Is a FortiGate IPsec-Aggregate to AWS VPN Possible?
I have set up a couple of FortiGate VPN connections to AWS in the past, and it was with two individual IPsec VPN tunnels with two static routes that had different administrative distances. Each IPsec tunnel required me to enter a /30 CIDR IP address rather than 0.0.0.0, which affected the static route's Gateway IP through the VPN tunnel. I wanted to see if it is possible to create a redundant Aggregate VPN tunnel to both AWS VPN tunnels rather than two individual sets of IPsec VPNs (2x IPsec tunnels, Firewall Policies, Static Routes, etc.).
Creating the two tunnels and joining them into the Aggregate tunnel is simple enough, but I need clarification when it comes to the static route(s) and the two AWS IPv4 CIDR addresses. The original configuration required manually adding a /30 IPv4 CIDR for each tunnel, which updates the Gateway IP for each static route. It seems that an IPsec-Aggregate only allows one entry from 0.0.0.0/0.
