Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syordanov
Staff
Staff

Created on ‎03-21-2025 04:06 AM

Article Id 383586

Technical Tip: IPSec aggregate with link-monitor

Description This article describes how to configure a link-monitor on IPSec Aggregate and disable the routes associated with this aggregate.
Scope FortiGate v6.4, v7.0, v7.2, v7.4 and v7.6
Solution

In v7.0.1 the routing behavior is changed, all routes associated with IPSec aggregate will stay UP even if the aggregate is down. As a workaround could be used a link-monitor .

 

Example topology:

 ipsec_aggregate_topology.JPG

 

There is an IPSec aggregate between FortiGate-1 and FortiGate-2 with 2 IPSec members. With the current change of behavior, all routes on FortiGate-1 and FortiGate-2 associated with IPSec aggregate will stay up even if the IPSec aggregate us down. In order to make all routes associated with the IPSec aggregate inactive when it's down, a Link-monitor could be used.

 

Config of Phase-1 VPN_1 and VPN_2 of FortiGate-1:

 

config vpn ipsec phase1-interface
    edit "VPN_1"
       set interface "port1"
       set ike-version 2
       set peertype any
       set net-device disable
       set aggregate-member enable
       set proposal aes128-sha256 aes256-sha256
       set transport auto
       set remote-gw 10.5.147.48
       set psksecret ENC xxxxx
  next
  edit "VPN_2"
     set interface "port3"
     set ike-version 2
     set peertype any
     set net-device disable
     set aggregate-member enable
     set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 
     set transport auto
     set remote-gw 192.168.200.2
     set psksecret ENC xxxxx
next

end

 

FortiGate-1 IPSec aggregate :

 

config system ipsec-aggregate
    edit "aggregate"
       set member "VPN_1" "VPN_2"
       set algorithm round-robin
    next
end

 

On both FortiGates, it is assigned an IPv4 address of the IPSec aggregate :

 

FortiGate-1 aggregate interface config :

 

config system interface
  edit "aggregate"
   set vdom "root"
   set ip 192.168.77.1 255.255.255.255
   set allowaccess ping https ssh snmp http ftm
   set type tunnel
   set remote-ip 192.168.77.2 255.255.255.255
   set snmp-index 15
next

 

FortiGate-2 aggregate interface config:

 

config system interface
  edit "aggregate"
   set vdom "root"
   set ip 192.168.77.2 255.255.255.255
   set allowaccess ping https ssh snmp http ftm
   set type tunnel
   set remote-ip 192.168.77.1 255.255.255.255
   set snmp-index 15
next

 

 

Link-monitor configuration on FortiGate-1:

 

config system link-monitor
     edit "aggregate_monitor"
        set srcintf "aggregate" <----- Source interface, in this case, is the aggregate.
        set server "192.168.77.2" <----- IP address of the remote FortiGate-2.
     next
end

 

It is visible from the output above, that for ICMP target uses an IP address 192.168.77.2 which belongs to the IPSec aggregate tunnel of FortiGate-2. If IPSec tunnels are down (VPN_1 and VPN_2), then the link-monitoring will report the aggregate as down. As a result, all routes associated with the IPSec aggregate will be inactive.

 

The routing table on FortiGate-1 when the aggregate IPSec is up:

 

get router info routing-table all | grep aggregate
      S 1.1.1.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
      S 10.99.99.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
      C 192.168.77.1/32 is directly connected, aggregate
      S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]

 

Diagnose output for link-monitor, when the aggregate is UP :

 

diagnose sys link-monitor status

Link Monitor: aggregate_monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Fri Mar 21 00:45:44 2025
Source interface: aggregate (21)
VRF: 0
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 192.168.77.2(192.168.77.2)
Source IP(192.168.77.1)
Route: 192.168.77.1->192.168.77.2/32, gwy(10.5.147.48)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.427/1.382/0.691 ms
Jitter(Min/Max/Avg): 0.007/0.955/0.174 ms
Packet lost: 0.000%
MOS: 4.404
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 14089, received: 12272, Sequence(sent/rcvd/exp): 14090/14090/14091

 

 

Diagnose output for link-monitor, when the aggregate is down:

 

       diagnose sys link-monitor status

Link Monitor: aggregate_monitor, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Fri Mar 21 00:45:44 2025
Source interface: aggregate (21)
VRF: 0
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 192.168.77.2(192.168.77.2)
Source IP(192.168.77.1)
Route: 192.168.77.1->192.168.77.2/32, gwy(10.5.147.48)
protocol: ping, state: dead
Packet lost: 57.000%
MOS: 4.375
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(2/5)
Packet sent: 14780, received: 12905, Sequence(sent/rcvd/exp): 14781/14723/14724

 

The routing table on FortiGate-1 when the aggregate IPSec is down:

 

get router info routing-table all | grep aggregate
C 192.168.77.1/32 is directly connected, aggregate
S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]

 

 

The 'connected' routes associated with the interface 'aggregate' are still active, but the routes for 1.1.1.1/32 and 10.99.99.1/32 are inactive because of the link-monitor.
 

 
579
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.