Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JimBo
New Contributor II

Configuring IPSec VPN Aggregate

Hi Guys,

 

Attempt 1 - failed

I attempted to setup an IPSec VPN Aggregate interface but received the GUI message no members available.

 

Attempt 2 -failed

I navigated via cli to vpn ipsec phase1-interface and edited my 2 active IPSec VPN tunnel interfaces by vpn ipsec phase1-interface but received error "Currently in use"

 

Attempt 3 - Seems to work

I saved off the Fortigate 6.4 configuration,

via Notepad, I navigated to vpn ipsec phase1-interface section of the config, edited my 2 IPSec VPN Tunnel phase 1 sections and added set aggregate-member enable and saved changes.

I then Restored this modified configuration back into the Fortigate.

After the Fortigate reloaded, via GUI, I navigated to VPN, IPSec Tunnels and created a new IPSec Aggregate interface and added my two active and operational IPSec VPN Tunnels into the new aggregate interface.

I modified the Static routes and Policy and assigned a /30 net to the new aggregate interface.

I performed these same steps on the remote Fortigate as-well.

:

TESTING

I tested traceroute from both ends, verified BGP peering was up, prefixes were received and access to both remote LANs were accessible.

 

My 2 Questions - While my VPN Agg procedures appears to be working as I would expect --- but notice some Fortigate changes seems to take a while to reveal themselves ---, Is this a valid method with preconfigured IPSec VPN Tunnels or will I run into issues later?

 

I also notice in the GUI, Network, Interfaces, - the Aggregate interface as-well-as the individual VPN Tunnels appear.

Thank you

 

 

VPN Agg.png

 

 

 
 
Thank You JimBo
Thank You JimBo
4 REPLIES 4
hbac
Staff
Staff
JimBo
New Contributor II

Thanks for providing reference documentation. But Yes, we used the Fortigate documentation 6.4.x but unfortunately the documentation does not provide a complete reference to the final setup nor explains how to get the FortiGate to accept active in-use IPSec VPN Tunnels as selectable members into an VPN Aggregate configuration. We suspect the authors assume the reader will just delete active production configurations to follow the plan. Yikeeeeeesssss.

 

We are hoping someone will provide a screen shot of the GUI Network, Interfaces section showing the final WAN ISP links with Aggregate IPSec VPNs details.

Thanks

Thank You JimBo
Thank You JimBo
hbac

Hi @JimBo

 

Yes, the documentation explains how to do it from scratch. If you want to add existing tunnels to an aggregate, you will need to remove all it's references first which is almost same or might even take more time than starting from scratch. Here are a screenshots. In the example below, SDWAN was not configured.  aggregate.PNG

 

network.PNG

JimBo
New Contributor II

THANK YOU

Your sample screen shots only show the Aggregate interface [and not the IPSec VPN tunnels] - I guess this is the correct GUI output but since your aggregate is red -meaning down- I'm not sure this is actually valid. Could you provide the CLI related to the setup?

 

Thank you again, Much appreciated.

Jim

Thank You JimBo
Thank You JimBo
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors