Site-to-Site VPN not working after making a change to public routing

Good morning everyone,

This weekend we made a change to consolidate our external edge router, which connects to our ISPs for public BGP routing, into the FortiGate 200F that we have.

That was all fine and it worked. Before this, all public connectivity entered on the PUBLIC interface, but now we have two InterConnect interfaces, which are VLAN interfaces that connect directly to our ISP with BGP for announcing our prefixes and getting a default route back.

Since that change, all of the VPNs that I had already migrated to the Forti were considered UP, and diagnostics showed traffic going both ways. However, the connection never seemed to work end-to-end.

What eventually did work was changing the interface, which was previously the PUBLIC interface, to one of the two IC interfaces. The downside to this is that we have had to change the public IP for the VPN connection on which outside customers can reach us. And this IP is now the one on the IC interface provided by our ISP, to which we connect.

Have any of you encountered this issue or situation? Is it possible to use one of my own IPs in the VPN connection and have the VPN connection not be dependent on being on one of the IC interfaces, but be available when one of those fails?

Edit: Creating a loopback interface with an IP that is not used on one of the other subnets did the trick. I have now created a new site-to-site VPN with this method.

Terminate your IPsec VPN tunnels on a loopback interface, and advertise that IP over BGP towards the internet.

“What eventually did work was changing the interface, which was previously the PUBLIC interface, to one of the two IC interfaces.”

This would be a given - you can’t terminate IPsec traffic on an interface which does not have the IP overlay attached to it.

“The downside to this is that we have had to change the public IP for the VPN connection on which outside customers can reach us.”

If the IP changed between the old public interface and the new VLAN interface(s), then yes, this would also be a given.

“Have any of you encountered this issue or situation?”

This is normal and completely expected - it should have been catered for in your change control. You can use any IP address that is assigned or routed to an interface.

“have the VPN connection not be dependent on being on one of the IC interfaces, but be available when one of those fails?”

No, use redundant tunnels and suitable routing to cater for link failure.

I had this sort of issue with a customer. They have two routers for BGP, with two different subnets for two different BGP neighbours, but advertising the same public IP subnet.

I created a loopback interface with a specific IP in the subnet and terminated all VPNs on that interface. Now they are no longer dedicated to a BGP interface.
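The loopback approach that the original poster's edit and the two replies above describe, written out as a FortiOS CLI example. This is an added illustration, not configuration posted by anyone in the thread: the interface names (IC1, IC2, vpn-lo), the documentation-range addresses (203.0.113.0/24 as the locally owned prefix, 198.51.100.20 as the customer's peer, 192.0.2.1 as the ISP's BGP neighbour), the AS numbers and the tunnel name are all placeholders, and exact keywords vary slightly between FortiOS releases, so check them against the version on the box.

```fortios
# Loopback that owns one address from the prefix we announce to the ISP.
# Nothing about this IP is tied to IC1 or IC2, so the tunnel endpoint
# survives the loss of either upstream link as long as the prefix is
# still reachable through the other one.
config system interface
    edit "vpn-lo"
        set vdom "root"
        set type loopback
        set ip 203.0.113.10 255.255.255.255
        set allowaccess ping
    next
end

# Announce the whole owned prefix to the ISP. The BGP session itself still
# rides on the IC interfaces; only the tunnel endpoint moves to the loopback.
# (Placeholder AS numbers and neighbour address.)
config router bgp
    set as 64500
    config neighbor
        edit "192.0.2.1"
            set remote-as 64501
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end

# Terminate the tunnel on the loopback instead of a physical/VLAN interface.
# local-gw pins the IKE source address to the loopback IP so the peer always
# sees the same endpoint regardless of which IC link carries the packet.
config vpn ipsec phase1-interface
    edit "to-customer"
        set interface "vpn-lo"
        set local-gw 203.0.113.10
        set ike-version 2
        set peertype any
        set remote-gw 198.51.100.20
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "to-customer-p2"
        set phase1name "to-customer"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# IKE/ESP arriving on the IC interfaces is destined for the loopback, so it
# crosses a firewall policy boundary and needs an explicit accept. Without
# this policy the tunnel never comes up even though routing is correct.
config firewall address
    edit "vpn-lo-addr"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "allow-ike-esp-to-loopback"
        set srcintf "IC1" "IC2"
        set dstintf "vpn-lo"
        set srcaddr "all"
        set dstaddr "vpn-lo-addr"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end
```

Two practical checks once this is in place: confirm from outside that 203.0.113.10 is reachable via both IC links (the ISP must accept the announced prefix on both sessions), and confirm that the policy count on `allow-ike-esp-to-loopback` increments when the peer initiates IKE, since a tunnel that shows UP in the IPsec monitor but passes no traffic is usually the firewall-policy or return-route side of this, not IKE itself. The one thing the loopback does not buy you is protection against the remote side's single path; redundant tunnels, as the second reply says, are still the answer for that.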