Description
This article describes how to aggregate several IPsec tunnel interfaces into a single aggregate interface. Starting from FortiOS 6.2.1, aggregate-member has to be enabled in the Phase 1 of each IPsec tunnel before the tunnel can be added to an aggregate.
Scope
FortiGate.
Solution
In the example below, two Phase 1 interfaces have been created, pri_HQ1 on port1 and sec_HQ1 on port2, and aggregate-member has been enabled in the Phase 1 of both tunnels. The proposal lists are sample values; in production, trim them to the strongest algorithms both peers support and drop the SHA-1 entries unless an older peer requires them.
config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample1
        set aggregate-member enable
    next
    edit "sec_HQ1"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.202.1
        set psksecret sample2
        set aggregate-member enable
    next
end
config vpn ipsec phase2-interface
    edit "pri_HQ1"
        set phase1name "pri_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ1"
        set phase1name "sec_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
The members are then added to the aggregate as below:
config system ipsec-aggregate
    edit "AGGREGATE"
        set member "pri_HQ1" "sec_HQ1"
    next
end
From this point on, reference the AGGREGATE interface, not the individual member tunnels, in static routes and firewall policies.
Note:
Before an IPsec tunnel can be added as an aggregate member, all references to its interface (firewall policies, static routes, etc.) must be removed. Otherwise, the set member command fails with the following errors:
    This interface is currently in use.
    object set operator error, -23, roll back the setting
    Command fail. Return code -23
It is not possible to add a dialup tunnel as an aggregate member.
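As an added example, not part of the original article or of any Fortinet tool, the following Python script performs the pre-flight check described in the note above on a FortiOS CLI configuration dump: for every tunnel listed under config system ipsec-aggregate it reports a missing Phase 1, a Phase 1 without aggregate-member enabled, a dialup tunnel, and any firewall policy or static route that still references the member interface. The sample configuration is constructed for the example, and dialup tunnels are assumed to be recognisable by set type dynamic in their Phase 1.

```python
"""Added example (not Fortinet code): pre-flight check for a FortiGate IPsec
aggregate.  Parses a FortiOS CLI config dump and reports, for each member
under 'config system ipsec-aggregate', what would make 'set member' fail or
make the tunnel unsuitable: no such Phase 1, aggregate-member not enabled,
a dialup tunnel (assumption: 'set type dynamic'), or a firewall policy or
static route that still references the member interface."""
import shlex

# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set aggregate-member enable
    next
    edit "sec_HQ1"
        set aggregate-member enable
    next
    edit "dial_HQ1"
        set type dynamic
        set aggregate-member enable
    next
end
config system ipsec-aggregate
    edit "AGGREGATE"
        set member "pri_HQ1" "sec_HQ1" "dial_HQ1"
    next
end
config router static
    edit 1
        set device "sec_HQ1"
    next
    edit 2
        set device "AGGREGATE"
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "pri_HQ1"
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; sub-tables nested inside
    an 'edit' are skipped, since every table this check needs is flat."""
    tables, section, entry, skip = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if skip:  # inside a nested sub-table: track depth, ignore content
            skip += (cmd == "config") - (cmd == "end")
            continue
        if cmd == "config":
            if section is not None:
                skip = 1
                continue
            section = " ".join(args)
            tables.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            tables[section].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tables[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section, entry = None, None
    return tables


def check_aggregate_members(tables):
    """Return (member, problem) pairs; an empty list means 'set member' is safe."""
    refs = {}  # interface name -> objects that still reference it
    for pid, pol in tables.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for intf in pol.get(key, []):
                refs.setdefault(intf, []).append(f"firewall policy {pid} {key}")
    for rid, route in tables.get("router static", {}).items():
        for intf in route.get("device", []):
            refs.setdefault(intf, []).append(f"static route {rid}")
    phase1 = tables.get("vpn ipsec phase1-interface", {})
    problems = []
    for agg, cfg in tables.get("system ipsec-aggregate", {}).items():
        for member in cfg.get("member", []):
            p1 = phase1.get(member)
            if p1 is None:
                problems.append((member, f"{agg}: no such phase1-interface"))
                continue
            if p1.get("aggregate-member", ["disable"]) != ["enable"]:
                problems.append((member, f"{agg}: aggregate-member not enabled"))
            if p1.get("type", ["static"]) == ["dynamic"]:
                problems.append((member, f"{agg}: dialup tunnel cannot be a member"))
            for ref in refs.get(member, []):
                problems.append((member, f"{agg}: still referenced by {ref}"))
    return problems


if __name__ == "__main__":
    for member, problem in check_aggregate_members(parse_fortios(SAMPLE_CONFIG)):
        print(f"{member}: {problem}")
```

Run it against the output of show full-configuration (or a backup file) by replacing SAMPLE_CONFIG; on the sample it flags pri_HQ1 (firewall policy 1), sec_HQ1 (static route 1) and dial_HQ1 (dialup), while the route on AGGREGATE itself is correctly left alone.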
Related article:
Technical Tip: How to create aggregate IPsec tunnel with GUI