Description
This article explains the use of IPsec aggregate for redundancy and traffic load-balancing.
This feature allows traffic to be load-balanced, and redundancy to be set up, across multiple site-to-site IPsec VPNs.
Four load-balancing algorithms are supported: L3, L4, round-robin and redundant.
L3: use the layer 3 (IP) addresses for distribution.
L4: use layer 4 information (protocol and ports) for distribution.
round-robin: per-packet round-robin distribution.
redundant: use the first tunnel that is up for all traffic.
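The following Python model illustrates how the four distribution modes differ in where a given packet ends up and what happens when a member goes down. It is an added example written for this article, not FortiOS code: the hash function (SHA-256 here), the assumption that members are consulted in configuration order, and the names Packet, IpsecAggregate and distribute are all choices made for the illustration; FortiOS's actual hashing is not documented on this page.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; only the fields each algorithm keys on are used."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _bucket(key: str, n: int) -> int:
    """Map a flow key onto one of n members with a stable hash.

    Assumption for this example: the article does not describe the hash
    FortiOS uses, so SHA-256 stands in for it here.
    """
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


class IpsecAggregate:
    """Toy model of member selection for the four algorithms listed above."""

    ALGORITHMS = ("L3", "L4", "round-robin", "redundant")

    def __init__(self, members, algorithm="round-robin"):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.members = list(members)               # assumed: config order = priority order
        self.algorithm = algorithm
        self.up = {m: True for m in self.members}  # phase1/phase2 SA state per member
        self._rr_counter = 0

    def active_members(self):
        return [m for m in self.members if self.up[m]]

    def select(self, pkt: Packet):
        """Return the member tunnel that would carry pkt, or None if all are down."""
        active = self.active_members()
        if not active:
            return None
        if self.algorithm == "redundant":
            # All traffic goes to the first tunnel that is up.
            return active[0]
        if self.algorithm == "L3":
            return active[_bucket(f"{pkt.src}|{pkt.dst}", len(active))]
        if self.algorithm == "L4":
            key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}"
            return active[_bucket(key, len(active))]
        # round-robin: alternate per packet, independent of the flow
        idx = self._rr_counter % len(active)
        self._rr_counter += 1
        return active[idx]


def distribute(agg: IpsecAggregate, packets):
    """Count how many packets each member would carry."""
    counts = {m: 0 for m in agg.members}
    for pkt in packets:
        chosen = agg.select(pkt)
        if chosen is not None:
            counts[chosen] += 1
    return counts


# Constructed traffic: one host pair, many TCP connections (different source ports).
SAMPLE_FLOWS = [Packet("192.168.1.10", "192.168.2.20", "tcp", 40000 + i, 443)
                for i in range(64)]
MEMBERS = ("Pri_VPN_to_HQ2", "Sec_VPN_to_HQ2")

if __name__ == "__main__":
    for algo in IpsecAggregate.ALGORITHMS:
        print(algo, distribute(IpsecAggregate(MEMBERS, algo), SAMPLE_FLOWS))
```

Running it shows the practical difference: with a single host pair, L3 pins every connection to one tunnel (no balancing at all), L4 spreads the connections across both, round-robin alternates packet by packet regardless of flow (which can reorder packets within a connection), and redundant only ever uses the secondary once the primary's SAs are down.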
Limitation: since FortiOS 7.0.1, routes associated with an IPsec aggregate are not marked 'inactive' when the IPsec aggregate is down; the IPsec aggregate interface is always UP.
Solution
Configuration of the FortiGates using the CLI:
Here is the step-by-step guide:
HQ1 – System Interface and Static Route Configuration:
config system interface
edit "wan1"
set ip 10.1.10.1 255.255.255.0
next
edit "wan2"
set ip 10.1.20.1 255.255.255.0
next
end
config router static
edit 1
set gateway 10.1.10.2
set device "wan1"
next
edit 2
set gateway 10.1.20.2
set device "wan2"
set priority 20
next
end
HQ2 – System Interface and Static Route Configuration:
config system interface
edit "port1"
set ip 10.2.10.1 255.255.255.0
next
edit "port2"
set ip 10.2.20.1 255.255.255.0
next
end
config router static
edit 1
set gateway 10.2.10.2
set device "port1"
next
edit 2
set gateway 10.2.20.2
set device "port2"
set priority 20
next
end
HQ1 – IPSec VPN Configuration:
config vpn ipsec phase1-interface
edit "Pri_VPN_to_HQ2"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.2.10.1
set psksecret sharedKey1!
set aggregate-member enable
next
edit "Sec_VPN_to_HQ2"
set interface "wan2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.2.20.1
set psksecret sharedKey2!
set aggregate-member enable
next
end
config vpn ipsec phase2-interface
edit "Pri_VPN_to_HQ2"
set phase1name "Pri_VPN_to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "Sec_VPN_to_HQ2"
set phase1name "Sec_VPN_to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
config system ipsec-aggregate
edit "Agg_VPN_to_HQ2"
set member "Pri_VPN_to_HQ2" "Sec_VPN_to_HQ2"
next
end
Note: when enabling the 'aggregate-member' option on existing tunnels, it is necessary to first remove all references to those tunnels, such as firewall policies and static routes. Otherwise an error message is returned and it is not possible to enable the 'aggregate-member' option.
HQ2 – IPSec VPN Configuration:
config vpn ipsec phase1-interface
edit "Pri_VPN_to_HQ1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.1.10.1
set psksecret sharedKey1!
set aggregate-member enable
next
edit "Sec_VPN_to_HQ1"
set interface "port2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.1.20.1
set psksecret sharedKey2!
set aggregate-member enable
next
end
config vpn ipsec phase2-interface
edit "Pri_VPN_to_HQ1"
set phase1name "Pri_VPN_to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "Sec_VPN_to_HQ1"
set phase1name "Sec_VPN_to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
config system ipsec-aggregate
edit "Agg_VPN_to_HQ1"
set member "Pri_VPN_to_HQ1" "Sec_VPN_to_HQ1"
next
end
Useful link: see the 'Related Articles' field.
Troubleshooting:
HQ1 – Troubleshooting:
HQ1 # diagnose vpn ike gateway list
vd: root/0
name: Sec_VPN_to_HQ2
version: 1
interface: wan2 8
addr: 10.1.20.1:500 -> 10.2.20.1:500
created: 433554s ago
IKE SA: created 1/7 established 1/7 time 0/11/20 ms
IPsec SA: created 1/11 established 2/12 time 10/10/20 ms
id/spi: 13 a623876082a99160/c29769d7e0935841
direction: responder
status: established 22269-22269s ago = 20ms
proposal: aes128-sha256
key: 5ad22a32518eef32-967c50b0b815952c
lifetime/rekey: 86400/63860
DPD sent/recv: 00000002/00000004
vd: root/0
name: Pri_VPN_to_HQ2
version: 1
interface: wan1 7
addr: 10.1.10.1:500 -> 10.2.10.1:500
created: 433554s ago
IKE SA: created 1/7 established 1/7 time 0/7/20 ms
IPsec SA: created 1/11 established 2/12 time 0/3/20 ms
id/spi: 12 9cd94443291f1799/45c270159d9292f4
direction: responder
status: established 22269-22269s ago = 10ms
proposal: aes128-sha256
key: ad5bdc4137ab2d22-4441a07aec337523
lifetime/rekey: 86400/63860
DPD sent/recv: 00000001/00000005
HQ1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ2 ver=1 serial=4 10.1.20.1:0->10.2.20.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=239 rxb=235832 txb=124543
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20336/0B replaywin=2048
seqno=e5 esn=0 replaywin_lastseq=0000010b itn=0 qat=0
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
enc: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
dec:pkts/bytes=266/217170, enc:pkts/bytes=228/138672
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ2 ver=1 serial=3 10.1.10.1:0->10.2.10.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=238 rxb=53064 txb=150916
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20343/0B replaywin=2048
seqno=e5 esn=0 replaywin_lastseq=0000010c itn=0 qat=0
life: type=01 bytes=0/0 timeout=42932/43200
dec: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
enc: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
dec:pkts/bytes=267/34624, enc:pkts/bytes=228/165184
run_tally=0
HQ1 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2
members:
Pri_VPN_to_HQ2
Sec_VPN_to_HQ2
HQ1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.1.10.2, wan1
[10/0] via 10.1.20.2, wan2, [20/0]
C 10.1.10.0/24 is directly connected, wan1
C 10.1.20.0/24 is directly connected, wan2
C 10.5.48.0/20 is directly connected, internal
C 192.168.1.0/24 is directly connected, dmz
S 192.168.2.0/24 [10/0] is directly connected, Agg_VPN_to_HQ2
HQ2 – Troubleshooting:
HQ2 # diagnose vpn ike gateway list
vd: root/0
name: Pri_VPN_to_HQ1
version: 1
interface: port1 28
addr: 10.2.10.1:500 -> 10.1.10.1:500
created: 108395s ago
IKE SA: created 1/2 established 1/2 time 10/4510/9010 ms
IPsec SA: created 1/3 established 1/3 time 0/1666/5000 ms
id/spi: 2 9cd94443291f1799/45c270159d9292f4
direction: initiator
status: established 22286-22286s ago = 10ms
proposal: aes128-sha256
key: ad5bdc4137ab2d22-4441a07aec337523
lifetime/rekey: 86400/63813
DPD sent/recv: 00000005/00000001
vd: root/0
name: Sec_VPN_to_HQ1
version: 1
interface: port2 29
addr: 10.2.20.1:500 -> 10.1.20.1:500
created: 108395s ago
IKE SA: created 1/2 established 1/2 time 20/4520/9020 ms
IPsec SA: created 1/3 established 1/3 time 10/1676/5010 ms
id/spi: 3 a623876082a99160/c29769d7e0935841
direction: initiator
status: established 22286-22286s ago = 20ms
proposal: aes128-sha256
key: 5ad22a32518eef32-967c50b0b815952c
lifetime/rekey: 86400/63813
DPD sent/recv: 00000004/00000002
HQ2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ1 ver=1 serial=2 10.2.20.1:0->10.1.20.1:0 dst_mtu=1500
bound_if=29 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=242 txp=280 rxb=140688 txb=222114
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20301/0B replaywin=2048
seqno=10e esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
enc: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
dec:pkts/bytes=231/124387, enc:pkts/bytes=269/239000
npu_flag=00 npu_rgwy=10.1.20.1 npu_lgwy=10.2.20.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ1 ver=1 serial=1 10.2.10.1:0->10.1.10.1:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=241 txp=280 rxb=170872 txb=35344
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20305/0B replaywin=2048
seqno=10f esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
enc: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
dec:pkts/bytes=231/154600, enc:pkts/bytes=270/52176
npu_flag=00 npu_rgwy=10.1.10.1 npu_lgwy=10.2.10.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0
HQ2 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ1 algo=RR member=2 run_tally=2
members:
Pri_VPN_to_HQ1
Sec_VPN_to_HQ1
HQ2 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.2.10.2, port1
[10/0] via 10.2.20.2, port2, [20/0]
C 10.2.10.0/24 is directly connected, port1
C 10.2.20.0/24 is directly connected, port2
C 10.5.48.0/20 is directly connected, port17
C 10.99.10.0/24 is directly connected, port17
C 10.100.0.0/24 is directly connected, port2
S 192.168.1.0/24 [10/0] is directly connected, Agg_VPN_to_HQ1
C 192.168.2.0/24 is directly connected, port18
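Because of the limitation noted in the Description (the aggregate interface stays UP and its static route stays active even when every member is down), the routing table above cannot tell you that a member has failed; only the 'diagnose sys ipsec-aggregate list' and 'diagnose vpn ike gateway list' outputs can. The following script is an added example, not part of the article or of FortiOS, that parses those two outputs as shown in the HQ1 and HQ2 troubleshooting sections and reports any aggregate whose run_tally is below its member count or whose member has no established IKE SA. The healthy sample is trimmed from the article's HQ1 output; the degraded sample is constructed for the example, and the function names parse_aggregate_list, parse_ike_gateways and check_aggregates are the author's choice.

```python
import re

# Sample output copied from the article's HQ1 troubleshooting section (trimmed).
AGG_LIST_OK = """\
Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2
members:
Pri_VPN_to_HQ2
Sec_VPN_to_HQ2
"""

IKE_LIST_OK = """\
vd: root/0
name: Sec_VPN_to_HQ2
version: 1
interface: wan2 8
addr: 10.1.20.1:500 -> 10.2.20.1:500
status: established 22269-22269s ago = 20ms
vd: root/0
name: Pri_VPN_to_HQ2
version: 1
interface: wan1 7
addr: 10.1.10.1:500 -> 10.2.10.1:500
status: established 22269-22269s ago = 10ms
"""

# Constructed degraded case: the secondary member has lost its IKE SA and the
# aggregate reports only one running member (values invented for this example).
AGG_LIST_DEGRADED = """\
Agg_VPN_to_HQ2 algo=RR member=2 run_tally=1
members:
Pri_VPN_to_HQ2
Sec_VPN_to_HQ2
"""

IKE_LIST_DEGRADED = """\
vd: root/0
name: Pri_VPN_to_HQ2
version: 1
interface: wan1 7
addr: 10.1.10.1:500 -> 10.2.10.1:500
status: established 22269-22269s ago = 10ms
"""

# Header line of 'diagnose sys ipsec-aggregate list', e.g.
# "Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2"
AGG_HEADER = re.compile(r"^(\S+) algo=(\S+) member=(\d+) run_tally=(\d+)$")


def parse_aggregate_list(text):
    """Return {aggregate_name: {"algo", "member", "run_tally", "members": [...]}}."""
    aggs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        match = AGG_HEADER.match(line)
        if match:
            current = {"algo": match.group(2), "member": int(match.group(3)),
                       "run_tally": int(match.group(4)), "members": []}
            aggs[match.group(1)] = current
        elif line == "members:" or not line or current is None:
            continue
        else:
            current["members"].append(line)  # one member tunnel name per line
    return aggs


def parse_ike_gateways(text):
    """Return {tunnel_name: first word of its status line} from 'diagnose vpn ike gateway list'."""
    gateways, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name:"):
            name = line.split(":", 1)[1].strip()
            gateways[name] = "unknown"   # a gateway with no status line yet
        elif line.startswith("status:") and name is not None:
            gateways[name] = line.split(":", 1)[1].strip().split()[0]
    return gateways


def check_aggregates(agg_text, ike_text):
    """Return a list of findings; an empty list means every member is up and established."""
    findings = []
    gateways = parse_ike_gateways(ike_text)
    for agg_name, agg in parse_aggregate_list(agg_text).items():
        if agg["run_tally"] < agg["member"]:
            findings.append(f"{agg_name}: only {agg['run_tally']} of {agg['member']} members running")
        for member in agg["members"]:
            status = gateways.get(member)
            if status is None:
                findings.append(f"{agg_name}: member {member} has no IKE gateway entry")
            elif status != "established":
                findings.append(f"{agg_name}: member {member} IKE status is {status}")
    return findings


if __name__ == "__main__":
    print("healthy :", check_aggregates(AGG_LIST_OK, IKE_LIST_OK) or "no findings")
    print("degraded:", check_aggregates(AGG_LIST_DEGRADED, IKE_LIST_DEGRADED))
```

In practice the two outputs would be collected over the FortiGate's management channel on a schedule and the findings fed to monitoring, since a dropped member changes throughput and path diversity without ever removing the aggregate's route.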
Related articles:
Technical Tip: 'set net-device' new route-based IPsec logic
Technical Tip: How to create aggregate IPsec tunnel with GUI
Technical Tip: How to aggregate tunnel interfaces