FortiGate Site to Site IPsec Aggregate Tunnel

Captions
Welcome to our tutorial on how to aggregate two site-to-site IPsec VPNs between two FortiGate firewalls. As shown on the network diagram, both locations have two ISPs. What we intend to do is set up two IPsec VPN tunnels between site A and site B, each VPN tunnel using a different ISP connection. We will then aggregate the two VPN tunnels into one. An IPsec aggregate interface can be used to achieve redundancy and traffic load balancing between two or more VPN tunnels.

Now let's proceed with our configuration, starting by checking end-to-end connectivity via each ISP.

We will start with the IPsec VPN tunnel configuration on FortiGate A. Enter a name for the VPN and enter the remote gateway IP. Let's reduce the dead peer detection retry interval to 5 seconds; dead peer detection is the method used to detect the liveness of an IPsec connection. Now, under Advanced, set the VPN tunnel as an aggregate member. Enter the pre-shared key. We will use IKE version 2. Choose the required Phase 1 proposals; we do not recommend the use of DES and SHA-1 in a production environment. Enter the local and remote addresses for the encryption domain: from our network diagram, they are the networks behind the two FortiGates. Optionally, enable auto-negotiate. We will repeat the same steps for the configuration of the second VPN tunnel via ISP2.

Now let's create the aggregate tunnel with the two IPsec VPN tunnels as members. For the aggregate tunnel interface we will use the Redundant load-balancing algorithm. With this algorithm, the first tunnel member that is up is used for all traffic; when that member fails, traffic is switched over to the next available member.

Next is static routes. The outgoing interface will be the aggregate tunnel interface. The purpose of the blackhole route is to ensure that when the IPsec aggregate tunnel is down, traffic to the remote end is silently dropped instead of using a default route on the FortiGate.

Finally, on FortiGate A, let's create two firewall policies, one for inbound traffic and the other for outgoing traffic. Disable NAT in the firewall policies.

Now let's complete the configuration on FortiGate B. The aggregate tunnel, along with both member IPsec tunnels, is up. Testing connectivity via the aggregate tunnel: let's ping 10.1.1.1 sourcing from 10.2.2.1. The tunnel via ISP2 is currently the one passing traffic between the two locations. Checking some VPN details.

Let me bring down the tunnel currently passing traffic and see what happens; that is the tunnel via ISP2. I will shut down the WAN interfaces connecting to ISP2 on both FortiGates. Since the dead peer detection retry count was set to 3 and the interval was set to 5 seconds, the tunnel will be declared down after 15 seconds. The second tunnel is down, and now the first one has started passing traffic.

Congratulations, we have successfully configured an IPsec aggregate tunnel between two FortiGates. Thanks for watching our tutorial. If you have any questions or need further assistance, please feel free to leave a comment below. Don't forget to subscribe to our channel for more helpful tutorials. See you next time.
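The configuration walked through above, written out as FortiOS CLI for FortiGate A, is an added example and not taken from the video. The interface names (wan1, wan2), the peer addresses (203.0.113.2, 198.51.100.2), the /24 LAN subnets behind each FortiGate and the pre-shared-key placeholder are assumptions; the phase 1 and phase 2 objects for the ISP2 member are configured the same way, with wan2 and the ISP2 peer address.

```fortios
# Phase 1 for the member via ISP1: IKEv2, aggregate member, DPD 3 x 5 s
# (assumed names/addresses; repeat as "vpn-isp2" on wan2 with 198.51.100.2)
config vpn ipsec phase1-interface
    edit "vpn-isp1"
        set interface "wan1"
        set ike-version 2
        set aggregate-member enable
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# Phase 2: the encryption domain is the LAN behind each FortiGate (assumed /24s)
config vpn ipsec phase2-interface
    edit "vpn-isp1-p2"
        set phase1name "vpn-isp1"
        set auto-negotiate enable
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end
# Aggregate both members; "redundant" = the first member that is up carries all traffic
config system ipsec-aggregate
    edit "agg-tunnel"
        set member "vpn-isp1" "vpn-isp2"
        set algorithm redundant
    next
end
# Route the remote LAN via the aggregate; the blackhole route (worse distance)
# silently drops that traffic when the aggregate is down instead of using the default route
config router static
    edit 1
        set dst 10.2.2.0 255.255.255.0
        set device "agg-tunnel"
    next
    edit 2
        set dst 10.2.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

The two firewall policies (internal to agg-tunnel and agg-tunnel to internal) are then created with `set nat disable`, and FortiGate B mirrors this configuration with the subnets and peer addresses swapped.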
Info
Channel: Verifine Academy
Views: 3,064
Keywords: FortiGate, IPsec VPN, FortiGate IPsec, FortiGate IPsec Loopback, IPsec with Loopback Interface, Site-to-Site IPsec Loopback Interface, FortiGate Site-to-Site VPN, FortiGate IPsec VPN, Site-to-Site VPN with Loopback, IPsec VPN with Loopback
Id: y7vJZ10dZCQ
Length: 14min 38sec (878 seconds)
Published: Mon May 15 2023