FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sindre-FTNT
Staff
Staff
Description
This article shows the a new option on FortiOS 6.2, that represent multiple IPsec tunnels as a single interface.

Solution
With this feature, create a static aggregate interface using IPsec tunnels as members, with traffic load balanced between the members.
An IP address can be assigned to the aggregate interface, dynamic routing can run on the interface, and the interface can be a member interface in SD-WAN.

The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.


1)  Create a site to site VPN phase1 interface with net-device disabled:
# config vpn ipsec phase1-interface
edit tunnel1
set interface port1
set net-device disable
set remote-ge 172.16.100.1
set psksecret sample
next
edit tunnel2
set interface port2
set net-device disable
set remote-ge 172.31.1.1
set psksecret sample
next
end
2) Configure IPsec aggregation:
# config system ipsec-aggregate
edit agg1
set member tunnel1 tunnel2
next
end
3) Configure a firewall policy:
# config firewall policy
edit 0
set srcaddr all
set srcintf port10
set dstaddr all
set dstintf agg1
set schedule always
set action accept
set service ALL
next
end
4) Configure a static route:
# config router static
edit 0
set device agg1
next
end
To debug the IPsec aggregation list:
# diagnose sys ipsec-aggregate list
    agg1 algo=RR member=2 run_tally=2
    members:
        tunnel1
        tunnel2

Contributors