Technical Tip: Represent Multiple IPsec Tunnels as a Single Interface
Description
This article shows a new option on FortiOS 6.2 to represent multiple IPsec tunnels as a single interface.
Scope
FortiGate.
Solution
This feature lets you create a static aggregate interface with IPsec tunnels as its members; traffic is load balanced between the member tunnels.
An IP address can be assigned to the aggregate interface, dynamic routing can run on the interface, and the interface can be a member interface in SD-WAN.
The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.

- Create a site-to-site VPN phase1 interface for each tunnel, with net-device disabled and aggregate-member enabled:
    config vpn ipsec phase1-interface
        edit tunnel1
            set interface port1
            set net-device disable
            set remote-gw 172.16.100.1
            set psksecret sample
            set aggregate-member enable
        next
        edit tunnel2
            set interface port2
            set net-device disable
            set remote-gw 172.31.1.1
            set psksecret sample
            set aggregate-member enable
        next
    end
- Configure the IPsec aggregate interface with both tunnels as members (the algorithm defaults to round-robin):
    config system ipsec-aggregate
        edit agg1
            set member tunnel1 tunnel2
        next
    end
- Configure a firewall policy:
end
- Configure a static route that uses the aggregate interface as its device:
    config router static
        edit 0
            set device agg1
        next
    end
- Verify the aggregate and its members:
    diagnose sys ipsec-aggregate list
    agg1 algo=RR member=2 run_tally=2
    members:
    tunnel1
    tunnel2
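The diagnose output above is the natural place to watch for a silently degraded aggregate: 'member' is the configured count and 'run_tally' the number of tunnels currently in the rotation, so a run_tally below member means at least one tunnel is down while the interface itself stays up. The following parser is an added example, not FortiOS code or part of the original article; it assumes the one-line header format shown above, and the second aggregate (agg2, tunnel3, tunnel4) in the sample is constructed to show the degraded case.

```python
"""Parse 'diagnose sys ipsec-aggregate list' output and flag degraded aggregates.

Hypothetical monitoring helper, not part of FortiOS. The line format is assumed
from the single sample in the article; 'agg2' below is a constructed example.
"""
import re
from dataclasses import dataclass, field

# Header line, e.g. "agg1 algo=RR member=2 run_tally=2"
HEADER_RE = re.compile(
    r"^(?P<name>\S+)\s+algo=(?P<algo>\S+)\s+member=(?P<member>\d+)\s+run_tally=(?P<run>\d+)\s*$"
)


@dataclass
class Aggregate:
    name: str
    algo: str
    member: int        # configured member count
    run_tally: int     # members currently carrying traffic
    members: list = field(default_factory=list)

    def degraded(self) -> bool:
        # Fewer running members than configured means a tunnel is down
        # even though the aggregate interface itself is still up.
        return self.run_tally < self.member


def parse(output: str) -> list:
    """Turn the diagnose output into a list of Aggregate records."""
    aggs = []
    current = None
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Aggregate(m["name"], m["algo"], int(m["member"]), int(m["run"]))
            aggs.append(current)
            in_members = False
        elif line == "members:":
            in_members = True
        elif in_members and current is not None:
            current.members.append(line)
    return aggs


def report(output: str) -> dict:
    """Map each aggregate name to 'OK' or a 'DEGRADED running/configured' string."""
    return {
        a.name: "OK" if not a.degraded() else f"DEGRADED {a.run_tally}/{a.member}"
        for a in parse(output)
    }


# Constructed sample: agg1 is the article's output, agg2 has one member down.
SAMPLE = """\
agg1 algo=RR member=2 run_tally=2
members:
tunnel1
tunnel2
agg2 algo=RR member=2 run_tally=1
members:
tunnel3
tunnel4
"""

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name}: {status}")
```

Feeding the real output (collected over SSH or the REST API's CLI monitor) into report() and alerting on any DEGRADED entry catches a failed member that a simple interface-up check on agg1 would miss.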
Note: 'aggregate-member' must be enabled under 'config vpn ipsec phase1-interface' before the tunnel can be added as an aggregate member. To enable 'aggregate-member' on an existing tunnel, first remove all references to that tunnel, such as firewall policies and static routes. 'aggregate-member' cannot be enabled on a dial-up tunnel.
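The prerequisites in the procedure and the note above (net-device disabled, aggregate-member enabled, no dial-up tunnels as members) are easy to check offline against a saved configuration before pushing it. The linter below is an added example, not a FortiOS feature or code from the article; it assumes the flat config/edit/set/next/end layout shown in this article, that a dial-up tunnel is one with 'set type dynamic', and that each required setting is stated explicitly rather than left at its default. The configuration samples are constructed: GOOD mirrors the article, BAD adds two hypothetical tunnels (tunnel3, tunnel4) that violate the rules.

```python
"""Lint a FortiOS config excerpt for IPsec aggregate member prerequisites.

Hypothetical checker, not part of FortiOS. Assumes the flat
config/edit/set/next/end structure used in the article and treats
'set type dynamic' as the marker of a dial-up tunnel.
"""


def parse_blocks(text: str) -> dict:
    """Return {config_path: {entry_name: {key: value}}} from FortiOS CLI text."""
    tree = {}
    path = []    # stack of open 'config ...' paths
    entry = []   # current 'edit' name per open config block (None outside an edit)
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            path.append(" ".join(tok[1:]))
            entry.append(None)
            tree.setdefault(path[-1], {})
        elif cmd == "edit" and path:
            entry[-1] = " ".join(tok[1:])
            tree[path[-1]].setdefault(entry[-1], {})
        elif cmd == "set" and entry and entry[-1] is not None and len(tok) >= 3:
            tree[path[-1]][entry[-1]][tok[1]] = " ".join(tok[2:])
        elif cmd == "next" and entry:
            entry[-1] = None
        elif cmd == "end" and path:
            path.pop()
            entry.pop()
    return tree


def lint(text: str) -> list:
    """Return a list of human-readable problems; an empty list means all members qualify."""
    tree = parse_blocks(text)
    phase1 = tree.get("vpn ipsec phase1-interface", {})
    problems = []
    for agg, settings in tree.get("system ipsec-aggregate", {}).items():
        for member in settings.get("member", "").split():
            p1 = phase1.get(member)
            if p1 is None:
                problems.append(f"{agg}: member {member} has no phase1-interface")
                continue
            if p1.get("net-device") != "disable":
                problems.append(f"{agg}: {member} needs 'set net-device disable'")
            if p1.get("aggregate-member") != "enable":
                problems.append(f"{agg}: {member} needs 'set aggregate-member enable'")
            if p1.get("type") == "dynamic":
                problems.append(f"{agg}: {member} is a dial-up tunnel and cannot be a member")
    return problems


# Constructed sample matching the article: both members qualify.
GOOD = """
config vpn ipsec phase1-interface
    edit tunnel1
        set interface port1
        set net-device disable
        set remote-gw 172.16.100.1
        set psksecret sample
        set aggregate-member enable
    next
    edit tunnel2
        set interface port2
        set net-device disable
        set remote-gw 172.31.1.1
        set psksecret sample
        set aggregate-member enable
    next
end
config system ipsec-aggregate
    edit agg1
        set member tunnel1 tunnel2
    next
end
"""

# Constructed sample: tunnel3 lacks aggregate-member, tunnel4 is dial-up.
BAD = """
config vpn ipsec phase1-interface
    edit tunnel3
        set interface port1
        set net-device disable
        set remote-gw 192.0.2.10
        set psksecret sample
    next
    edit tunnel4
        set interface port2
        set type dynamic
        set net-device disable
        set psksecret sample
        set aggregate-member enable
    next
end
config system ipsec-aggregate
    edit agg2
        set member tunnel3 tunnel4
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(cfg) or "ok")
```

Running lint() over a configuration backup before applying the aggregate step avoids the "remove all references, then re-enable" detour the note describes, because a tunnel that still lacks 'aggregate-member enable' is reported before it is ever referenced by agg1.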
Related articles: