FortiGate
tahmadov
Staff
Article Id 197986

Description

 
This article explains the use of IPsec aggregate for redundancy and traffic load-balancing.
This feature allows traffic to be load-balanced, and redundancy to be provided, across multiple site-to-site IPsec VPNs.
L3, L4, round-robin and redundant load-balancing algorithms are supported.


L3          : Use the layer 3 address for distribution.
L4          : Use layer 4 information for distribution.
round-robin : Per-packet round-robin distribution.
redundant   : Use the first tunnel that is up for all traffic.

 

 

Limitation: Since FortiOS 7.0.1, routes associated with an IPsec aggregate are not marked 'inactive' if the IPsec aggregate is down; the IPsec aggregate interface is always UP.


Solution
Configuration of the FortiGates using the CLI, step by step:
 
HQ1 – System Interface and Static Route Configuration:
 
config system interface
    edit "wan1"
        set ip 10.1.10.1 255.255.255.0
    next
    edit "wan2"
        set ip 10.1.20.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 10.1.10.2
        set device "wan1"
    next
    edit 2
        set gateway 10.1.20.2
        set device "wan2"
        set priority 20
    next
end
 
HQ2 – System Interface and Static Route Configuration:
 
config system interface
    edit "port1"
        set ip 10.2.10.1 255.255.255.0
    next
    edit "port2"
        set ip 10.2.20.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 10.2.10.2
        set device "port1"
    next
    edit 2
        set gateway 10.2.20.2
        set device "port2"
        set priority 20
    next
end
 
HQ1 – IPSec VPN Configuration:
 
config vpn ipsec phase1-interface
    edit "Pri_VPN_to_HQ2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.2.10.1
        set psksecret sharedKey1!
        set aggregate-member enable
    next
    edit "Sec_VPN_to_HQ2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.2.20.1
        set psksecret sharedKey2!
        set aggregate-member enable
    next
end

config vpn ipsec phase2-interface
    edit "Pri_VPN_to_HQ2"
        set phase1name "Pri_VPN_to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "Sec_VPN_to_HQ2"
        set phase1name "Sec_VPN_to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

config system ipsec-aggregate
    edit "Agg_VPN_to_HQ2"
        set member "Pri_VPN_to_HQ2" "Sec_VPN_to_HQ2"
    next
end

 
Note: When enabling the 'aggregate-member' option on existing tunnels, all references to those tunnels, such as firewall policies and static routes, must be removed first. Otherwise the following error message appears and the 'aggregate-member' option cannot be enabled.
 
[image: agg.PNG]

 

HQ2 – IPSec VPN Configuration:
 
config vpn ipsec phase1-interface
    edit "Pri_VPN_to_HQ1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.1.10.1
        set psksecret sharedKey1!
        set aggregate-member enable
    next
    edit "Sec_VPN_to_HQ1"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.1.20.1
        set psksecret sharedKey2!
        set aggregate-member enable
    next
end

config vpn ipsec phase2-interface
    edit "Pri_VPN_to_HQ1"
        set phase1name "Pri_VPN_to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "Sec_VPN_to_HQ1"
        set phase1name "Sec_VPN_to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

config system ipsec-aggregate
    edit "Agg_VPN_to_HQ1"
        set member "Pri_VPN_to_HQ1" "Sec_VPN_to_HQ1"
    next
end
 
Useful links: see the 'Related articles' field at the end of this article.
 
Troubleshooting:
 
HQ1 - Troubleshooting:
 
HQ1 # diagnose vpn ike gateway list

vd: root/0
name: Sec_VPN_to_HQ2
version: 1
interface: wan2 8
addr: 10.1.20.1:500 -> 10.2.20.1:500
created: 433554s ago
IKE SA: created 1/7  established 1/7  time 0/11/20 ms
IPsec SA: created 1/11  established 2/12  time 10/10/20 ms

  id/spi: 13 a623876082a99160/c29769d7e0935841
  direction: responder
  status: established 22269-22269s ago = 20ms
  proposal: aes128-sha256
  key: 5ad22a32518eef32-967c50b0b815952c
  lifetime/rekey: 86400/63860
  DPD sent/recv: 00000002/00000004

vd: root/0
name: Pri_VPN_to_HQ2
version: 1
interface: wan1 7
addr: 10.1.10.1:500 -> 10.2.10.1:500
created: 433554s ago
IKE SA: created 1/7  established 1/7  time 0/7/20 ms
IPsec SA: created 1/11  established 2/12  time 0/3/20 ms

  id/spi: 12 9cd94443291f1799/45c270159d9292f4
  direction: responder
  status: established 22269-22269s ago = 10ms
  proposal: aes128-sha256
  key: ad5bdc4137ab2d22-4441a07aec337523
  lifetime/rekey: 86400/63860
  DPD sent/recv: 00000001/00000005
 
HQ1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ2 ver=1 serial=4 10.1.20.1:0->10.2.20.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=239 rxb=235832 txb=124543
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=3 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20336/0B replaywin=2048
       seqno=e5 esn=0 replaywin_lastseq=0000010b itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42927/43200
  dec: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
       ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
  enc: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
       ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
  dec:pkts/bytes=266/217170, enc:pkts/bytes=228/138672
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ2 ver=1 serial=3 10.1.10.1:0->10.2.10.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=238 rxb=53064 txb=150916
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20343/0B replaywin=2048
       seqno=e5 esn=0 replaywin_lastseq=0000010c itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
       ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
  enc: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
       ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
  dec:pkts/bytes=267/34624, enc:pkts/bytes=228/165184
run_tally=0
 
HQ1 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2
members:
    Pri_VPN_to_HQ2
    Sec_VPN_to_HQ2


HQ1 # get router info routing-table  all


Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.1.10.2, wan1
                  [10/0] via 10.1.20.2, wan2, [20/0]
C       10.1.10.0/24 is directly connected, wan1
C       10.1.20.0/24 is directly connected, wan2
C       10.5.48.0/20 is directly connected, internal
C       192.168.1.0/24 is directly connected, dmz
S       192.168.2.0/24 [10/0] is directly connected, Agg_VPN_to_HQ2
 
HQ2 - Troubleshooting:
 
HQ2 # diagnose vpn ike gateway list

vd: root/0
name: Pri_VPN_to_HQ1
version: 1
interface: port1 28
addr: 10.2.10.1:500 -> 10.1.10.1:500
created: 108395s ago
IKE SA: created 1/2  established 1/2  time 10/4510/9010 ms
IPsec SA: created 1/3  established 1/3  time 0/1666/5000 ms

  id/spi: 2 9cd94443291f1799/45c270159d9292f4
  direction: initiator
  status: established 22286-22286s ago = 10ms
  proposal: aes128-sha256
  key: ad5bdc4137ab2d22-4441a07aec337523
  lifetime/rekey: 86400/63813
  DPD sent/recv: 00000005/00000001

vd: root/0
name: Sec_VPN_to_HQ1
version: 1
interface: port2 29
addr: 10.2.20.1:500 -> 10.1.20.1:500
created: 108395s ago
IKE SA: created 1/2  established 1/2  time 20/4520/9020 ms
IPsec SA: created 1/3  established 1/3  time 10/1676/5010 ms

  id/spi: 3 a623876082a99160/c29769d7e0935841
  direction: initiator
  status: established 22286-22286s ago = 20ms
  proposal: aes128-sha256
  key: 5ad22a32518eef32-967c50b0b815952c
  lifetime/rekey: 86400/63813
  DPD sent/recv: 00000004/00000002

HQ2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ1 ver=1 serial=2 10.2.20.1:0->10.1.20.1:0 dst_mtu=1500
bound_if=29 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=242 txp=280 rxb=140688 txb=222114
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20301/0B replaywin=2048
       seqno=10e esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
       ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
  enc: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
       ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
  dec:pkts/bytes=231/124387, enc:pkts/bytes=269/239000
  npu_flag=00 npu_rgwy=10.1.20.1 npu_lgwy=10.2.20.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ1 ver=1 serial=1 10.2.10.1:0->10.1.10.1:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=241 txp=280 rxb=170872 txb=35344
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20305/0B replaywin=2048
       seqno=10f esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
       ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
  enc: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
       ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
  dec:pkts/bytes=231/154600, enc:pkts/bytes=270/52176
  npu_flag=00 npu_rgwy=10.1.10.1 npu_lgwy=10.2.10.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

HQ2 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ1 algo=RR member=2 run_tally=2
members:
    Pri_VPN_to_HQ1
    Sec_VPN_to_HQ1


HQ2 # get router info routing-table  all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.2.10.2, port1
                  [10/0] via 10.2.20.2, port2, [20/0]
C       10.2.10.0/24 is directly connected, port1
C       10.2.20.0/24 is directly connected, port2
C       10.5.48.0/20 is directly connected, port17
C       10.99.10.0/24 is directly connected, port17
C       10.100.0.0/24 is directly connected, port2
S       192.168.1.0/24 [10/0] is directly connected, Agg_VPN_to_HQ1
C       192.168.2.0/24 is directly connected, port18
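Because the aggregate interface stays UP and its routes are not marked inactive when a member tunnel fails (the limitation noted in the Description), member health has to be read from the tunnel list itself. The following Python script is an added example, not part of this article or of FortiOS: it parses constructed sample text in the 'diagnose sys ipsec-aggregate list' and 'diagnose vpn tunnel list' formats shown above (trimmed to the fields used, with the secondary member forced down) and reports which members of each aggregate are not forwarding traffic.

```python
import re

# Constructed sample in the format of the 'diagnose sys ipsec-aggregate list' and
# 'diagnose vpn tunnel list' output shown in this article; Sec_VPN_to_HQ2 is forced down.
AGG_OUT = """Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2
members:
    Pri_VPN_to_HQ2
    Sec_VPN_to_HQ2
"""
TUNNEL_OUT = """------------------------------------------------------
name=Sec_VPN_to_HQ2 ver=1 serial=4 10.1.20.1:0->10.2.20.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=0 accept_traffic=0
------------------------------------------------------
name=Pri_VPN_to_HQ2 ver=1 serial=3 10.1.10.1:0->10.2.10.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1
"""

def parse_aggregates(text):
    """Return {aggregate: [member tunnels]} from 'diagnose sys ipsec-aggregate list'."""
    aggs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) algo=\S+ member=\d+", line)
        if m:
            current = m.group(1)
            aggs[current] = []
        elif current and line.startswith("    "):  # indented member name
            aggs[current].append(line.strip())
    return aggs

def parse_tunnels(text):
    """Return {tunnel: (run_state, accept_traffic)} from 'diagnose vpn tunnel list'."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^name=(\S+)", line)  # every tunnel block begins with name=
        if m:
            current = m.group(1)
        elif current:
            s = re.search(r"\brun_state=(\d+)\s+accept_traffic=(\d+)", line)
            if s:
                tunnels[current] = (int(s.group(1)), int(s.group(2)))
    return tunnels

def aggregate_health(aggs, tunnels):
    """Per aggregate: members up vs. down (up = run_state=1 and accept_traffic=1)."""
    report = {}
    for agg, members in aggs.items():
        down = [m for m in members if tunnels.get(m) != (1, 1)]  # missing = down
        report[agg] = {"up": len(members) - len(down), "down": down}
    return report
```

Running the two diagnose commands on the FortiGate and feeding their output to these functions gives a member-level check that the routing table alone will not provide under FortiOS 7.0.1 and later.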

 

Related articles:

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: How to create aggregate IPsec tunnel with GUI

Technical Tip: How to aggregate tunnel interfaces