FortiGate
tahmadov
Description
This article explains how to use IPsec aggregate for redundancy and traffic load-balancing.
The feature bundles several site-to-site IPsec VPN tunnels into one logical aggregate interface. Routes and firewall policies reference the aggregate, and the FortiGate spreads the traffic over the member tunnels that are up; when a member goes down its share moves to the remaining members without any change to routing.
Four distribution algorithms are supported. The algorithm is selected with 'set algorithm' under 'config system ipsec-aggregate':

L3                   : Use the layer 3 (source/destination IP) addresses to choose the member; all packets between one pair of hosts stay on the same tunnel.
L4                   : Use layer 4 information (addresses plus ports) to choose the member; all packets of one flow stay on the same tunnel.
round-robin          : Per-packet round-robin distribution over all members that are up. This gives the most even spread, but packets of a single flow can arrive out of order if the member paths have different latency.
redundant            : Use the first member tunnel that is up for all traffic (active/standby); the other members only carry traffic after that tunnel fails.


Solution
The example below uses two FortiGates, HQ1 and HQ2, each with two WAN links. Two IPsec tunnels are built between them, one per WAN pair (HQ1 wan1 10.1.10.1 <-> HQ2 port1 10.2.10.1, and HQ1 wan2 10.1.20.1 <-> HQ2 port2 10.2.20.1), and on each side both tunnels are placed into one IPsec aggregate. Every member phase1 is marked 'set aggregate-member enable' and is configured with 'set net-device disable' (see the related article on net-device at the end of this page).

Configuration of the FortiGates using the CLI, step by step:

HQ1 – System Interface and Static Route Configuration:
# config system interface
    edit "wan1"
        set ip 10.1.10.1 255.255.255.0
    next
    edit "wan2"
        set ip 10.1.20.1 255.255.255.0
    next
end

# config router static
    edit 1
        set gateway 10.1.10.2
        set device "wan1"
    next
    edit 2
        set gateway 10.1.20.2
        set device "wan2"
        set priority 20
    next
end
HQ2 – System Interface and Static Route Configuration:
# config system interface
    edit "port1"
        set ip 10.2.10.1 255.255.255.0
    next
    edit "port2"
        set ip 10.2.20.1 255.255.255.0
    next
end

# config router static
    edit 1
        set gateway 10.2.10.2
        set device "port1"
    next
    edit 2
        set gateway 10.2.20.2
        set device "port2"
        set priority 20
    next
end
HQ1 – IPsec VPN Configuration:
# config vpn ipsec phase1-interface
    edit "Pri_VPN_to_HQ2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.2.10.1
        set psksecret sharedKey1!
        set aggregate-member enable
    next
    edit "Sec_VPN_to_HQ2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.2.20.1
        set psksecret sharedKey2!
        set aggregate-member enable
    next
end

# config vpn ipsec phase2-interface
    edit "Pri_VPN_to_HQ2"
        set phase1name "Pri_VPN_to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "Sec_VPN_to_HQ2"
        set phase1name "Sec_VPN_to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

# config system ipsec-aggregate
    edit "Agg_VPN_to_HQ2"
        set member "Pri_VPN_to_HQ2" "Sec_VPN_to_HQ2"
    next
end

HQ2 - IPsec VPN Configuration:
# config vpn ipsec phase1-interface
    edit "Pri_VPN_to_HQ1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.1.10.1
        set psksecret sharedKey1!
        set aggregate-member enable
    next
    edit "Sec_VPN_to_HQ1"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.1.20.1
        set psksecret sharedKey2!
        set aggregate-member enable
    next
end

# config vpn ipsec phase2-interface
    edit "Pri_VPN_to_HQ1"
        set phase1name "Pri_VPN_to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "Sec_VPN_to_HQ1"
        set phase1name "Sec_VPN_to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

# config system ipsec-aggregate
    edit "Agg_VPN_to_HQ1"
        set member "Pri_VPN_to_HQ1" "Sec_VPN_to_HQ1"
    next
end

Notes on the configuration above:

The member tunnels carry no routes of their own, and the phase2 selectors are left at the default 0.0.0.0/0 on both sides, so traffic only enters the tunnels through a route whose outgoing device is the aggregate interface (Agg_VPN_to_HQ2 on HQ1, Agg_VPN_to_HQ1 on HQ2) and through firewall policies that reference the aggregate interface, never a member tunnel. Both are omitted above; the routing tables in the troubleshooting section show the resulting routes (192.168.2.0/24 via Agg_VPN_to_HQ2 on HQ1, 192.168.1.0/24 via Agg_VPN_to_HQ1 on HQ2).

Each member negotiates its own IKE and IPsec SAs with its own pre-shared key. The PSKs shown here (sharedKey1!, sharedKey2!) are placeholders: use long random secrets, different per tunnel, and remember that 'show' output and configuration backups contain them.

The phase1 and phase2 proposal lists include the SHA-1 variants (aes128-sha1, aes256-sha1). If the peer supports it, shorten the lists to the SHA-256 or AES-GCM entries so that a weaker proposal cannot be negotiated. The tunnels in this example are also IKEv1 ('version: 1' in the diagnose output); 'set ike-version 2' on both sides selects IKEv2.

With the round-robin algorithm every packet of a flow may take a different tunnel. If the two WAN paths have noticeably different latency, use L3 or L4 so that a flow stays on one member.

Useful link: see the 'Related Articles' field at the end of this page.
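As an added example, not part of the original article: the static route, the explicit algorithm choice and the firewall policies that the configuration above leaves out, shown for HQ1. The interface names and subnets are taken from the routing tables in the troubleshooting section (dmz carries 192.168.1.0/24 behind HQ1, 192.168.2.0/24 is behind HQ2); the route ID, the address-object names, the policy names and the policy IDs are assumptions. HQ2 mirrors this with Agg_VPN_to_HQ1, port18 and the two subnets swapped.

```fortios
# Added example for HQ1, not from the original article.
# Route the HQ2 LAN to the aggregate interface, never to an individual member tunnel.
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "Agg_VPN_to_HQ2"
    next
end

# Choose the distribution algorithm explicitly; round-robin matches the
# 'algo=RR' shown by 'diagnose sys ipsec-aggregate list' in this article.
config system ipsec-aggregate
    edit "Agg_VPN_to_HQ2"
        set member "Pri_VPN_to_HQ2" "Sec_VPN_to_HQ2"
        set algorithm round-robin
    next
end

# Address objects for the two LANs (object names are assumptions).
config firewall address
    edit "HQ1_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "HQ2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Policies reference the aggregate interface, not the member tunnels.
# They are scoped to the two LAN objects instead of 'all', and NAT is off inside the tunnel.
# Policy IDs and names are assumptions.
config firewall policy
    edit 101
        set name "HQ1_to_HQ2_via_aggregate"
        set srcintf "dmz"
        set dstintf "Agg_VPN_to_HQ2"
        set srcaddr "HQ1_LAN"
        set dstaddr "HQ2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 102
        set name "HQ2_to_HQ1_via_aggregate"
        set srcintf "Agg_VPN_to_HQ2"
        set dstintf "dmz"
        set srcaddr "HQ2_LAN"
        set dstaddr "HQ1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Because the route and both policies name the aggregate, a member tunnel can go down and come back without any route or policy change; only the distribution inside the aggregate changes.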

TROUBLESHOOTING:

What to check in the output below:
'diagnose vpn ike gateway list' must show an established IKE SA for every member. In this example HQ2 is the initiator of both tunnels and HQ1 the responder.
'diagnose vpn tunnel list' must show run_state=1 and accept_traffic=1 for every member. With the round-robin algorithm the enc/dec packet counters of the two members stay close to each other; that is the sign that traffic is really being spread over both tunnels (228 encrypted packets on each member of HQ1 here). The src/dst selectors are 0.0.0.0/0, so the route to the aggregate interface is what selects the tunnels.
'diagnose sys ipsec-aggregate list' shows the algorithm in use (algo=RR), the number of configured members and run_tally, the number of members currently up. A member that is down leaves the distribution and returns when its SAs re-establish.
The routing table must point the remote LAN at the aggregate interface, not at a member tunnel.
Both diagnose commands print live key material: the 'key:' lines of the IKE SAs and the 'dec:'/'enc:' keys of the IPsec SAs. Redact those lines before sharing the output.

HQ1 - Troubleshooting:
HQ1 # diagnose vpn ike gateway list

vd: root/0
name: Sec_VPN_to_HQ2
version: 1
interface: wan2 8
addr: 10.1.20.1:500 -> 10.2.20.1:500
created: 433554s ago
IKE SA: created 1/7  established 1/7  time 0/11/20 ms
IPsec SA: created 1/11  established 2/12  time 10/10/20 ms

  id/spi: 13 a623876082a99160/c29769d7e0935841
  direction: responder
  status: established 22269-22269s ago = 20ms
  proposal: aes128-sha256
  key: 5ad22a32518eef32-967c50b0b815952c
  lifetime/rekey: 86400/63860
  DPD sent/recv: 00000002/00000004

vd: root/0
name: Pri_VPN_to_HQ2
version: 1
interface: wan1 7
addr: 10.1.10.1:500 -> 10.2.10.1:500
created: 433554s ago
IKE SA: created 1/7  established 1/7  time 0/7/20 ms
IPsec SA: created 1/11  established 2/12  time 0/3/20 ms

  id/spi: 12 9cd94443291f1799/45c270159d9292f4
  direction: responder
  status: established 22269-22269s ago = 10ms
  proposal: aes128-sha256
  key: ad5bdc4137ab2d22-4441a07aec337523
  lifetime/rekey: 86400/63860
  DPD sent/recv: 00000001/00000005
HQ1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ2 ver=1 serial=4 10.1.20.1:0->10.2.20.1:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=239 rxb=235832 txb=124543
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=3 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20336/0B replaywin=2048
       seqno=e5 esn=0 replaywin_lastseq=0000010b itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42927/43200
  dec: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
       ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
  enc: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
       ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
  dec:pkts/bytes=266/217170, enc:pkts/bytes=228/138672
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ2 ver=1 serial=3 10.1.10.1:0->10.2.10.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=277 txp=238 rxb=53064 txb=150916
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18203 type=00 soft=0 mtu=1438 expire=20343/0B replaywin=2048
       seqno=e5 esn=0 replaywin_lastseq=0000010c itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
       ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
  enc: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
       ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
  dec:pkts/bytes=267/34624, enc:pkts/bytes=228/165184
run_tally=0

HQ1 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ2 algo=RR member=2 run_tally=2
members:
    Pri_VPN_to_HQ2
    Sec_VPN_to_HQ2


HQ1 # get router info routing-table all


Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.1.10.2, wan1
                  [10/0] via 10.1.20.2, wan2, [20/0]
C       10.1.10.0/24 is directly connected, wan1
C       10.1.20.0/24 is directly connected, wan2
C       10.5.48.0/20 is directly connected, internal
C       192.168.1.0/24 is directly connected, dmz
S       192.168.2.0/24 [10/0] is directly connected, Agg_VPN_to_HQ2
HQ2 - Troubleshooting:
HQ2 # diagnose vpn ike gateway list

vd: root/0
name: Pri_VPN_to_HQ1
version: 1
interface: port1 28
addr: 10.2.10.1:500 -> 10.1.10.1:500
created: 108395s ago
IKE SA: created 1/2  established 1/2  time 10/4510/9010 ms
IPsec SA: created 1/3  established 1/3  time 0/1666/5000 ms

  id/spi: 2 9cd94443291f1799/45c270159d9292f4
  direction: initiator
  status: established 22286-22286s ago = 10ms
  proposal: aes128-sha256
  key: ad5bdc4137ab2d22-4441a07aec337523
  lifetime/rekey: 86400/63813
  DPD sent/recv: 00000005/00000001

vd: root/0
name: Sec_VPN_to_HQ1
version: 1
interface: port2 29
addr: 10.2.20.1:500 -> 10.1.20.1:500
created: 108395s ago
IKE SA: created 1/2  established 1/2  time 20/4520/9020 ms
IPsec SA: created 1/3  established 1/3  time 10/1676/5010 ms

  id/spi: 3 a623876082a99160/c29769d7e0935841
  direction: initiator
  status: established 22286-22286s ago = 20ms
  proposal: aes128-sha256
  key: 5ad22a32518eef32-967c50b0b815952c
  lifetime/rekey: 86400/63813
  DPD sent/recv: 00000004/00000002

HQ2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Sec_VPN_to_HQ1 ver=1 serial=2 10.2.20.1:0->10.1.20.1:0 dst_mtu=1500
bound_if=29 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=242 txp=280 rxb=140688 txb=222114
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Sec_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20301/0B replaywin=2048
       seqno=10e esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=2bcfa774 esp=aes key=16 992ba031bb67176f1a2cf57bdfc6daf2
       ah=sha1 key=20 3afd65583f711724d017c88f1af141fcbd391ceb
  enc: spi=d48305fd esp=aes key=16 da1defaa78ced22d8de340fa5cbd4943
       ah=sha1 key=20 3d4eea53424ce79ebf6d1df45aa3f27a2e723f68
  dec:pkts/bytes=231/124387, enc:pkts/bytes=269/239000
  npu_flag=00 npu_rgwy=10.1.20.1 npu_lgwy=10.2.20.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0
------------------------------------------------------
name=Pri_VPN_to_HQ1 ver=1 serial=1 10.2.10.1:0->10.1.10.1:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=241 txp=280 rxb=170872 txb=35344
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Pri_VPN_to_HQ1 proto=0 sa=1 ref=3 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=20305/0B replaywin=2048
       seqno=10f esn=0 replaywin_lastseq=000000e8 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=2bcfa775 esp=aes key=16 1557831ab0b608e212795d5866c79037
       ah=sha1 key=20 b97f12a3c555c8d03935340985002e75bd2d5f9a
  enc: spi=d48305fe esp=aes key=16 e0630669d2d7703dba7282c35b49ebff
       ah=sha1 key=20 ec7df8a7ed6f8a99db55dcd3f53de54733ffe39b
  dec:pkts/bytes=231/154600, enc:pkts/bytes=270/52176
  npu_flag=00 npu_rgwy=10.1.10.1 npu_lgwy=10.2.10.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

HQ2 # diagnose sys ipsec-aggregate list
Agg_VPN_to_HQ1 algo=RR member=2 run_tally=2
members:
    Pri_VPN_to_HQ1
    Sec_VPN_to_HQ1


HQ2 # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.2.10.2, port1
                  [10/0] via 10.2.20.2, port2, [20/0]
C       10.2.10.0/24 is directly connected, port1
C       10.2.20.0/24 is directly connected, port2
C       10.5.48.0/20 is directly connected, port17
C       10.99.10.0/24 is directly connected, port17
C       10.100.0.0/24 is directly connected, port2
S       192.168.1.0/24 [10/0] is directly connected, Agg_VPN_to_HQ1
C       192.168.2.0/24 is directly connected, port18
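As an added verification procedure, not from the original article: confirm on HQ1 that both members really carry traffic and that the aggregate survives the loss of one member. It assumes that the dmz interface of HQ1 has the address 192.168.1.1 and that a host 192.168.2.1 exists behind HQ2; both addresses are assumptions, as is the choice of wan2 as the link to take down.

```fortios
# Added verification procedure for HQ1, not from the original article.
# Assumed addresses: 192.168.1.1 on dmz of HQ1, host 192.168.2.1 behind HQ2.

# 1. Watch ESP leaving HQ1 while traffic flows. With round-robin the packets
#    alternate between wan1 and wan2; verbosity 4 prints the interface name.
#    Packets offloaded to an NPU do not appear here (npu_flag in the tunnel list).
diagnose sniffer packet any 'esp' 4 10 l

# 2. Per-member counters: dec:pkts and enc:pkts must grow at roughly the same
#    rate on Pri_VPN_to_HQ2 and Sec_VPN_to_HQ2.
diagnose vpn tunnel list

# 3. Simulate loss of the secondary WAN. The aggregate must stay up with one
#    member (run_tally drops from 2 to 1) and the ping must keep answering.
config system interface
    edit "wan2"
        set status down
    next
end
diagnose sys ipsec-aggregate list
execute ping-options source 192.168.1.1
execute ping 192.168.2.1

# 4. Restore the link. run_tally returns to 2 once Sec_VPN_to_HQ2 re-establishes
#    (auto-negotiate is enabled on its phase2), and step 1 shows both links again.
config system interface
    edit "wan2"
        set status up
    next
end
diagnose sys ipsec-aggregate list
```

Taking the interface down also removes the static default route through wan2, which is why the test exercises the same failure the aggregate is meant to absorb: a whole WAN path disappearing, not just one IKE SA.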

Related Articles

Technical Tip: 'set net-device' new route-based IPsec logic
