Skip to main content
dkirchhoff-BE
dkirchhoff-BE
New Member
March 25, 2025
Question

Redundant or Round-Robin VPN configuration

  • March 25, 2025
  • 1 reply
  • 991 views

I'm trying to modify/enhance our user VPN experience.

While trying to add the FortiClient VPN to a Linux laptop, we could not see any of our configured IPsec tunnels.

Later found out that the Linux client is not compatible with any tunnels configured with IKE 1.

So, we will have to change to IKE 2.  (lesson learned... don't use the 'Wizard')

While asking these questions, I also asked how we could potentially create a Single tunnel that could access both of the IPsec VPN's on our 2 separate ISP circuits.

I was shown that I can add multiple VPN's to the VPN 'profile' in EMS

Now my questions are ...  is that all/enough?  Or do I also need to create a VPN 'Aggregate' on the FortiGate too ??

How does the FortiClient profile determine how an end user connection chooses the appropriate tunnel?

Round Robin by default ??

 

At least the 'Aggregate' configuration in the FortiGate allows me to choose between several methods.

Then at the FortiGate, how do I modify each tunnel to enable 'aggregate-member' ?  (lesson learned, don't use the wizard ?) so I can add VPN tunnels to an Aggregate.

 

Any help would be appreciated.

1 reply

AEK
SuperUser
AEK
SuperUser
March 25, 2025

FortiClient can't connect to more than one VPN at a time. As far as I know you can configure auto-connect o one tunnel only.

AEK
    dkirchhoff-BE
    dkirchhoff-BEAuthor
    New Member
    March 26, 2025

    Yes, I understand that.  What I'm trying to do is make 2 VPN tunnels available to users without them having to manually select one.  As you know, most users are ~lazy and just select the first choice (VPN1) and therefore, most of the connected FortiClient traffic is on that first VPN.  Then I get complaints that the performance is poor....  well, why don't you choose the other one... 'what other one' is the response....

    I'm trying to make this ~easy so that both VPN tunnels get some traffic and try to balance.

     

    So, is that better achieved by creating a IPsec Aggregate at the FortiGate, or simply putting both VPN's in the 'remote gateway' field of the 'Basic Settings' of the VPN tunnel profile on the EMS server ?

     

    OR... leveraging the SDWAN configuration of the 2 Internet circuits at the FortiGate ??

    AEK
    SuperUser
    AEK
    SuperUser
    March 26, 2025

    In that case I think you can define one public DNS A record with two IP addresses, and the DNS will do the load balancing job for you. I mean this DNS record should lead to approximately 50% on the first VPN and 50% on the second.

    AEK
      Terms & ConditionsCookie settingsAccessibility statement