How to build failover tunnel on the secondary WAN

This article describes how to build a failover tunnel on the secondary WAN.

Scope

FortiGate.

In this scenario, the site-to-site IPSec tunnel has been created as described in this document: Basic site-to-site VPN with pre-shared key, but the tunnel was still down.

The default routes were configured as below:

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

The wan2 route has a distance of 20, which is higher than the wan1 route's distance of 10, so it is not installed in the routing table; hence the IPSec tunnel over wan2 is down.

To have both routes active in the routing table while still using wan2 as the secondary ISP, give both routes the same distance and assign the wan2 route a higher priority number.

Configure the wan2 default route:

config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

Note: The default priority of an interface is 1. The lower the priority number, the higher the preference.
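The following added example (not part of the article, and not FortiOS code) models the static-route selection behaviour the article relies on: only the routes sharing the lowest distance are installed, and among installed routes the lowest priority number is preferred. The route list, interface names and gateway addresses are constructed samples; the model ignores ECMP and link monitoring.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One 'config router static' entry (constructed sample, not FortiOS code)."""
    seq: int
    dst: str
    device: str
    gateway: str
    distance: int
    priority: int = 1  # the article states the default priority is 1


def installed_routes(routes):
    """Routes that reach the routing table: for each destination, only the
    entries sharing the lowest administrative distance are installed."""
    best = {}
    for r in routes:
        best[r.dst] = min(best.get(r.dst, r.distance), r.distance)
    return [r for r in routes if r.distance == best[r.dst]]


def preferred_route(routes, dst="0.0.0.0/0"):
    """Among installed routes for dst, the lowest priority number wins
    (equal priorities would load-balance; this model just returns the first)."""
    candidates = [r for r in installed_routes(routes) if r.dst == dst]
    return min(candidates, key=lambda r: r.priority, default=None)


def tunnel_can_come_up(routes, device):
    """An IPSec tunnel bound to an interface needs an installed route out of
    that interface to reach its peer; here, an installed default via device."""
    return any(r.device == device for r in installed_routes(routes))


# Scenario 1: the article's original configuration (distance 10 vs 20).
BEFORE = [
    StaticRoute(1, "0.0.0.0/0", "wan1", "203.0.113.1", distance=10),
    StaticRoute(2, "0.0.0.0/0", "wan2", "198.51.100.1", distance=20),
]
# Scenario 2: the fix, equal distance, wan2 given a higher priority number.
AFTER = [
    StaticRoute(1, "0.0.0.0/0", "wan1", "203.0.113.1", distance=10),
    StaticRoute(2, "0.0.0.0/0", "wan2", "198.51.100.1", distance=10, priority=10),
]

if __name__ == "__main__":
    for name, routes in (("before", BEFORE), ("after", AFTER)):
        installed = [r.device for r in installed_routes(routes)]
        print(f"{name}: installed={installed} preferred={preferred_route(routes).device}"
              f" wan2_tunnel_possible={tunnel_can_come_up(routes, 'wan2')}")
```

After the fix both defaults are installed, wan1 remains the preferred exit, and wan2 has the route the tunnel needs.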