Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JimBo
New Contributor II

Configuring IPSec VPN Aggregate

Hi Guys,

Attempt 1 - failed

I attempted to set up an IPSec VPN aggregate interface but received the GUI message "no members available".

Attempt 2 - failed

I navigated via CLI to vpn ipsec phase1-interface and edited my 2 active IPSec VPN tunnel interfaces, but received the error "Currently in use".

Attempt 3 - seems to work

I saved off the Fortigate 6.4 configuration.

Via Notepad, I navigated to the vpn ipsec phase1-interface section of the config, edited my 2 IPSec VPN tunnel phase 1 sections, added set aggregate-member enable and saved the changes.

I then restored this modified configuration back into the Fortigate.

After the Fortigate reloaded, via the GUI I navigated to VPN, IPSec Tunnels, created a new IPSec Aggregate interface and added my two active and operational IPSec VPN tunnels into the new aggregate interface.

I modified the static routes and policy and assigned a /30 net to the new aggregate interface.

I performed these same steps on the remote Fortigate as well.

TESTING

I tested traceroute from both ends, verified BGP peering was up and prefixes were received, and both remote LANs were accessible.

My 2 questions - while my VPN Agg procedure appears to be working as I would expect (but I notice some Fortigate changes seem to take a while to reveal themselves), is this a valid method with preconfigured IPSec VPN tunnels, or will I run into issues later?

I also notice in the GUI, under Network, Interfaces, that the aggregate interface as well as the individual VPN tunnels appear.

Thank you

VPN Agg.png

Thank You JimBo
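As an added check (my own script, not from this thread or from Fortinet): before restoring a hand-edited backup as in Attempt 3, parse it and confirm that every member named in the aggregate carries set aggregate-member enable, since a member without that flag is what leaves the GUI with "no members available". The config system ipsec-aggregate table name and the set member syntax are my assumption of the FortiOS CLI layout; match them to your own backup.

```python
import shlex

def parse_fortios(text):
    """{table: {entry: {key: [values]}}} from config/edit/set/next/end text."""
    tables, cfg, ent = {}, [], []   # result, open 'config' and 'edit' stacks
    for parts in filter(None, map(shlex.split, text.splitlines())):
        kw, args = parts[0], parts[1:]
        if kw == "config":
            cfg.append(" ".join(args))
        elif kw == "end":
            cfg.pop()
        elif kw == "edit":
            ent.append(args[0])
            if len(cfg) == 1:               # nested tables are skipped
                tables.setdefault(cfg[0], {}).setdefault(args[0], {})
        elif kw == "next":
            ent.pop()
        elif kw == "set" and len(cfg) == 1 and ent:
            tables[cfg[0]][ent[-1]][args[0]] = args[1:]
    return tables

def check_aggregate(text):
    """List member problems that produce the 'no members available' error."""
    t = parse_fortios(text)
    phase1 = t.get("vpn ipsec phase1-interface", {})
    problems = []
    for agg, attrs in t.get("system ipsec-aggregate", {}).items():   # assumed table name
        for m in attrs.get("member", []):
            p1 = phase1.get(m)
            if p1 is None:
                problems.append(f"{agg}: member {m} has no phase1-interface")
            elif p1.get("aggregate-member") != ["enable"]:
                problems.append(f"{agg}: member {m} lacks 'set aggregate-member enable'")
    return problems

# Constructed sample backup excerpt: tun2 never got the aggregate-member flag.
SAMPLE = """config vpn ipsec phase1-interface
    edit "tun1"
        set interface "wan1"
        set aggregate-member enable
    next
    edit "tun2"
        set interface "wan2"
    next
end
config system ipsec-aggregate
    edit "agg1"
        set member "tun1" "tun2"
    next
end
"""
```

Run check_aggregate on the edited backup text and restore only when it returns an empty list.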
hbac
Staff
JimBo
New Contributor II

Thanks for providing reference documentation. But yes, we used the Fortigate 6.4.x documentation, but unfortunately the documentation does not provide a complete reference to the final setup, nor does it explain how to get the FortiGate to accept active, in-use IPSec VPN tunnels as selectable members in a VPN Aggregate configuration. We suspect the authors assume the reader will just delete active production configurations to follow the plan. Yikeeeeeesssss.

We are hoping someone will provide a screenshot of the GUI Network, Interfaces section showing the final WAN ISP links with the aggregate IPSec VPN details.

Thanks

Thank You JimBo
hbac

Hi @JimBo

Yes, the documentation explains how to do it from scratch. If you want to add existing tunnels to an aggregate, you will need to remove all its references first, which is almost the same as, or might even take more time than, starting from scratch. Here are some screenshots. In the example below, SD-WAN was not configured.

aggregate.PNG

network.PNG

JimBo
New Contributor II

THANK YOU

Your sample screenshots only show the aggregate interface [and not the IPSec VPN tunnels]. I guess this is the correct GUI output, but since your aggregate is red (meaning down) I'm not sure this is actually valid. Could you provide the CLI related to the setup?

Thank you again, much appreciated.

Jim

Thank You JimBo