Represent Multiple IPsec Tunnels as a Single Interface
With this feature, you can create a static aggregate interface using IPsec tunnels as members, with traffic load balanced between the members. An IP address can be assigned to the aggregate interface, dynamic routing can run on the interface, and the interface can be a member interface in SD-WAN.
The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.
- Create a site-to-site VPN phase1-interface for each member tunnel with net-device disabled (an aggregate requires net-device disabled on its members):

    config vpn ipsec phase1-interface
        edit tunnel1
            set interface port1
            set net-device disable
            set remote-gw 172.16.100.1
            set psksecret sample
        next
        edit tunnel2
            set interface port2
            set net-device disable
            set remote-gw 172.31.1.1
            set psksecret sample
        next
    end
- Configure IPsec aggregation:
    config system ipsec-aggregate
        edit agg1
            set member tunnel1 tunnel2
        next
    end
- Configure a firewall policy:
    config firewall policy
        edit 0
            set srcintf port10
            set dstintf agg1
            set srcaddr all
            set dstaddr all
            set schedule always
            set service ALL
            set action accept
        next
    end
- Configure a static route:
    config router static
        edit 0
            set device agg1
        next
    end
To list the IPsec aggregate interfaces, their load balancing algorithm and their members:

    # diagnose sys ipsec-aggregate list
    agg1 algo=RR member=2 run_tally=2
    members:
        tunnel1
        tunnel2
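The four load balancing algorithms listed above (L3, L4, round-robin, redundant) differ in how a flow is pinned to a member tunnel and in what happens when a member goes down. The following Python model is an added illustration, not FortiOS code, and its hashing (SHA-256 over the selected header fields) is an assumption chosen only to show the stickiness property of each algorithm; the member names and the default algorithm match the configuration above.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Flow:
    """Minimal header fields an aggregate needs to choose a member (constructed)."""
    src: str
    dst: str
    proto: int = 6
    sport: int = 0
    dport: int = 0


@dataclass
class IpsecAggregate:
    """Model of member selection; 'up' tracks tunnel state, RR keeps a counter."""
    members: list                                   # configured order matters for REDUNDANT
    algo: str = "RR"                                # RR (default), L3, L4, REDUNDANT
    up: dict = field(default_factory=dict)          # tunnel -> bool (missing = up)
    _rr: count = field(default_factory=count)       # round-robin cursor

    def live(self):
        """Members that are currently up, in configured order."""
        return [m for m in self.members if self.up.get(m, True)]

    def pick(self, flow):
        """Return the member tunnel that carries this flow (or raise if none is up)."""
        live = self.live()
        if not live:
            raise RuntimeError("no member tunnel is up")
        if self.algo == "REDUNDANT":
            return live[0]                          # first up member; others are standby
        if self.algo == "RR":
            return live[next(self._rr) % len(live)]  # per-packet rotation, no stickiness
        if self.algo == "L3":
            key = (flow.src, flow.dst)              # all flows of a host pair share a tunnel
        elif self.algo == "L4":
            key = (flow.src, flow.dst, flow.proto, flow.sport, flow.dport)
        else:
            raise ValueError(f"unknown algorithm {self.algo}")
        # Illustrative hash (assumption): stable for a key, spread across live members.
        digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]
```

Changing the live member set re-hashes L3/L4 flows, which is why a member flap can move sessions between tunnels; redundant mode avoids that at the cost of using one tunnel at a time.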