IPsec aggregate for redundancy and traffic load-balancing

This is a sample configuration of multiple site-to-site IPsec VPN tunnels that use an IPsec aggregate interface to provide redundancy and traffic load balancing. A tunnel interface can only be a member of an IPsec aggregate if net-device is disabled on it (Device creation set to Disabled in the GUI).

Each FortiGate has two WAN interfaces connected to different ISPs. OSPF runs over the IPsec aggregate in this configuration.

The supported load balancing algorithms are L3, L4, round-robin (default), weighted round-robin, and redundant. The first four distribute traffic across the member tunnels: L3 and L4 hash on the packet's addresses (L3) or addresses and ports (L4), so a given flow stays on one tunnel, while round-robin and weighted round-robin rotate across the tunnels. Redundant does not load-balance; it sends all traffic over the first member tunnel that is up and only moves to the next member when that tunnel goes down.

Dynamic routing can run on the aggregate interface, and it can be a member interface in SD-WAN (not shown in this configuration).

Configuring the HQ1 FortiGate in the GUI

There are five steps to configure the FortiGate:

  1. Create the IPsec tunnels.
  2. Create the IPsec aggregate.
  3. Configure the firewall policies.
  4. Configure the aggregate VPN interface IPs.
  5. Configure OSPF.
To create the IPsec tunnels:
  1. Go to VPN > IPsec Wizard and select the Custom template.

  2. For Name, enter pri_HQ2 and click Next.

  3. Enter the following:

    Phase 1
      IP Address                  172.16.202.1
      Interface                   port1
      Device creation             Disabled
      Aggregate member            Enabled
      Authentication Method       Pre-shared Key
      Pre-shared Key              Enter the secure key
      IKE Mode                    Aggressive
      Peer Options Accept Types   Any peer ID
    Phase 2
      Auto-negotiate              Enable

  4. Configure the other settings (proposals, DH groups, key lifetimes) as needed; they must match the peer tunnel on HQ2. Note that IKEv1 aggressive mode with a pre-shared key sends the peer identity unencrypted and lets an on-path observer capture material for offline guessing of the key, so use a long, randomly generated pre-shared key here.

  5. Click OK.

  6. Create another tunnel named sec_HQ2 with the following settings:

    Phase 1
      IP Address                  172.17.202.1
      Interface                   port2
      Device creation             Disabled
      Aggregate member            Enabled
      Authentication Method       Pre-shared Key
      Pre-shared Key              Enter the secure key
      IKE Mode                    Aggressive
      Peer Options Accept Types   Any peer ID
    Phase 2
      Auto-negotiate              Enable

To create the IPsec aggregate:
  1. Go to VPN > IPsec Tunnels and click Create New > IPsec Aggregate.
  2. For Name, enter agg_HQ2.
  3. Select a load balancing algorithm.
  4. From the Tunnel dropdown, select the tunnels that you created previously (pri_HQ2 and sec_HQ2). If required, enter weights for each tunnel.
  5. Click OK.
To configure the firewall policies:
  1. Go to Policy & Objects > Firewall Policy.

  2. Create an inbound traffic policy with the following settings:

    Name                  inbound
    Incoming Interface    agg_HQ2
    Outgoing Interface    dmz
    Source                172.16.101.0
    Destination           10.1.100.0
    Schedule              always
    Action                ACCEPT
    Service               ALL

  3. Click OK.

  4. Create an outbound traffic policy with the following settings:

    Name                  outbound
    Incoming Interface    dmz
    Outgoing Interface    agg_HQ2
    Source                10.1.100.0
    Destination           172.16.101.0
    Schedule              always
    Action                ACCEPT
    Service               ALL

To configure the aggregate VPN interface IPs:
  1. Go to Network > Interfaces and edit agg_HQ2.
  2. For IP, enter 10.10.10.1.
  3. For Remote IP/Netmask, enter 10.10.10.2 255.255.255.255.
  4. Click OK.
To configure OSPF:
  1. Go to Network > OSPF.
  2. For Router ID, enter 1.1.1.1.
  3. In the Areas table, click Create New.
    1. For Area ID, enter 0.0.0.0.
    2. Click OK.
  4. In the Networks table, click Create New.
    1. Set the Area to 0.0.0.0.
    2. For IP/Netmask, enter 10.1.100.0/24.
    3. Click OK.
    4. Click Create New.
    5. For IP/Netmask, enter 10.10.10.0/24.
    6. Click OK.
  5. Click Apply.
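The same HQ1 configuration expressed in the FortiOS CLI, added here as an example and not taken from the page. The values are the ones from the GUI steps above; the address objects named 172.16.101.0 and 10.1.100.0 (the page references them by name only), the policy IDs 1 and 2, and the PSK_FROM_VAULT placeholder are assumptions. The HQ2 side is the mirror image using the names from the next section (pri_HQ1, sec_HQ1, agg_HQ1, port25, port26, port9).

```fortios
# HQ1 FortiGate. Replace PSK_FROM_VAULT with the real pre-shared key (assumed placeholder).
config vpn ipsec phase1-interface
    edit "pri_HQ2"
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set aggregate-member enable
        set remote-gw 172.16.202.1
        set psksecret PSK_FROM_VAULT
    next
    edit "sec_HQ2"
        set interface "port2"
        set mode aggressive
        set peertype any
        set net-device disable
        set aggregate-member enable
        set remote-gw 172.17.202.1
        set psksecret PSK_FROM_VAULT
    next
end
config vpn ipsec phase2-interface
    edit "pri_HQ2"
        set phase1name "pri_HQ2"
        set auto-negotiate enable
    next
    edit "sec_HQ2"
        set phase1name "sec_HQ2"
        set auto-negotiate enable
    next
end
# Bundle both tunnels; round-robin is the default algorithm.
config system ipsec-aggregate
    edit "agg_HQ2"
        set member "pri_HQ2" "sec_HQ2"
        set algorithm round-robin
    next
end
config system interface
    edit "agg_HQ2"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end
# Address objects named after the subnets (assumed; the page refers to them by name only).
config firewall address
    edit "172.16.101.0"
        set subnet 172.16.101.0 255.255.255.0
    next
    edit "10.1.100.0"
        set subnet 10.1.100.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "inbound"
        set srcintf "agg_HQ2"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "dmz"
        set dstintf "agg_HQ2"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end
```

After both sides are configured, `diagnose vpn tunnel list` should show both member tunnels up and `get router info ospf neighbor` should list the HQ2 peer over agg_HQ2. Take one WAN link down to confirm that OSPF stays up over the surviving member rather than re-converging.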

Configuring the HQ2 FortiGate in the GUI

There are five steps to configure the FortiGate:

  1. Create the IPsec tunnels.
  2. Create the IPsec aggregate.
  3. Configure the firewall policies.
  4. Configure the aggregate VPN interface IPs.
  5. Configure OSPF.
To create the IPsec tunnels:
  1. Go to VPN > IPsec Wizard and select the Custom template.

  2. For Name, enter pri_HQ1 and click Next.

  3. Enter the following:

    Phase 1
      IP Address                  172.16.200.1
      Interface                   port25
      Device creation             Disabled
      Aggregate member            Enabled
      Authentication Method       Pre-shared Key
      Pre-shared Key              Enter the secure key
      IKE Mode                    Aggressive
      Peer Options Accept Types   Any peer ID
    Phase 2
      Auto-negotiate              Enable

  4. Configure the other settings as needed; they must match the corresponding tunnel on HQ1, including the pre-shared key.

  5. Click OK.

  6. Create another tunnel named sec_HQ1 with the following settings:

    Phase 1
      IP Address                  172.17.200.1
      Interface                   port26
      Device creation             Disabled
      Aggregate member            Enabled
      Authentication Method       Pre-shared Key
      Pre-shared Key              Enter the secure key
      IKE Mode                    Aggressive
      Peer Options Accept Types   Any peer ID
    Phase 2
      Auto-negotiate              Enable

To create the IPsec aggregate:
  1. Go to VPN > IPsec Tunnels and click Create New > IPsec Aggregate.
  2. For Name, enter agg_HQ1.
  3. Select a load balancing algorithm.
  4. From the Tunnel dropdown, select the tunnels that you created previously (pri_HQ1 and sec_HQ1). If required, enter weights for each tunnel.
  5. Click OK.
To configure the firewall policies:
  1. Go to Policy & Objects > Firewall Policy.

  2. Create an inbound traffic policy with the following settings:

    Name                  inbound
    Incoming Interface    agg_HQ1
    Outgoing Interface    port9
    Source                10.1.100.0
    Destination           172.16.101.0
    Schedule              always
    Action                ACCEPT
    Service               ALL

  3. Click OK.

  4. Create an outbound traffic policy with the following settings:

    Name                  outbound
    Incoming Interface    port9
    Outgoing Interface    agg_HQ1
    Source                172.16.101.0
    Destination           10.1.100.0
    Schedule              always
    Action                ACCEPT
    Service