Support Forum
dkirchhoff-BE

Redundant or Round-Robin VPN configuration

I'm trying to modify/enhance our user VPN experience.

While trying to add the FortiClient VPN to a Linux laptop, we could not see any of our configured IPsec tunnels.

Later found out that the Linux client is not compatible with any tunnels configured with IKE 1.

So, we will have to change to IKE 2.  (lesson learned... don't use the 'Wizard')

While asking these questions, I also asked how we could potentially create a single tunnel that could access both of the IPsec VPNs on our 2 separate ISP circuits.

I was shown that I can add multiple VPNs to the VPN 'profile' in EMS.

Now my questions are ...  is that all/enough?  Or do I also need to create a VPN 'Aggregate' on the FortiGate too ??

How does the FortiClient profile determine how an end user connection chooses the appropriate tunnel?

Round Robin by default ??


At least the 'Aggregate' configuration in the FortiGate allows me to choose between several methods.

Then at the FortiGate, how do I modify each tunnel to enable 'aggregate-member' ?  (lesson learned, don't use the wizard ?) so I can add VPN tunnels to an Aggregate.


Any help would be appreciated.

3 REPLIES
AEK

FortiClient can't connect to more than one VPN at a time. As far as I know you can configure auto-connect to one tunnel only.

dkirchhoff-BE

Yes, I understand that.  What I'm trying to do is make 2 VPN tunnels available to users without them having to manually select one.  As you know, most users are ~lazy and just select the first choice (VPN1) and therefore, most of the connected FortiClient traffic is on that first VPN.  Then I get complaints that the performance is poor....  well, why don't you choose the other one... 'what other one' is the response....

I'm trying to make this ~easy so that both VPN tunnels get some traffic and try to balance.


So, is that better achieved by creating an IPsec Aggregate at the FortiGate, or simply putting both VPNs in the 'remote gateway' field of the 'Basic Settings' of the VPN tunnel profile on the EMS server?


OR... leveraging the SD-WAN configuration of the 2 Internet circuits at the FortiGate??

AEK

In that case I think you can define one public DNS A record with two IP addresses, and the DNS will do the load balancing job for you. I mean this DNS record should lead to approximately 50% on the first VPN and 50% on the second.

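Round-robin DNS only balances clients if the answers actually rotate by the time they reach the client's resolver; the OS or an intermediate resolver may re-sort or cache them. The following Python check, added here as an example and not code from the thread or from Fortinet, repeatedly resolves the VPN name and counts which gateway address comes first (the hostname `vpn.example.com` and the two RFC 5737 documentation addresses are assumptions; the rotating resolver is a constructed stand-in for a real DNS server).

```python
"""Verify that a round-robin DNS name spreads clients across the VPN gateways."""
from collections import Counter
import socket


def resolve_a_records(host):
    """Return the IPv4 addresses for host in the order the local resolver
    hands them back; the first one is what a client would normally try."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    seen = []
    for _, _, _, _, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def first_address_distribution(resolve, samples):
    """Call resolve() repeatedly and count how often each address comes first."""
    counts = Counter()
    for _ in range(samples):
        addrs = resolve()
        if addrs:
            counts[addrs[0]] += 1
    return dict(counts)


def is_balanced(distribution, expected_addrs, tolerance=0.15):
    """True if every expected gateway came first within `tolerance` of an
    even share and no unexpected address showed up at all."""
    total = sum(distribution.values())
    if total == 0 or set(distribution) != set(expected_addrs):
        return False
    share = 1.0 / len(expected_addrs)
    return all(abs(distribution[a] / total - share) <= tolerance
               for a in expected_addrs)


# Constructed addresses (RFC 5737) standing in for the two ISP-facing gateways.
GATEWAYS = ["203.0.113.10", "198.51.100.10"]


def rotating_resolver(addrs):
    """Constructed resolver that rotates the answer order on every query,
    mimicking a DNS server returning two A records round-robin."""
    state = {"i": 0}

    def resolve():
        offset = state["i"] % len(addrs)
        state["i"] += 1
        return addrs[offset:] + addrs[:offset]
    return resolve


if __name__ == "__main__":
    dist = first_address_distribution(rotating_resolver(GATEWAYS), 100)
    print(dist, is_balanced(dist, GATEWAYS))
    # Against a live name: first_address_distribution(lambda: resolve_a_records("vpn.example.com"), 50)
```

If the live check reports one address first almost every time, the client side is defeating the round robin, and a DNS record alone will not balance the two tunnels.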