IPsec aggregate for redundancy and traffic load-balancing
This is a sample configuration of a multiple site-to-site IPsec VPN that uses an IPsec aggregate interface to set up redundancy and traffic load-balancing. The VPN tunnel interfaces must have net-device disabled in order to be members of the IPsec aggregate.
Each FortiGate has two WAN interfaces connected to different ISPs. OSPF runs over the IPsec aggregate in this configuration.
The supported load balancing algorithms are: L3, L4, round-robin (default), weighted round-robin, and redundant. The first four options allow traffic to be load-balanced, while the last option (redundant) uses the first tunnel that is up for all traffic.
Dynamic routing can run on the aggregate interface, and it can be a member interface in SD-WAN (not shown in this configuration).
Configuring the HQ1 FortiGate in the GUI
There are five steps to configure the FortiGate:
- Create the IPsec tunnels.
- Create the IPsec aggregate.
- Configure the firewall policies.
- Configure the aggregate VPN interface IPs.
- Configure OSPF.
To create the IPsec tunnels:
- Go to VPN > IPsec Wizard and select the Custom template.
- For Name, enter pri_HQ2 and click Next.
- Enter the following:

  | Phase 1 setting | Value |
  |---|---|
  | IP Address | 172.16.202.1 |
  | Interface | port1 |
  | Device creation | Disabled |
  | Aggregate member | Enabled |
  | Authentication Method | Pre-shared Key |
  | Pre-shared Key | Enter the secure key |
  | IKE Mode | Aggressive |
  | Peer Options Accept Types | Any peer ID |

  | Phase 2 setting | Value |
  |---|---|
  | Auto-negotiate | Enable |

- Configure the other settings as needed.
- Click OK.
- Create another tunnel named sec_HQ2 with the following settings:

  | Phase 1 setting | Value |
  |---|---|
  | IP Address | 172.17.202.1 |
  | Interface | port2 |
  | Device creation | Disabled |
  | Aggregate member | Enabled |
  | Authentication Method | Pre-shared Key |
  | Pre-shared Key | Enter the secure key |
  | IKE Mode | Aggressive |
  | Peer Options Accept Types | Any peer ID |

  | Phase 2 setting | Value |
  |---|---|
  | Auto-negotiate | Enable |
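The two tunnels above, plus the aggregate they join (step 2 of the list at the top of this section), written as FortiOS CLI. This is an added example, not a CLI listing taken from the page: the GUI settings map to the CLI keywords shown (Device creation to net-device, Aggregate member to aggregate-member, Peer Options to peertype), while the phase 1 and phase 2 proposals, the aggregate name agg1, and the <secure-key> placeholder are assumptions. The algorithm line uses the page's stated default, round-robin. The remaining steps (aggregate interface IPs, firewall policies, OSPF) are not included.

```fortios
# Primary tunnel on port1 to HQ2 at 172.16.202.1.
# net-device must be disabled before aggregate-member can be enabled.
config vpn ipsec phase1-interface
    edit "pri_HQ2"
        set interface "port1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set net-device disable
        set aggregate-member enable
        # assumed proposal; match it on the HQ2 side
        set proposal aes256-sha256
        set remote-gw 172.16.202.1
        # placeholder for the pre-shared key entered in the GUI
        set psksecret <secure-key>
    next
    # Secondary tunnel on port2 to HQ2 at 172.17.202.1, same settings otherwise.
    edit "sec_HQ2"
        set interface "port2"
        set ike-version 1
        set mode aggressive
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes256-sha256
        set remote-gw 172.17.202.1
        set psksecret <secure-key>
    next
end

# Phase 2 for each tunnel; auto-negotiate brings the SAs up without waiting for traffic.
config vpn ipsec phase2-interface
    edit "pri_HQ2"
        set phase1name "pri_HQ2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
    edit "sec_HQ2"
        set phase1name "sec_HQ2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

# The aggregate interface built from both tunnels.
# algorithm: round-robin (default), L3, L4, weighted-round-robin, redundant
config system ipsec-aggregate
    edit "agg1"
        set member "pri_HQ2" "sec_HQ2"
        set algorithm round-robin
    next
end
```

After both sides are configured, `diagnose vpn ike gateway list` and `get vpn ipsec tunnel summary` show whether each member tunnel has come up; the aggregate only forwards over members whose phase 2 is established, so a member that stays down is the first thing to check before looking at OSPF. The example keeps the page's aggressive mode; because aggressive mode sends the peer identity and the PSK-derived hash before the exchange is encrypted, the pre-shared key needs to be long and random, and since both gateways here have static addresses, main mode is also an option.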