Created on
08-02-2024
06:36 AM
Edited on
09-08-2025
05:44 AM
By
Jean-Philippe_P
Description: This article provides a step-by-step guide on configuring an aggregate IPsec tunnel interface using the GUI on FortiGate.
Scope: FortiGate.
Solution:
Configuring an aggregate IPsec tunnel combines multiple IPsec tunnels into a single logical interface that distributes traffic across the member tunnels, giving both load sharing and redundancy: if one member goes down, traffic continues over the remaining members. The steps below set up an aggregate IPsec tunnel from both WAN interfaces of this site to the same remote site.
In the diagram below, this FortiGate has two WAN interfaces, each with an IPsec tunnel to the same remote gateway at the remote site.
To configure an aggregate IPsec tunnel interface:
Assign a descriptive name to the aggregate interface; four load-balancing algorithms are offered in the Algorithm drop-down.
Both tunnels point toward the same remote gateway. Before either tunnel can be added to the aggregate interface, every reference to that tunnel (static routes, firewall policies, SD-WAN membership and similar) must be removed, and 'set aggregate-member enable' must be configured under the tunnel's phase1 settings in the CLI (it is disabled by default). Once enabled, the tunnel becomes available for selection as an aggregate member.
Once both IPsec tunnels are available, it is possible to add them to the Aggregate interface as shown below.
Once both IPsec tunnels are added to the aggregate interface, they will be referenced under the aggregate interface as shown below.
Next, configure a static route to the remote site over the new aggregate interface and a firewall policy from the internal interface to the aggregate tunnel interface, as shown below. The routes and policies belong on the aggregate interface only, not on the individual member tunnels.
By following these steps, it is possible to successfully configure an aggregate IPsec tunnel using the FortiGate GUI, enhancing the redundancy and performance of the VPN connections.
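The same procedure expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface names (wan1, wan2, internal), the tunnel names, the remote gateway 203.0.113.10, the tunnel addressing 10.255.0.1/10.255.0.2, the remote subnet 10.20.20.0/24 and the pre-shared key placeholder are all assumed for illustration; round-robin is used as the aggregate algorithm, any of the other offered algorithms can be substituted.

```fortios
# Phase 1 for both member tunnels. Any route or policy that still references
# tun_wan1 or tun_wan2 must be deleted first, otherwise
# "set aggregate-member enable" is rejected. Values are illustrative.
config vpn ipsec phase1-interface
    edit "tun_wan1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
    edit "tun_wan2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end
# Phase 2 for both members; auto-negotiate keeps the SAs up so the
# aggregate has live members to balance across.
config vpn ipsec phase2-interface
    edit "tun_wan1"
        set phase1name "tun_wan1"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "tun_wan2"
        set phase1name "tun_wan2"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
# The logical aggregate interface over both members.
config system ipsec-aggregate
    edit "agg_to_slc"
        set member "tun_wan1" "tun_wan2"
        set algorithm round-robin
    next
end
# Tunnel addressing goes on the aggregate, not on the member tunnels.
config system interface
    edit "agg_to_slc"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end
# Route and policy reference the aggregate only.
config router static
    edit 10
        set dst 10.20.20.0 255.255.255.0
        set device "agg_to_slc"
    next
end
config firewall address
    edit "slc_lan"
        set subnet 10.20.20.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "internal_to_slc_agg"
        set srcintf "internal"
        set dstintf "agg_to_slc"
        set srcaddr "all"
        set dstaddr "slc_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After committing, 'diagnose vpn tunnel list' should show both member tunnels up, and 'get router info routing-table all' should list 10.20.20.0/24 via agg_to_slc rather than via either standalone tunnel.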
Note:
If the tunnel cannot be added to the aggregate because it is still referenced, delete the relevant static route and firewall policy that point at the standalone IPsec interface. When an aggregate interface is used, the static route and firewall policy are created on the aggregate interface, not on the standalone IPsec interface.
Note: Starting from FortiOS 7.0 (the FortiOS version
Working scenario (v6.2/v6.4): when aggregate 'tun_to_slc_ag2' is DOWN, the route through it is removed from the routing table, so traffic is no longer sent into the failed tunnel.
NON-working scenario (v7.0 and above): the route through the failed aggregate tunnel 'tun_to_slc_ag2' remains installed in the routing table, so traffic can continue to be forwarded into a tunnel that is down.
Workaround: add the aggregate tunnel to an SD-WAN zone and configure a performance SLA over the aggregate tunnel to a remote server. Once that server is no longer reachable over the tunnel, the SD-WAN rule that forwards traffic over the aggregate tunnel fails, and the FortiGate stops using the affected (down) aggregate tunnel.
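The workaround in FortiOS 7.0+ CLI syntax, as an added example that is not part of the original article. It assumes an existing aggregate interface named agg_to_slc, a remote probe target 10.20.20.1 reachable only through the tunnel, the remote subnet 10.20.20.0/24 defined as the address object slc_lan, and the zone, health-check, rule and policy names shown; all of these are illustrative.

```fortios
# Remove any firewall policy that references agg_to_slc directly first:
# an interface that is an SD-WAN member can only be used through its zone.
config system sdwan
    set status enable
    config zone
        edit "vpn_zone"
        next
    end
    config members
        edit 1
            set interface "agg_to_slc"
            set zone "vpn_zone"
        next
    end
    # Performance SLA: probe a host on the far side through the aggregate.
    # When the probe fails, the member is marked dead and dropped from any
    # rule that uses it, regardless of what the routing table still holds.
    config health-check
        edit "slc_probe"
            set server "10.20.20.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # Rule that steers remote-site traffic over the aggregate while the
    # SLA is met; with no live member the rule is skipped.
    config service
        edit 1
            set name "to_slc_over_agg"
            set mode sla
            set dst "slc_lan"
            config sla
                edit "slc_probe"
                    set id 1
                next
            end
            set priority-members 1
        next
    end
end
# The route still points at the aggregate; the SD-WAN rule, not the RIB,
# now decides whether the tunnel is usable.
config router static
    edit 11
        set dst 10.20.20.0 255.255.255.0
        set device "agg_to_slc"
    next
end
config firewall policy
    edit 11
        set name "internal_to_slc_sdwan"
        set srcintf "internal"
        set dstintf "vpn_zone"
        set srcaddr "all"
        set dstaddr "slc_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

'diagnose sys sdwan health-check' shows the probe state per member; once slc_probe reports the member as dead, 'diagnose sys sdwan service' shows rule 1 with no usable member, which is the condition under which the FortiGate stops forwarding into the down aggregate.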
Copyright 2025 Fortinet, Inc. All Rights Reserved.