I attempted to setup an IPSec VPN Aggregate interface but received the GUI message no members available.
Attempt 2 -failed
I navigated via cli to vpn ipsec phase1-interface and edited my 2 active IPSec VPN tunnel interfaces by vpn ipsec phase1-interface but received error "Currently in use"
Attempt 3 - Seems to work
I saved off the Fortigate 6.4 configuration,
via Notepad, I navigated to vpn ipsec phase1-interface section of the config, edited my 2 IPSec VPN Tunnel phase 1 sections and added set aggregate-member enable and saved changes.
I then Restored this modified configuration back into the Fortigate.
After the Fortigate reloaded, via GUI, I navigated to VPN, IPSec Tunnels and created a new IPSec Aggregate interface and added my two active and operational IPSec VPN Tunnels into the new aggregate interface.
I modified the Static routes and Policy and assigned a /30 net to the new aggregate interface.
I performed these same steps on the remote Fortigate as-well.
I tested traceroute from both ends, verified BGP peering was up, prefixes were received and access to both remote LANs were accessible.
My 2 Questions - While my VPN Agg procedures appears to be working as I would expect --- but notice some Fortigate changes seems to take a while to reveal themselves ---, Is this a valid method with preconfigured IPSec VPN Tunnels or will I run into issues later?
I also notice in the GUI, Network, Interfaces, - the Aggregate interface as-well-as the individual VPN Tunnels appear.
Thanks for providing reference documentation. But Yes, we used the Fortigate documentation 6.4.x but unfortunately the documentation does not provide a complete reference to the final setup nor explains how to get the FortiGate to accept active in-use IPSec VPN Tunnels as selectable members into an VPN Aggregate configuration. We suspect the authors assume the reader will just delete active production configurations to follow the plan. Yikeeeeeesssss.
We are hoping someone will provide a screen shot of the GUI Network, Interfaces section showing the final WAN ISP links with Aggregate IPSec VPNs details.
Yes, the documentation explains how to do it from scratch. If you want to add existing tunnels to an aggregate, you will need to remove all it's references first which is almost same or might even take more time than starting from scratch. Here are a screenshots. In the example below, SDWAN was not configured.
Your sample screen shots only show the Aggregate interface [and not the IPSec VPN tunnels] - I guess this is the correct GUI output but since your aggregate is red -meaning down- I'm not sure this is actually valid. Could you provide the CLI related to the setup?
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.