FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sindre-FTNT
Staff
Article Id 192788
Description
This article describes a new option in FortiOS 6.2 that represents multiple IPsec tunnels as a single aggregate interface.

Solution
This feature creates a static aggregate interface with IPsec tunnels as its members, and traffic is load-balanced across those members.
An IP address can be assigned to the aggregate interface, dynamic routing can run on it, and it can be used as a member interface in SD-WAN. Firewall policies and routes then reference the aggregate rather than the individual tunnels.

The supported load-balancing algorithms are L3, L4, round-robin (the default), and redundant. The algorithm is selected with 'set algorithm' under 'config system ipsec-aggregate'; with redundant, traffic uses one member at a time and fails over to the next when it goes down.


1) Create a site-to-site VPN phase1-interface for each tunnel with net-device disabled (required for tunnels used as aggregate members). Each phase1 also needs a matching phase2-interface, which is not shown here, and the sample pre-shared key must be replaced with a strong one:
# config vpn ipsec phase1-interface
    edit tunnel1
        set interface port1
        set net-device disable
        set remote-gw 172.16.100.1
        set psksecret sample
    next
    edit tunnel2
        set interface port2
        set net-device disable
        set remote-gw 172.31.1.1
        set psksecret sample
    next
end
2) Configure the IPsec aggregate with both tunnels as members:
# config system ipsec-aggregate
    edit agg1
        set member tunnel1 tunnel2
    next
end
3) Configure a firewall policy with the aggregate, not the member tunnels, as the destination interface. 'edit 0' creates a new policy with the next free ID. The 'all'/'ALL' address and service objects are used here for brevity; in production, restrict them to the subnets and services that actually need to traverse the VPN:
# config firewall policy
    edit 0
        set srcintf port10
        set dstintf agg1
        set srcaddr all
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
    next
end
4) Configure a static route via the aggregate interface. With no 'set dst', this is a default route (0.0.0.0/0) through agg1; for a site-to-site deployment, set dst to the remote subnet instead:
# config router static
    edit 0
        set device agg1
    next
end
To verify the aggregate, list it from the CLI. The output shows the algorithm in use (algo=RR is round-robin), the number of configured members, and the members themselves:
# diagnose sys ipsec-aggregate list
    agg1 algo=RR member=2 run_tally=2
    members:
        tunnel1
        tunnel2
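The diagnose output above is what an operator would poll to confirm that every member tunnel is still part of the aggregate. The following Python script is an added example, not part of the Fortinet article, that parses that output and flags aggregates whose running member count is below the configured count. The sample output is constructed to match the format shown above (a healthy agg1 plus a hypothetical agg2 with one member down), and the interpretation of member= as configured members and run_tally= as currently running members is an assumption, not documented behaviour.

```python
"""Parse 'diagnose sys ipsec-aggregate list' output and flag degraded aggregates.

Added example, not part of the Fortinet article. The sample output below is
constructed to match the format shown in the article. The reading of
'member=' as configured members and 'run_tally=' as members currently running
is an assumption about the diagnose output, not a documented field definition.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: agg1 is healthy, agg2 (hypothetical) has one member down.
SAMPLE_OUTPUT = """\
agg1 algo=RR member=2 run_tally=2
members:
    tunnel1
    tunnel2
agg2 algo=L4 member=2 run_tally=1
members:
    tunnel3
    tunnel4
"""

# One header line per aggregate: name, algorithm, configured and running counts.
HEADER_RE = re.compile(
    r"^(?P<name>\S+)\s+algo=(?P<algo>\S+)\s+member=(?P<member>\d+)\s+run_tally=(?P<run>\d+)$"
)


@dataclass
class Aggregate:
    name: str
    algo: str
    member_count: int
    run_tally: int
    members: List[str] = field(default_factory=list)

    @property
    def degraded(self) -> bool:
        # Degraded if fewer members are running than configured, or if the
        # listed members do not match the configured count.
        return self.run_tally < self.member_count or len(self.members) != self.member_count


def parse_ipsec_aggregate_list(text: str) -> List[Aggregate]:
    """Turn the raw CLI output into a list of Aggregate records."""
    aggregates: List[Aggregate] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = Aggregate(
                header["name"], header["algo"], int(header["member"]), int(header["run"])
            )
            aggregates.append(current)
        elif line == "members:":
            continue
        elif current is not None:
            # Indented lines under 'members:' are the member tunnel names.
            current.members.append(line)
    return aggregates


def degraded_aggregates(text: str) -> List[str]:
    """Names of aggregates that have lost at least one member."""
    return [a.name for a in parse_ipsec_aggregate_list(text) if a.degraded]


if __name__ == "__main__":
    for agg in parse_ipsec_aggregate_list(SAMPLE_OUTPUT):
        state = "DEGRADED" if agg.degraded else "ok"
        print(f"{agg.name}: algo={agg.algo} {agg.run_tally}/{agg.member_count} running [{state}]")
```

In practice the text fed to parse_ipsec_aggregate_list would come from running the diagnose command over SSH or through a monitoring integration; the parser itself is the part that is easy to get wrong and worth keeping under test.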
