Description
This article describes how to aggregate tunnel members interfaces. Starting from 6.2.1, aggregate-member has to be enabled in the phase 1 IPsec Tunnel.
Solution
In the example below, two Phase1 interfaces have been created as pri_HQ1 and sec_HQ1. For both tunnels, the aggregate-member in the Phase 1 has been enabled.
# config vpn ipsec phase1-interface
edit "pri_HQ1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.202.1
set psksecret sample1
set aggregate-member enable
next
edit "sec_HQ1"
set interface "port2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.17.202.1
set psksecret sample2
set aggregate-member enable
next
end
# config vpn ipsec phase2-interface
edit "pri_HQ1"
set phase1name "pri_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "sec_HQ1"
set phase1name "sec_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
Now, the members in the aggregate should be added as below:
# config system ipsec-aggregate
edit AGGREGATE
set member pri_HQ1 sec_HQ1
end
