Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Configuring IPSec VPN Aggregate

Hi Guys,


Attempt 1 - failed

I attempted to setup an IPSec VPN Aggregate interface but received the GUI message no members available.


Attempt 2 -failed

I navigated via cli to vpn ipsec phase1-interface and edited my 2 active IPSec VPN tunnel interfaces by vpn ipsec phase1-interface but received error "Currently in use"


Attempt 3 - Seems to work

I saved off the Fortigate 6.4 configuration,

via Notepad, I navigated to vpn ipsec phase1-interface section of the config, edited my 2 IPSec VPN Tunnel phase 1 sections and added set aggregate-member enable and saved changes.

I then Restored this modified configuration back into the Fortigate.

After the Fortigate reloaded, via GUI, I navigated to VPN, IPSec Tunnels and created a new IPSec Aggregate interface and added my two active and operational IPSec VPN Tunnels into the new aggregate interface.

I modified the Static routes and Policy and assigned a /30 net to the new aggregate interface.

I performed these same steps on the remote Fortigate as-well.



I tested traceroute from both ends, verified BGP peering was up, prefixes were received and access to both remote LANs were accessible.


My 2 Questions - While my VPN Agg procedures appears to be working as I would expect --- but notice some Fortigate changes seems to take a while to reveal themselves ---, Is this a valid method with preconfigured IPSec VPN Tunnels or will I run into issues later?


I also notice in the GUI, Network, Interfaces, - the Aggregate interface as-well-as the individual VPN Tunnels appear.

Thank you



VPN Agg.png



Thank You JimBo
Thank You JimBo
New Contributor II

Thanks for providing reference documentation. But Yes, we used the Fortigate documentation 6.4.x but unfortunately the documentation does not provide a complete reference to the final setup nor explains how to get the FortiGate to accept active in-use IPSec VPN Tunnels as selectable members into an VPN Aggregate configuration. We suspect the authors assume the reader will just delete active production configurations to follow the plan. Yikeeeeeesssss.


We are hoping someone will provide a screen shot of the GUI Network, Interfaces section showing the final WAN ISP links with Aggregate IPSec VPNs details.


Thank You JimBo
Thank You JimBo

Hi @JimBo


Yes, the documentation explains how to do it from scratch. If you want to add existing tunnels to an aggregate, you will need to remove all it's references first which is almost same or might even take more time than starting from scratch. Here are a screenshots. In the example below, SDWAN was not configured.  aggregate.PNG



New Contributor II


Your sample screen shots only show the Aggregate interface [and not the IPSec VPN tunnels] - I guess this is the correct GUI output but since your aggregate is red -meaning down- I'm not sure this is actually valid. Could you provide the CLI related to the setup?


Thank you again, Much appreciated.


Thank You JimBo
Thank You JimBo

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors