FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hvardhang
Staff
Article Id 198328

Description
This article describes how to aggregate IPsec tunnel member interfaces. Starting from FortiOS 6.2.1, aggregate-member must be enabled in the Phase 1 of each IPsec tunnel that is to be added as a member.

Solution
In the example below, two Phase 1 interfaces have been created, pri_HQ1 and sec_HQ1. For both tunnels, aggregate-member has been enabled in the Phase 1 configuration.

# config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample1
        set aggregate-member enable
    next
    edit "sec_HQ1"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.202.1
        set psksecret sample2
        set aggregate-member enable
    next
end

# config vpn ipsec phase2-interface
    edit "pri_HQ1"
        set phase1name "pri_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ1"
        set phase1name "sec_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

Now add both tunnels as members of the aggregate interface:

# config system ipsec-aggregate
    edit AGGREGATE
        set member pri_HQ1 sec_HQ1
    next
end
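A common failure with this setup is a tunnel listed under ipsec-aggregate whose Phase 1 was never given aggregate-member enable, or a member name that does not match any Phase 1 at all. The following Python script is an added example, not Fortinet code and not part of this article: it parses a FortiOS-style CLI config (config / edit / set / next / end blocks, with the "# " prompt tolerated) and reports, for every ipsec-aggregate, each member that has no Phase 1, has aggregate-member not enabled, or has no Phase 2 referencing it. The embedded SAMPLE_CONFIG is constructed to mirror the article's example, with sec_HQ1 deliberately missing aggregate-member and an extra member ghost_HQ1 that has no Phase 1, so that the report has something to show.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample, modelled on the article's example. sec_HQ1 is deliberately
# missing "set aggregate-member enable" and ghost_HQ1 has no phase1 at all.
# This is not a real device configuration.
SAMPLE_CONFIG = """\
# config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set interface "port1"
        set remote-gw 172.16.202.1
        set aggregate-member enable
    next
    edit "sec_HQ1"
        set interface "port2"
        set remote-gw 172.17.202.1
    next
end
# config vpn ipsec phase2-interface
    edit "pri_HQ1"
        set phase1name "pri_HQ1"
        set auto-negotiate enable
    next
    edit "sec_HQ1"
        set phase1name "sec_HQ1"
        set auto-negotiate enable
    next
end
# config system ipsec-aggregate
    edit AGGREGATE
        set member pri_HQ1 sec_HQ1 ghost_HQ1
    next
end
"""

Table = Dict[str, Dict[str, List[str]]]  # entry name -> {setting: values}


def parse_fortios_config(text: str) -> Dict[str, Table]:
    """Parse config/edit/set/next/end blocks into {table path: {entry: {key: values}}}.

    Only top-level tables are recorded; sub-tables nested inside an entry are
    tracked by depth and skipped, because this check does not need them.
    A leading "#" is stripped so pasted CLI output with its prompt also parses.
    """
    tables: Dict[str, Table] = {}
    depth: List[str] = []              # open "config" blocks, outermost first
    table: Optional[Table] = None
    entry: Optional[Dict[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line:
            continue
        tokens = shlex.split(line)     # honours the quotes around names
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            depth.append(" ".join(args))
            if len(depth) == 1:
                table = tables.setdefault(depth[0], {})
        elif keyword == "end":
            if depth:
                depth.pop()
            if not depth:
                table, entry = None, None
        elif len(depth) != 1 or table is None:
            continue                   # outside any table, or inside a nested sub-table
        elif keyword == "edit" and args:
            entry = table.setdefault(args[0], {})
        elif keyword == "set" and entry is not None and args:
            entry[args[0]] = args[1:]  # multi-value settings (member, proposal) keep all values
        elif keyword == "next":
            entry = None
    return tables


def audit_ipsec_aggregates(text: str) -> Dict[str, List[str]]:
    """Return {aggregate name: [findings]}; an empty list means the aggregate is consistent."""
    cfg = parse_fortios_config(text)
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2_for: Dict[str, List[str]] = {}   # phase1 name -> phase2 selectors referencing it
    for p2name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        for p1name in p2.get("phase1name", []):
            phase2_for.setdefault(p1name, []).append(p2name)
    report: Dict[str, List[str]] = {}
    for agg, settings in cfg.get("system ipsec-aggregate", {}).items():
        findings: List[str] = []
        members = settings.get("member", [])
        if not members:
            findings.append("no members configured")
        for m in members:
            p1 = phase1.get(m)
            if p1 is None:
                findings.append(f"member {m}: no phase1-interface with that name")
                continue
            if p1.get("aggregate-member", ["disable"]) != ["enable"]:
                findings.append(f"member {m}: aggregate-member is not enabled in phase1")
            if m not in phase2_for:
                findings.append(f"member {m}: no phase2-interface references this phase1")
        report[agg] = findings
    return report


if __name__ == "__main__":
    for agg, findings in audit_ipsec_aggregates(SAMPLE_CONFIG).items():
        print(f"{agg}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against a full configuration backup (the output of show full-configuration, or the backup file) by reading that text in place of SAMPLE_CONFIG; on the sample above it reports sec_HQ1 for the missing aggregate-member and ghost_HQ1 for the missing Phase 1, and nothing for pri_HQ1.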
