Allow BOVPN Failover (aka IKEv2 Multi-Peering) with Third Party Gateways
Fireboxes currently support BOVPN failover between WG devices. This allows for multiple gateways to be configured in the phase 1 settings, so in the event of a gateway or ISP outage, the BOVPN can move to the next one in the list.
Unfortunately, this feature is only supported between WG devices, and not third party devices like Cisco ASA or Fortinet FortiGates. I would love to see this feature add support for third party devices.
Comments
Hi @Nathan
The issue with this is that the failover tech used by both Forti and Cisco is proprietary.
Adding multiple gateway pairs on both sides of the VPN with a reasonable SA life (an hour or so) will effectively create failover, it just won't go back to the top of the gateway endpoint list until the SA life expires. If you're looking to just get a VPN tunnel up on any ISP circuit, that should accomplish what you're looking for.
-James Carson
WatchGuard Customer Support
Hello James, is there a document describing that approach or could you elaborate a bit what you mean by "adding multiple gateway pairs on both sides"? Can I assign one tunnel to several gateways?
Define multiple gateway endpoints when creating your VPNs. The firewall will try them one at a time in order. If the first does not respond (e.g., the internet is down on that circuit) it will go on to the next one. When the SA expires, it will start this process over again.
See:
(Configure Manual BOVPN Gateways)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/gateways_config_c.html
-James Carson
WatchGuard Customer Support
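The behaviour James describes (ordered gateway endpoints tried top-down, failover when the active one stops responding, and no fail-back to the preferred endpoint until the SA lifetime expires) can be modelled as a small state machine. The block below is an added illustration, not WatchGuard code or a Fireware configuration: the endpoint names, the RFC 5737 documentation addresses, the one-hour SA lifetime, the outage timings and the rule that a DPD failure restarts the search from the top of the list are all constructed assumptions chosen to show the fail-back delay a practitioner should plan for.

```python
"""Model of ordered BOVPN gateway-endpoint failover with SA-lifetime fail-back.

Added illustration, not Firebox code. Assumptions (not from the thread):
- a DPD/keepalive failure on the active endpoint restarts the search from the
  top of the endpoint list;
- reachability and the clock are simulated inputs supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class GatewayEndpoint:
    name: str    # label for the local/remote pair, e.g. which ISP circuit it uses
    local: str   # local external interface address
    remote: str  # peer gateway address


@dataclass
class Tunnel:
    endpoints: List[GatewayEndpoint]   # tried in this order, top-down
    sa_lifetime: int                   # seconds; the thread suggests "an hour or so"
    active: Optional[GatewayEndpoint] = None
    sa_expires_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def negotiate(self, now: int, reachable: Callable[[GatewayEndpoint], bool]):
        """Walk the list from the top; first responding endpoint gets a fresh SA."""
        for ep in self.endpoints:
            if reachable(ep):
                self.active = ep
                self.sa_expires_at = now + self.sa_lifetime
                self.log.append(f"t={now}: SA up via {ep.name} "
                                f"({ep.local} -> {ep.remote}), expires t={self.sa_expires_at}")
                return ep
        self.active, self.sa_expires_at = None, None
        self.log.append(f"t={now}: no gateway endpoint responded")
        return None

    def tick(self, now: int, reachable: Callable[[GatewayEndpoint], bool]):
        """Periodic check. Re-evaluates the list only when the SA lifetime has
        expired or the active endpoint stops responding; a higher-priority
        endpoint coming back online does NOT preempt an SA that is still valid."""
        if self.active is None:
            return self.negotiate(now, reachable)
        if now >= self.sa_expires_at:
            self.log.append(f"t={now}: SA expired, re-evaluating endpoints from the top")
            return self.negotiate(now, reachable)
        if not reachable(self.active):
            self.log.append(f"t={now}: active endpoint {self.active.name} stopped responding")
            return self.negotiate(now, reachable)
        return self.active


def run_scenario(sa_lifetime: int = 3600) -> dict:
    """Constructed scenario: ISP-A circuit fails at t=600 and recovers at t=1200.
    Returns the endpoint name in use at each checkpoint."""
    isp_a = GatewayEndpoint("isp-a", "203.0.113.10", "198.51.100.1")  # preferred pair
    isp_b = GatewayEndpoint("isp-b", "192.0.2.10", "198.51.100.2")    # backup pair
    outage = {"isp_a_down": False}

    def reachable(ep: GatewayEndpoint) -> bool:
        return not (ep is isp_a and outage["isp_a_down"])

    tunnel = Tunnel([isp_a, isp_b], sa_lifetime)
    seen = {}
    seen["t0"] = tunnel.tick(0, reachable).name          # comes up on the preferred pair
    outage["isp_a_down"] = True
    seen["t600"] = tunnel.tick(600, reachable).name      # DPD failure -> moves to isp-b
    outage["isp_a_down"] = False
    seen["t1200"] = tunnel.tick(1200, reachable).name    # isp-a is back, but SA still valid
    expiry = 600 + sa_lifetime                            # SA negotiated at t=600
    seen[f"t{expiry}"] = tunnel.tick(expiry, reachable).name  # expiry -> back to isp-a
    return seen


if __name__ == "__main__":
    for checkpoint, name in run_scenario().items():
        print(f"{checkpoint}: {name}")
```

The checkpoint at t=1200 is the caveat in James's first reply made concrete: the preferred circuit is healthy again, but traffic stays on the backup pair until the SA negotiated at t=600 reaches its lifetime. Shortening the SA lifetime reduces that window at the cost of more frequent rekeys, which is the trade-off to weigh when choosing "an hour or so".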