Skip to main content
martyyy
martyyy
Explorer III
October 9, 2024
Solved

Cannot add the aggregate vpn member

  • October 9, 2024
  • 1 reply
  • 2134 views

Hi There,

I tried to create a aggregate VPN between two fortigate node. FOS 7.0.14.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/779544/ipsec-aggregate-for-redundancy-and-traffic-load-balancing

there are two VPN tunnel established already. and I added one tunnel to the aggregate vpn successfully. But I cannot add another member into the group.

according to the guidance, I have to set aggregate-member enable. But I cannot do it, check the error message below.

 # next
Please enable phase2 auto-negotiate if ipsec-aggregate uses redundant algorithm.
This interface is currently in use.
object set operator error, -23, roll back the setting
Command fail. Return code 1

I tried to enable the phase 2 autonegotiation and delete the vpn tunnel and create a new one. the result is same.

I tried to disable the virtual interface but the result is same. Since there is traffic on the physical interface already. I cannot disable it. I don't want to break the service.

Appreciate your advice on how I can achieve it? TIA :) 

Best answer by AlexC-FTNT

"Please enable phase2 auto-negotiate if ipsec-aggregate uses redundant algorithm."

-- this will be displayed even when "set auto-negotiate enable" is set
"This interface is currently in use." 

-- this is probably the source of the problem - you need to make sure the interface is removed from all policies before adding it to aggregate

1 reply

AlexC-FTNT
Staff
AlexC-FTNTAnswer
Staff
October 9, 2024

"Please enable phase2 auto-negotiate if ipsec-aggregate uses redundant algorithm."

-- this will be displayed even when "set auto-negotiate enable" is set
"This interface is currently in use." 

-- this is probably the source of the problem - you need to make sure the interface is removed from all policies before adding it to aggregate

    martyyy
    martyyyAuthor
    Explorer III
    October 10, 2024

    Hi @AlexC-FTNT ,

     

    Thanks for your reply,  I delete all the policy and create the new tunnel again. it works. Now I can see the aggregate VPN is working.

    But it seems the routing table choose one member only rather than the aggregate VPN IP X.X.X.X

    # get router info routing-table de x.x.x.x

    Routing table for VRF=0
    Routing entry for x.x.x.x/16
    Known via "static", distance 10, metric 0, best
    * via TAL_IND_Aggress tunnel x.x.x.x vrf 0, tun_id

    I check the OSPF status and it is not up.
    get rou info ospf neighbor
    OSPF process 0, VRF 0:
    Neighbor ID Pri State Dead Time Address Interface


    does the OSPF work here?

    In addition, I add the policy to allow SSLVPN user to access the aggregate VPN tunnel, but the policy lookup always failed due to the route lookup failure. Is it related to this?

     

    Thank you :) 

    AlexC-FTNT
    Staff
    AlexC-FTNT
    Staff
    October 11, 2024

    I'm not so sure I can give an exact answer, but for your case, the SDWAN solution seems to apply better. Maybe post a separate topic for this to troubleshoot, if you want to use aggregate ipsec instead of sdwan

      Terms & ConditionsAccessibility statement