Question 66 Discussion

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two answers)

  • A. In the phase1-interface, enable npu-offload to detect a dead tunnel.
  • B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • C. Enable Dead Peer Detection.
  • D. Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
Correct Answer: B,C

Brave-Dump Clients Votes

BC 100%

Comments



Roberto Kevin Conopuma Damián 2025-10-22 10:00:32

Selected Answers: B, C


"First, create one phase 1 for each path—one phase 1 for the primary VPN and one for the backup VPN. You should also enable DPD on both ends.
Second, create at least one phase 2 definition for each phase 1.
Third, you must add at least one static route for each VPN. Routes for the primary VPN must have a lower distance (or lower priority) than the backup. This causes FortiGate to use the primary VPN while it’s available. If the primary VPN fails, then FortiGate automatically uses the backup route. Alternatively, you could use a dynamic routing protocol, such as OSPF or BGP" (Study Guide, page 396)