justin_zhan
New Contributor

Tunnel Aggregation Dial-up VPN

[Image: IPsec Aggregate.png]

SPOKE Endpoint:
Has two WAN links (wan1 and wan2) with private IP addresses, requiring NAT traversal.
HUB Endpoint:
Has a single WAN link with a public IP address, no NAT traversal required.
Type: "dynamic Dialup user" (Dynamic PPPoE Connection).
Tunnel Aggregation Requirement:
Merge the two existing IPsec tunnels (from SPOKE to HUB) into a single "IPsec Aggregate" tunnel.


The Spoke can only have one tunnel established online at the same time and cannot have two tunnels established online simultaneously.
May I ask what method can be used to establish them simultaneously and complete the tunnel aggregation?

[Image: spoke_hub.png]


spoke config:

config vpn ipsec phase1-interface
    edit "spoke_test1"
        set interface "lan3"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "88"
        set dpd on-idle
        set network-overlay enable
        set network-id 88
        set remote-gw hub address-xxxxx
        set psksecret XXXXXXX
        set dpd-retryinterval 60
    next
    edit "spoke2_test2"
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "99"
        set dpd on-idle
        set nattraversal disable
        set network-overlay enable
        set network-id 99
        set remote-gw hub address-xxxxx
        set psksecret XXXXXXXXXXXX
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "spoke_test1"
        set phase1name "spoke_test1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_test2"
        set phase1name "spoke2_test2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end


HUB config:

config vpn ipsec phase1-interface
    edit "hub1_test"
        set type dynamic
        set interface "v707_3003"
        set ike-version 2
        set peertype any
        set net-device enable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "88"
        set dpd on-idle
        set nattraversal disable
        set network-overlay enable
        set network-id 88
        set psksecret XXXXXXXXXX
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase1-interface
    edit "hub2_test"
        set type dynamic
        set interface "v707_3003"
        set ike-version 2
        set peertype any
        set net-device enable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "99"
        set dpd on-idle
        set nattraversal disable
        set network-overlay enable
        set network-id 99
        set psksecret XXXXXX
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "hub1_test"
        set phase1name "hub1_test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
    next
end

config vpn ipsec phase2-interface
    edit "hub2_test"
        set phase1name "hub2_test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
    next
end

Stephen_G
Moderator

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


If anyone has any advice to contribute, please do!


Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hello,


We are still looking for someone to help you.

We will come back to you ASAP.


Thanks

Stephen - Fortinet Community Team
AEK
SuperUser

Hi Justin

Do you mean if tunnel1 goes down then tunnel2 can come up?

By the way I have a suggestion if it can help. I didn't use IPsec aggregate, which is old and very limited, but I used SD-WAN for IPsec and I can tell you that it is 100 times better.

AEK
justin_zhan

Hi AEK


1. First, I need to implement two WAN links. For example, one is 5 Mbps and the other is also 5 Mbps. 5 + 5 = 10, which means a VPN for two endpoints. If transferring FTP files, the speed can reach 10 Mbps instead of being limited to the single maximum bandwidth of 5 Mbps.
2. Can SD-WAN achieve active-active load balancing instead of active-standby?


Thank you for your support and answers.


AEK

Hi Justin

Sure, SD-WAN can do that and many other amazing things, either managing your WAN links or your IPsec links.

You can start here:

https://docs.fortinet.com/document/fortigate/7.4.8/administration-guide/19246/sd-wan

AEK
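To illustrate the SD-WAN approach AEK points to, here is an added example (not from the post and not Fortinet's documentation) that places the two spoke phase1 interfaces from the question, spoke_test1 and spoke2_test2, into one SD-WAN zone with a load-balance rule, so that sessions to the hub are spread over both tunnels rather than failing over between them. The zone name "overlay", the LAN interface "lan", the address objects "lan-networks" and "hub-networks", and the prefix 10.0.0.0/24 behind the hub are assumed names and a constructed value; it also assumes both tunnels can be up at the same time.

```fortios
# Added example. Assumed names: zone "overlay", interface "lan",
# address objects "lan-networks" and "hub-networks"; 10.0.0.0/24 is constructed.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    # Both spoke phase1 interfaces from the question become members of the zone
    config members
        edit 1
            set interface "spoke_test1"
            set zone "overlay"
        next
        edit 2
            set interface "spoke2_test2"
            set zone "overlay"
        next
    end
    # load-balance mode distributes new sessions over members 1 and 2 (active-active)
    config service
        edit 1
            set mode load-balance
            set src "lan-networks"
            set dst "hub-networks"
            set priority-members 1 2
        next
    end
end
# The hub networks must be routable over both members; a route via the zone does that
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set sdwan-zone "overlay"
    next
end
# One policy to the zone applies to whichever member a session is placed on
config firewall policy
    edit 0
        set name "lan-to-hub"
        set srcintf "lan"
        set dstintf "overlay"
        set srcaddr "lan-networks"
        set dstaddr "hub-networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

SD-WAN load balancing is per session, so aggregate throughput across many connections can approach both links combined, but a single FTP transfer stays on one member and is still bounded by that link's bandwidth.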