan
    The issue with this is that the failover tech used by both Forti and Cisco is proprietary.

    Adding multiple gateway pairs on both sides of the VPN with a reasonable SA life (an hour or so) will effectively create failover; it just won't go back to the top of the gateway endpoint list until the SA life expires. If you're looking to just get a VPN tunnel up on any ISP circuit, that should accomplish what you're looking for.

    -James Carson
    WatchGuard Customer Support