FortiGate
nkorea (Staff)
Article Id 269288
Description: This article describes how to load-balance traffic over dual IPsec tunnels using an IPsec aggregate interface between a FortiGate and an AWS VPC with static routing.
Scope

Diagram:

[Diagram image: topology of the setup described below]

  • The LAN network behind the FortiGate is 192.168.1.0/24 and the AWS VPC network is 10.0.0.0/16.
  • The private subnet on the AWS side is 10.0.2.0/24.
  • Both Tunnel-1 and Tunnel-2 are up at the same time.
Solution
  • Make sure that the AWS route table has a route via the IPsec tunnel towards the FortiGate, as shown below:

[Screenshot: AWS route table]
  • The IPsec tunnel status shows as up on both ends, as shown below:

[Screenshots: tunnel status on both ends]
  • Traffic is load balanced across both tunnels, as shown in the debug output below (echo request seq=0 leaves via tunnel AWS2 and seq=1 via tunnel AWS1):

HomeGate # diagnose debug flow filter addr 10.0.2.184
HomeGate # diagnose debug console timestamp enable
HomeGate # diagnose debug flow trace start 100
HomeGate # diagnose debug flow filter proto 1
HomeGate # diagnose debug enable
HomeGate # 2023-08-17 09:27:29 id=65308 trace_id=1 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=1, 192.168.1.1:11->10.0.2.184:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=11, seq=0."
2023-08-17 09:27:29 id=65308 trace_id=1 func=init_ip_session_common line=5984 msg="allocate a new session-0028a592, tun_id=0.0.0.0"
2023-08-17 09:27:29 id=65308 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC_AWS, tun_id=0.0.0.0"
2023-08-17 09:27:29 id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel AWS2, tun_id=54.71.220.199, vrf 0"
2023-08-17 09:27:29 id=65308 trace_id=1 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-08-17 09:27:29 id=65308 trace_id=1 func=ipsec_output_finish line=629 msg="send to 75.155.187.1 via intf-wan1"
2023-08-17 09:27:29 id=65308 trace_id=2 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=1, 10.0.2.184:11->192.168.1.1:0) tun_id=54.71.220.199 from IPSEC_AWS. type=0, code=0, id=11, seq=0."
2023-08-17 09:27:29 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-0028a592, reply direction"
2023-08-17 09:27:29 id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-192.168.1.1 via root"
2023-08-17 09:27:30 id=65308 trace_id=3 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=1, 192.168.1.1:11->10.0.2.184:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=11, seq=1."
2023-08-17 09:27:30 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-0028a592, original direction"
2023-08-17 09:27:30 id=65308 trace_id=3 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC_AWS, tun_id=0.0.0.0"
2023-08-17 09:27:30 id=65308 trace_id=3 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel AWS1, tun_id=34.209.168.130, vrf 0"
2023-08-17 09:27:30 id=65308 trace_id=3 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-08-17 09:27:30 id=65308 trace_id=3 func=ipsec_output_finish line=629 msg="send to 75.155.187.1 via intf-wan1"
2023-08-17 09:27:30 id=65308 trace_id=4 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=1, 10.0.2.184:11->192.168.1.1:0) tun_id=54.71.220.199 from IPSEC_AWS. type=0, code=0, id=11, seq=1."
2023-08-17 09:27:30 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-0028a592, reply direction
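The FortiGate side of this setup as it would be entered in the CLI (FortiOS 6.2 and later syntax), written here as an added example rather than configuration taken from the article's screenshots. It assumes the two phase1-interface tunnels AWS1 and AWS2 already exist on wan1 (as built from the AWS VPN configuration download), that the LAN interface is named "internal", and it reuses the aggregate name and networks seen in the debug output above.

```text
# Added example, not from the article: FortiOS CLI for the IPsec aggregate seen in the debugs.
# Assumes phase1-interfaces AWS1 and AWS2 already exist; the LAN interface name "internal" is an assumption.

# Each tunnel must be flagged as an aggregate member before it can be added to the aggregate.
config vpn ipsec phase1-interface
    edit "AWS1"
        set aggregate-member enable
    next
    edit "AWS2"
        set aggregate-member enable
    next
end

# The aggregate interface IPSEC_AWS is what routes and policies reference, not the member tunnels.
config system ipsec-aggregate
    edit "IPSEC_AWS"
        set member "AWS1" "AWS2"
        set algorithm round-robin
    next
end

# Static route for the whole VPC network via the aggregate (no BGP in this setup).
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "IPSEC_AWS"
    next
end

# Firewall policy allowing the LAN to reach the VPC through the aggregate.
config firewall policy
    edit 0
        set name "LAN-to-AWS"
        set srcintf "internal"
        set dstintf "IPSEC_AWS"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Round-robin is the per-packet alternation visible in the debug output (seq=0 via AWS2, seq=1 via AWS1), which can deliver packets of one flow out of order on the AWS side; `set algorithm L3` or `L4` instead hashes each flow onto a single member tunnel when an application is sensitive to that.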
