Packet Distribution and Redundancy for Aggregate IPsec Tunnels Configuration
Introduction
In today's complex network environments, ensuring data traffic flows efficiently and reliably between multiple sites is crucial. One practical approach to achieve this is by leveraging FortiGate's aggregate IPsec tunnels, which provide redundancy and load-balancing capabilities for VPN connections. This blog post will guide you through configuring packet distribution and redundancy for aggregate IPsec tunnels on a FortiGate appliance.
Configuration Requirements
Before diving into the configuration steps, ensure that your FortiGate system is set up and accessible. You will need two WAN interfaces on each FortiGate device connected to different ISPs. Additionally, OSPF (Open Shortest Path First) should be enabled to manage dynamic routing over the IPsec aggregates.
Supported Load Balancing Algorithms
FortiGate supports several load balancing algorithms for IPsec aggregates:
- L3 and L4: Load balancing based on Layer 3 and Layer 4 headers.
- Round-robin (default): Distributes packets evenly across tunnels.
- Weighted round-robin: Allows setting weights for individual tunnels, providing more control over traffic distribution.
- Redundant: Uses the first active tunnel for all traffic, providing failover redundancy.
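To make the four distribution modes concrete, the following is an added Python simulation (not FortiGate code) of how an aggregate picks a member tunnel for each packet, including failover when the first member goes down. The member names come from this guide; the 2:1 weights, the sample addresses and the use of SHA-256 as the header hash are assumptions for illustration.

```python
import hashlib

def flow_hash(pkt, layer4):
    """Stable hash of the L3 (or L3+L4) tuple, so one flow always picks one member."""
    key = (pkt["src"], pkt["dst"])
    if layer4:
        key += (pkt["proto"], pkt["sport"], pkt["dport"])
    return int.from_bytes(hashlib.sha256(repr(key).encode()).digest()[:4], "big")

class IpsecAggregate:
    def __init__(self, members, algorithm="round-robin"):
        self.members = members      # list of {"name", "weight", "up"} in configured order
        self.algorithm = algorithm
        self.counter = 0            # packet counter for the round-robin variants

    def select(self, pkt):
        """Return the member that carries this packet, or None if every member is down."""
        active = [m for m in self.members if m["up"]]
        if not active:
            return None
        if self.algorithm == "redundant":       # first live member takes everything
            return active[0]["name"]
        if self.algorithm in ("L3", "L4"):      # header hash: flow-sticky, no reordering
            return active[flow_hash(pkt, self.algorithm == "L4") % len(active)]["name"]
        if self.algorithm == "round-robin":     # one packet per member in turn
            m = active[self.counter % len(active)]
            self.counter += 1
            return m["name"]
        if self.algorithm == "weighted-round-robin":   # 'weight' packets per cycle
            slot = self.counter % sum(m["weight"] for m in active)
            self.counter += 1
            for m in active:
                if slot < m["weight"]:
                    return m["name"]
                slot -= m["weight"]
        raise ValueError("unknown algorithm: " + self.algorithm)

def distribute(algorithm, packets, members):
    agg, counts = IpsecAggregate(members, algorithm), {}
    for pkt in packets:
        name = agg.select(pkt)
        counts[name] = counts.get(name, 0) + 1
    return counts

def sample_members(pri_up=True):   # constructed: the guide's two members, 2:1 weights assumed
    return [{"name": "pri_HQ2", "weight": 2, "up": pri_up},
            {"name": "sec_HQ2", "weight": 1, "up": True}]

def sample_packets(n):   # constructed: TCP packets HQ1 LAN -> HQ2 LAN, two flows alternate by sport
    return [{"src": "10.1.100.10", "dst": "172.16.101.20", "proto": 6,
             "sport": 40000 + i % 2, "dport": 443} for i in range(n)]
```

Note that only the L3 and L4 modes keep all packets of one flow on the same member; the round-robin modes spread a single flow across both tunnels, which can reorder packets if the paths differ in latency.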
Configuring the HQ1 FortiGate
- Create the IPsec Tunnels
Go to VPN > IPsec Wizard and select the Custom template. For Name, enter pri_HQ2 and click Next. Enter the following details:
Phase 1:
  IP Address: 172.16.202.1
  Interface: port1
  Device creation: Disabled
  Aggregate member: Enabled
Authentication:
  Method: Pre-shared Key
  Pre-shared Key: enter the secure key
  IKE Mode: Aggressive
Peer Options:
  Accept Types: Any peer ID
Phase 2:
  Auto-negotiate: Enable
Create another tunnel named sec_HQ2 with a different interface and IP address.
- Create the IPsec Aggregate
Go to VPN > IPsec Tunnels and click Create New > IPsec Aggregate. Name it agg_HQ2 and select a load balancing algorithm. Add pri_HQ2 and sec_HQ2 as members and, if required, specify weights. Click OK.
- Configure Firewall Policies
Go to Policy & Objects > Firewall Policy. Create inbound and outbound policies specifying:
Interfaces: agg_HQ2, dmz
Source/Destination: 172.16.101.0/10.1.100.0
Action: ACCEPT
Service: ALL
- Configure the Aggregate VPN Interface IPs
Go to Network > Interfaces and edit agg_HQ2. Set IP to 10.10.10.1 and Remote IP/Netmask to 10.10.10.2 255.255.255.255. Click OK.
- Configure OSPF
Go to Network > OSPF and set Router ID to 1.1.1.1. Add areas and networks as per the configuration requirements:
Area ID: 0.0.0.0
Networks: 10.1.100.0/24, 10.10.10.0/24
Configuring the HQ2 FortiGate
Follow the same steps as for HQ1, but use the corresponding IP addresses and interfaces for HQ2, set the Router ID to 2.2.2.2 and adjust the OSPF networks accordingly. This ensures both ends of the IPsec tunnels are configured consistently.
Monitoring Traffic
To monitor traffic, navigate to Dashboard > Network, hover over the IPsec widget, and click Expand to Full Screen. This allows viewing of aggregate member statistics, aiding in traffic management and troubleshooting.
Conclusion
By setting up aggregate IPsec tunnels with FortiGate, you enhance your network's reliability and efficiency through effective load balancing and redundancy. Follow the steps outlined in this guide to ensure a robust site-to-site IPsec VPN setup, leveraging FortiGate's powerful capabilities for managing and distributing network traffic.