FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description
This article describes a new option in FortiOS 6.2 that represents multiple IPsec tunnels as a single aggregate interface.
Solution
With this feature, a static aggregate interface is created with IPsec tunnels as its members, and traffic is load balanced between the members. An IP address can be assigned to the aggregate interface, dynamic routing can run on it, and it can be a member interface in SD-WAN. The supported load-balancing algorithms, selected with 'set algorithm' under the aggregate entry, are L3, L4, round-robin (the default) and redundant. Each member tunnel must be a phase1-interface configured with 'set net-device disable'; firewall policies and routes then reference the aggregate interface (agg1 below) rather than the individual tunnels.
1) Create a site to site VPN phase1 interface with net-device disabled:
# config vpn ipsec phase1-interface
    edit tunnel1
        set interface port1
        set net-device disable
        set remote-gw 172.16.100.1
        set psksecret sample
    next
    edit tunnel2
        set interface port2
        set net-device disable
        set remote-gw 172.31.1.1
        set psksecret sample
    next
end
2) Configure IPsec aggregation:
# config system ipsec-aggregate
    edit agg1
        set member tunnel1 tunnel2
    next
end
3) Configure a firewall policy that uses the aggregate interface (not the individual tunnels) as the destination interface:
# config firewall policy
    edit 0
        set srcintf port10
        set dstintf agg1
        set srcaddr all
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
    next
end
4) Configure a static route via the aggregate interface (with no 'dst' specified, FortiOS creates a default route 0.0.0.0/0; set 'dst' to the remote subnet if only that traffic should use the tunnels):
# config router static
    edit 0
        set device agg1
    next
end
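The steps above are easy to get subtly wrong on a box with many tunnels: a member that still has net-device enabled, a member name that does not match any phase1-interface, or a tunnel with no phase2. The following Python script is an added example, not part of the Fortinet article, that parses a FortiOS configuration backup (the config / edit / set / next / end tree) and audits every 'config system ipsec-aggregate' entry against those requirements. The sample configuration embedded in it is constructed for the example; the requirement that net-device be explicitly set to disable, and the check that each member has a phase2-interface, are assumptions drawn from the procedure above rather than from Fortinet documentation.

```python
"""Audit a FortiOS config dump for IPsec aggregate interface consistency.

Added example (not Fortinet's code). Parses the FortiOS CLI config tree into
nested dicts and checks each 'system ipsec-aggregate' entry:
  - every member exists under 'vpn ipsec phase1-interface'
  - every member has 'set net-device disable' (assumption: explicit setting required)
  - every member has at least one phase2-interface (assumption: needed for a working tunnel)
  - the algorithm is one of the values the article lists
"""
import shlex

SUPPORTED_ALGOS = {"L3", "L4", "round-robin", "redundant"}

# Constructed sample: tunnel2 still has net-device enabled and tunnel3 does not exist.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "tunnel1"
        set interface "port1"
        set net-device disable
        set remote-gw 172.16.100.1
        set psksecret ENC xxx
    next
    edit "tunnel2"
        set interface "port2"
        set net-device enable
        set remote-gw 172.31.1.1
        set psksecret ENC xxx
    next
end
config vpn ipsec phase2-interface
    edit "tunnel1-p2"
        set phase1name "tunnel1"
    next
    edit "tunnel2-p2"
        set phase1name "tunnel2"
    next
end
config system ipsec-aggregate
    edit "agg1"
        set member "tunnel1" "tunnel2" "tunnel3"
        set algorithm L4
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config a b' opens a table keyed "a b", 'edit k' opens entry k,
    'set key v1 v2' stores [v1, v2], 'next'/'end' close the current scope.
    A leading "# " prompt is stripped; "#..." comment lines are skipped.
    """
    root, stack = {}, [{}]
    stack[0] = root
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):
            line = line[2:].strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_aggregates(cfg):
    """Return a list of problem strings; an empty list means the aggregates are consistent."""
    problems = []
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2 = cfg.get("vpn ipsec phase2-interface", {})
    with_phase2 = {e["phase1name"][0] for e in phase2.values() if e.get("phase1name")}
    for agg_name, agg in cfg.get("system ipsec-aggregate", {}).items():
        members = agg.get("member", [])
        if not members:
            problems.append(f"{agg_name}: no members configured")
        algo = agg.get("algorithm", ["round-robin"])[0]  # round-robin is the documented default
        if algo not in SUPPORTED_ALGOS:
            problems.append(f"{agg_name}: unsupported algorithm {algo}")
        for m in members:
            p1 = phase1.get(m)
            if p1 is None:
                problems.append(f"{agg_name}: member {m} is not a phase1-interface")
                continue
            if p1.get("net-device", [""])[0] != "disable":
                problems.append(f"{agg_name}: member {m} does not have net-device disable")
            if m not in with_phase2:
                problems.append(f"{agg_name}: member {m} has no phase2-interface")
    return problems


if __name__ == "__main__":
    for problem in audit_aggregates(parse_fortios(SAMPLE_CONFIG)) or ["OK"]:
        print(problem)
```

Run it against a full backup ('show full-configuration' output saved to a file and read into parse_fortios) before enabling the aggregate; an empty result means every member is a phase1-interface with net-device disabled and a phase2 selector, which is exactly the state the procedure above produces.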