Created on 08-12-2019 08:39 AM Edited on 12-16-2021 02:32 AM By Anonymous
Description
This article describes how to aggregate tunnel members interfaces. Starting from 6.2.1, aggregate-member has to be enabled in the phase 1 IPsec Tunnel.
Solution
In the example below, two Phase1 interfaces have been created as pri_HQ1 and sec_HQ1. For both tunnels, the aggregate-member in the Phase 1 has been enabled.
# config vpn ipsec phase1-interface
edit "pri_HQ1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.202.1
set psksecret sample1
set aggregate-member enable
next
edit "sec_HQ1"
set interface "port2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.17.202.1
set psksecret sample2
set aggregate-member enable
next
end
# config vpn ipsec phase2-interface
edit "pri_HQ1"
set phase1name "pri_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "sec_HQ1"
set phase1name "sec_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
Now, the members in the aggregate should be added as below:
# config system ipsec-aggregate
edit AGGREGATE
set member pri_HQ1 sec_HQ1
end
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.