Cookbook

Represent multiple IPsec tunnels as a single interface

Use this feature to create a static aggregate interface whose members are IPsec tunnels, with traffic load balanced across the members. You can assign an IP address to the aggregate interface, run dynamic routing on it, and use it as a member interface in SD-WAN.

The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.

To configure multiple IPsec tunnels as a single interface:
  1. Create a site-to-site VPN phase1 interface for each tunnel with net-device disabled:
    config vpn ipsec phase1-interface
        edit tunnel1
            set interface port1
            set net-device disable
            set remote-gw 172.16.100.1
            set psksecret sample
        next
        edit tunnel2
            set interface port2
            set net-device disable
            set remote-gw 172.31.1.1
            set psksecret sample
        next
    end
  2. Configure IPsec aggregation:
    config system ipsec-aggregate
        edit agg1
            set member tunnel1 tunnel2
        next
    end
  3. Configure a firewall policy:
    config firewall policy
        edit 0
            set srcaddr all
            set srcintf port10
            set dstaddr all
            set dstintf agg1
            set schedule always
            set action accept
            set service ALL
        next
    end
  4. Configure a static route:
    config router static
        edit 0
            set device agg1
        next
    end
    
To debug the IPsec aggregation list:
#diagnose sys ipsec-aggregate list
    agg1 algo=RR member=2 run_tally=2
    members:
        tunnel1
        tunnel2
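As an added example that is not part of the Fortinet document, the following Python audit parses a `config vpn ipsec phase1-interface` block together with the `diagnose sys ipsec-aggregate list` output shown above, and flags any listed member whose phase1 does not have `set net-device disable` (required for aggregate members) as well as a `member=` count that disagrees with the listed members. Both inputs below are constructed samples; the parsing is assumed from the output shape on this page.

```python
# Constructed sample config (not from the page); tunnel2 lacks "set net-device disable".
PHASE1_CONFIG = """\
config vpn ipsec phase1-interface
    edit tunnel1
        set interface port1
        set net-device disable
    next
    edit tunnel2
        set interface port2
    next
end
"""
# Constructed sample output, in the shape the page shows for the diagnose command.
DIAG_OUTPUT = """\
agg1 algo=RR member=2 run_tally=2
members:
    tunnel1
    tunnel2
"""

def parse_phase1(text):
    """Map each 'edit <tunnel>' block to its {setting: value} pairs."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value
        elif line == "next":
            current = None
    return tunnels

def parse_aggregate(text):
    # Returns (aggregate name, header fields {algo, member, run_tally}, member names).
    lines = [l.strip() for l in text.strip().splitlines()]
    name, *pairs = lines[0].split()
    fields = dict(p.split("=", 1) for p in pairs)
    return name, fields, lines[lines.index("members:") + 1:]

def audit(phase1_text, diag_text):
    # Findings: member count disagreeing with the list, and members without net-device disable.
    tunnels, (name, fields, members) = parse_phase1(phase1_text), parse_aggregate(diag_text)
    findings = []
    if int(fields["member"]) != len(members):
        findings.append(f"{name}: member={fields['member']} but {len(members)} listed")
    for member in members:
        if tunnels.get(member, {}).get("net-device") != "disable":
            findings.append(f"{member}: net-device is not disabled")
    return findings
```

Run `audit(PHASE1_CONFIG, DIAG_OUTPUT)` against the constructed samples to see tunnel2 reported; feed it a real `show vpn ipsec phase1-interface` dump and diagnose output to check a live aggregate.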