Description | This article provides a step-by-step guide on configuring an aggregate IPsec tunnel interface using the GUI on FortiGate. |
Scope | FortiGate. |
Solution |
Configuring an aggregate IPsec tunnel involves combining multiple IPsec tunnels into a single logical interface, which distributes traffic across the member tunnels for improved performance and redundancy. This guide will walk you through the necessary steps to set up an aggregate IPsec tunnel for both WAN interfaces on this site to the same remote site.
In the diagram below, this FortiGate has two WAN interfaces, with IPsec tunnels from both WAN interfaces to a single remote gateway at one remote site.
To configure an aggregate IPsec tunnel interface:
Assign a descriptive name to the aggregate interface and select one of the four available algorithms.
Both tunnels point toward the same remote gateway. To add both tunnels to the aggregate interface, first remove all references to the IPsec tunnels, then enable ‘set aggregate-member’ in the IPsec phase1 settings in the CLI (it is disabled by default). Once it is enabled, the tunnels become available to add.
Once both IPsec tunnels are available, add them to the aggregate interface as shown below.
Once both IPsec tunnels are added to the aggregate interface, they will be referenced under the aggregate interface as shown below.
Then configure a firewall policy for the new aggregate interface, from the internal interface to the aggregate tunnel interface, as shown below.
By following these steps, it is possible to successfully configure an aggregate IPsec tunnel using the FortiGate GUI, enhancing the redundancy and performance of the VPN connections. |
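The step above that requires removing references and enabling ‘set aggregate-member’ can be checked against a configuration backup before the change. The following is an added example, not Fortinet's own tooling: the backup excerpt is constructed, the tunnel names and policy ID are placeholders, and `readiness` is a hypothetical helper.

```python
import re

# Constructed FortiOS-style backup excerpt; every name in it is a placeholder.
SAMPLE = '''\
config vpn ipsec phase1-interface
    edit "hq-wan1"
        set interface "wan1"
        set aggregate-member enable
    next
    edit "hq-wan2"
        set interface "wan2"
    next
end
config firewall policy
    edit 7
        set srcintf "internal"
        set dstintf "hq-wan2"
    next
end
'''

def readiness(config, tunnels):
    """Per tunnel: is aggregate-member enabled, and which sections still reference it."""
    report = {t: {"aggregate_member": False, "referenced_in": []} for t in tunnels}
    stack, entry = [], None          # open 'config' blocks, current top-level 'edit' name
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1:
            entry = line[5:].strip('"')
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line.startswith("set ") and stack:
            words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line[4:])]
            in_phase1 = stack == ["vpn ipsec phase1-interface"]
            if in_phase1 and entry in report and words == ["aggregate-member", "enable"]:
                report[entry]["aggregate_member"] = True
            # Assumption: phase1/phase2 entries define the tunnel itself and are
            # not counted as references that have to be removed.
            elif not stack[0].startswith("vpn ipsec phase"):
                for t in set(words[1:]) & set(tunnels):
                    ref = f"{stack[0]} / {entry}"
                    if ref not in report[t]["referenced_in"]:
                        report[t]["referenced_in"].append(ref)
    return report
```

A tunnel is ready to join the aggregate when `aggregate_member` is true and `referenced_in` is empty; in the constructed sample, `hq-wan2` fails on both counts.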
Copyright 2024 Fortinet, Inc. All Rights Reserved.