Packet distribution for aggregate IPsec tunnels using weighted round robin
A weighted round robin algorithm can be used for IPsec aggregate tunnels to distribute traffic by the weight of each member tunnel.
In this example, the FortiGate has two IPsec tunnels combined into an IPsec aggregate. Traffic is distributed among the members, with one third over tunnel1 and two thirds over tunnel2. To achieve this, the weighted round robin algorithm is selected, tunnel1 is assigned a weight of 10, and tunnel2 is assigned a weight of 20.
To create the IPsec aggregate in the GUI:
- Go to VPN > IPsec Tunnels and click Create New > IPsec Tunnel.
- Complete the wizard to create the tunnel1 and tunnel2 custom IPsec tunnels. Ensure that Aggregate member is Enabled for each tunnel under the Network > Advanced section.
- Go to VPN > IPsec Tunnels and click Create New > IPsec Aggregate.
- Enter a name for the aggregate, such as agg1, and ensure that Algorithm is Weighted Round Robin.
- Add tunnel1 as an aggregate member, and set Weight to 10.
- Add tunnel2 as a second aggregate member, and set its Weight to 20.
- Click OK.
- To view and monitor the aggregate tunnel statistics, go to the IPsec widget on the Network dashboard.
To create the IPsec aggregate in the CLI:
- Create the tunnel1 and tunnel2 custom IPsec tunnels with aggregate-member enabled and aggregate-weight set for both tunnels:
    config vpn ipsec phase1-interface
        edit "tunnel1"
            ...
            set aggregate-member enable
            set aggregate-weight 10
            ...
        next
        edit "tunnel2"
            ...
            set aggregate-member enable
            set aggregate-weight 20
            ...
        next
    end
- Create the IPsec aggregate:
    config system ipsec-aggregate
        edit "agg1"
            set member "tunnel1" "tunnel2"
            set algorithm weighted-round-robin
        next
    end
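To check a saved configuration against the intended split, the following added example (not Fortinet code) parses CLI text in the shape shown above and returns the expected traffic share per member, rejecting members that are not enabled as aggregate members. The sample text and the function names parse and aggregate_shares are constructed for illustration; the example assumes flat config blocks and that each member's share is its weight divided by the total weight, as in the 10 and 20 case described above.

```python
import shlex

# Constructed sample in the shape of the CLI above; elided settings are left out.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "tunnel1"
        set aggregate-member enable
        set aggregate-weight 10
    next
    edit "tunnel2"
        set aggregate-member enable
        set aggregate-weight 20
    next
end
config system ipsec-aggregate
    edit "agg1"
        set member "tunnel1" "tunnel2"
        set algorithm weighted-round-robin
    next
end
'''

def parse(text):
    """Map (config path, entry name) -> {setting: [values]}; flat config blocks only."""
    out, section, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line)  # strips the quotes around entry and member names
        if words[:1] == ["config"]:
            section = " ".join(words[1:])
        elif words[:1] == ["edit"]:
            entry = out.setdefault((section, words[1]), {})
        elif words[:1] == ["set"] and entry is not None:
            entry[words[1]] = words[2:]
    return out

def aggregate_shares(text, name):
    """Expected traffic fraction per member tunnel; raises ValueError on inconsistent config."""
    cfg = parse(text)
    agg = cfg[("system ipsec-aggregate", name)]
    if agg.get("algorithm") != ["weighted-round-robin"]:
        raise ValueError(f"{name}: algorithm is not weighted-round-robin")
    weights = {}
    for member in agg["member"]:
        t = cfg.get(("vpn ipsec phase1-interface", member), {})
        if t.get("aggregate-member") != ["enable"] or "aggregate-weight" not in t:
            raise ValueError(f"{member}: not an aggregate member with an explicit weight")
        weights[member] = int(t["aggregate-weight"][0])
    total = sum(weights.values())
    return {member: weight / total for member, weight in weights.items()}
```

Calling aggregate_shares(SAMPLE, "agg1") yields one third for tunnel1 and two thirds for tunnel2.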