Per packet distribution and tunnel aggregation
This is a sample configuration of aggregating IPsec tunnels by using per-packet load-balancing.
This feature only allows static and DDNS tunnels to be members. Dynamic (dialup) tunnels are not allowed because dialup instances tend to have different locations and hence different routing. This conflicts with the rule that all the members of an aggregate must have the same routing. |
For example, a customer has two ISP connections, wan1 and wan2. On each FortiGate, two IPsec VPN interfaces are created. Next, an ipsec-aggregate
interface is created and added as an SD-WAN member.
Configuring FortiGate 1
To create two IPsec VPN interfaces:
config vpn ipsec phase1-interface edit "vd1-p1" set interface "wan1" set peertype any set net-device disable set aggregate-member enable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.201.2 set psksecret ftnt1234 next edit "vd1-p2" set interface "wan2" set peertype any set net-device disable set aggregate-member enable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.202.2 set psksecret ftnt1234 next end
config vpn ipsec phase2-interface edit "vd1-p1" set phase1name "vd1-p1" next edit "vd1-p2" set phase1name "vd1-p2" next end
To create an IPsec aggregate interface:
config system ipsec-aggregate edit "agg1" set member "vd1-p1" "vd1-p2" set algorithm L3 next end
config system interface edit "agg1" set vdom "root" set ip 172.16.11.1 255.255.255.255 set allowaccess ping set remote-ip 172.16.11.2 255.255.255.255 end
To configure the firewall policy:
config firewall policy edit 1 set name "1" set srcintf "dmz" set dstintf ""virtual-wan-link"" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
To configure SD-WAN:
config system sdwan set status enable config members edit 1 set interface "agg1" set gateway 172.16.11.2 next end end
Configuring FortiGate 2
To create two IPsec VPN interfaces:
config vpn ipsec phase1-interface edit "vd2-p1" set interface "wan1" set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.200.1 set psksecret ftnt1234 next edit "vd2-p2" set interface "wan2" set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.203.1 set psksecret ftnt1234 next end
config vpn ipsec phase2-interface edit "vd2-p1" set phase1name "vd2-p1" next edit "vd2-p2" set phase1name "vd2-p2" next end
To create an IPsec aggregate interface:
config system ipsec-aggregate edit "agg2" set member "vd2-p1" "vd2-p2" set algorithm L3 next end
config system interface edit "agg2" set vdom "root" set ip 172.16.11.2 255.255.255.255 set allowaccess ping set remote-ip 172.16.11.1 255.255.255.255 next end
To configure the firewall policy:
config firewall policy edit 1 set name "1" set srcintf "dmz" set dstintf ""virtual-wan-link"" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
To configure SD-WAN on FortiGate 2:
config system sdwan set status enable config members edit 1 set interface "agg2" set gateway 172.16.11.1 next end end
Related diagnose commands
To display aggregate IPsec members:
# diagnose sys ipsec-aggregate list agg1 algo=L3 member=2 run_tally=2 members: vd1-p1 vd1-p2
To check the VPN status:
# diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=vd1-p1 ver=1 serial=2 172.16.200.1:0->172.16.201.2:0 dst_mtu=0 bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=0 proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=676 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vd1-p1 proto=0 sa=0 ref=1 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 ------------------------------------------------------ name=vd1-p2 ver=1 serial=3 172.16.203.1:0->172.16.202.2:0 dst_mtu=1500 bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=1 proxyid_num=1 child_num=0 refcnt=12 ilast=1 olast=1 ad=/0 stat: rxp=1 txp=1686 rxb=16602 txb=111717 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vd1-p2 proto=0 sa=1 ref=9 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=4 options=10226 type=00 soft=0 mtu=1438 expire=42164/0B replaywin=2048 seqno=697 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 life: type=01 bytes=0/0 timeout=42902/43200 dec: spi=f6ae9f83 esp=aes key=16 f6855c72295e3c5c49646530e6b96002 ah=sha1 key=20 f983430d6c161d0a4cd9007c7ae057f1ff011334 enc: spi=8c72ba1a esp=aes key=16 6330f8c532a6ca5c5765f6a9a6034427 ah=sha1 key=20 e5fe385ed5f0f6a33f1d507601b15743a8c70187 dec:pkts/bytes=1/16536, enc:pkts/bytes=1686/223872 npu_flag=02 npu_rgwy=172.16.202.2 npu_lgwy=172.16.203.1 npu_selid=2 dec_npuid=1 enc_npuid=0