

IPsec aggregate for redundancy and traffic load-balancing

IPsec aggregate for redundancy and traffic load-balancing

This is a sample configuration that uses IPsec aggregate to set up redundancy and traffic load-balancing. The following options are available:

  • Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as members of the ipsec-aggregate interface.
  • The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.

Because the GUI can only complete part of the configuration, we recommend using the CLI.

To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:
  1. Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link carries the primary tunnel and the ISP2 link carries the secondary tunnel.
    1. Configure HQ1.

      config system interface

      edit "port1"

      set alias to_ISP1

      set ip 172.16.200.1 255.255.255.0

      next

      edit "port2"

      set alias to_ISP2

      set ip 172.17.200.1 255.255.255.0

      next

      end

      config router static

      edit 1

      set gateway 172.16.200.3

      set device "port1"

      next

      edit 2

      set gateway 172.17.200.3

      set device "port2"

      set priority 100

      next

      end

    2. Configure HQ2.

      config system interface

      edit "port25"

      set alias to_ISP1

      set ip 172.16.202.1 255.255.255.0

      next

      edit "port26"

      set alias to_ISP2

      set ip 172.17.202.1 255.255.255.0

      next

      end

      config router static

      edit 1

      set gateway 172.16.202.2

      set device "port25"

      next

      edit 2

      set gateway 172.17.202.2

      set device "port26"

      set priority 100

      next

      end

  2. Configure the internal (protected subnet) interface.
    1. Configure HQ1.

      config system interface

      edit "dmz"

      set ip 10.1.100.1 255.255.255.0

      next

      end

    2. Configure HQ2.

      config system interface

      edit "port9"

      set ip 172.16.101.1 255.255.255.0

      next

      end

  3. Configure the IPsec phase-1 and phase-2 interfaces. On each FortiGate, configure two site-to-site phase-1 interfaces with net-device disable. The psksecret values shown (sample1, sample2) are placeholders; use strong, unique pre-shared keys in a real deployment.
    1. Configure HQ1.

      config vpn ipsec phase1-interface

      edit "pri_HQ2"

      set interface "port1"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.16.202.1

      set psksecret sample1

      next

      edit "sec_HQ2"

      set interface "port2"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.17.202.1

      set psksecret sample2

      next

      end

      config vpn ipsec phase2-interface

      edit "pri_HQ2"

      set phase1name "pri_HQ2"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      edit "sec_HQ2"

      set phase1name "sec_HQ2"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      end

    2. Configure HQ2.

      config vpn ipsec phase1-interface

      edit "pri_HQ1"

      set interface "port25"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.16.200.1

      set psksecret sample1

      next

      edit "sec_HQ1"

      set interface "port26"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.17.200.1

      set psksecret sample2

      next

      end

      config vpn ipsec phase2-interface

      edit "pri_HQ1"

      set phase1name "pri_HQ1"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      edit "sec_HQ1"

      set phase1name "sec_HQ1"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      end

  4. Configure ipsec-aggregate.
    1. Configure HQ1.

      config system ipsec-aggregate

      edit "agg_HQ2"

      set member "pri_HQ2" "sec_HQ2"

      next

      end

    2. Configure HQ2.

      config system ipsec-aggregate

      edit "agg_HQ1"

      set member "pri_HQ1" "sec_HQ1"

      next

      end

  5. Configure the firewall policy.
    1. Configure HQ1.

      config firewall policy

      edit 1

      set name "inbound"

      set srcintf "agg_HQ2"

      set dstintf "dmz"

      set srcaddr "172.16.101.0"

      set dstaddr "10.1.100.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set name "outbound"

      set srcintf "dmz"

      set dstintf "agg_HQ2"

      set srcaddr "10.1.100.0"

      set dstaddr "172.16.101.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

    2. Configure HQ2.

      config firewall policy

      edit 1

      set name "inbound"

      set srcintf "agg_HQ1"

      set dstintf "port9"

      set srcaddr "10.1.100.0"

      set dstaddr "172.16.101.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set name "outbound"

      set srcintf "port9"

      set dstintf "agg_HQ1"

      set srcaddr "172.16.101.0"

      set dstaddr "10.1.100.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

  6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface. No IP address is required if static routes are used instead.
    1. Configure HQ1.

      config system interface

      edit "agg_HQ2"

      set ip 10.10.10.1 255.255.255.255

      set remote-ip 10.10.10.2 255.255.255.255

      next

      end

    2. Configure HQ2.

      config system interface

      edit "agg_HQ1"

      set ip 10.10.10.2 255.255.255.255

      set remote-ip 10.10.10.1 255.255.255.255

      next

      end

  7. Configure OSPF.
    1. Configure HQ1.

      config router ospf

      set router-id 1.1.1.1

      config area

      edit 0.0.0.0

      next

      end

      config network

      edit 1

      set prefix 10.1.100.0 255.255.255.0

      next

      edit 2

      set prefix 10.10.10.0 255.255.255.0

      next

      end

      end

    2. Configure HQ2.

      config router ospf

      set router-id 2.2.2.2

      config area

      edit 0.0.0.0

      next

      end

      config network

      edit 1

      set prefix 172.16.101.0 255.255.255.0

      next

      edit 2

      set prefix 10.10.10.0 255.255.255.0

      next

      end

      end

  8. Run diagnose commands.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:

      vd: root/0

      name: pri_HQ2

      version: 1

      interface: port1 11

      addr: 172.16.200.1:500 -> 172.16.202.1:500

      created: 1520s ago

      IKE SA: created 1/2 established 1/1 time 10/10/10 ms

      IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

      id/spi: 173 dcdede154681579b/e32f4c48c4349fc0 direction: responder status: established 1498-1498s ago = 10ms proposal: aes128-sha256 key: d7230a68d7b83def-588b94495cfa9d38 lifetime/rekey: 86400/84631 DPD sent/recv: 0000000d/00000006

      vd: root/0

      name: sec_HQ2

      version: 1

      interface: port2 12

      addr: 172.17.200.1:500 -> 172.17.202.1:500

      created: 1520s ago

      IKE SA: created 1/2 established 1/1 time 10/10/10 ms

      IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

      id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2 direction: responder status: established 1498-1498s ago = 10ms proposal: aes128-sha256 key: 9f44f500c28d8de6-febaae9d1e6a164c lifetime/rekey: 86400/84631 DPD sent/recv: 00000008/0000000c

    2. Run the diagnose vpn tunnel list command. The system should return the following:

      list all ipsec tunnel in vd 0

      name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0

      bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1

      proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0

      stat: rxp=39 txp=40 rxb=5448 txb=2732

      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15

      natt: mode=none draft=0 interval=0 remote_port=0

      proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate

      src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41230/0B replaywin=2048

      seqno=29 esn=0 replaywin_lastseq=00000028 itn=0

      life: type=01 bytes=0/0 timeout=42899/43200 dec: spi=1071b4f9 esp=aes key=16 1f4dbb78bea8e97650b52d8170b5ece7

      ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12

      enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404

      ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8

      dec:pkts/bytes=39/2796, enc:pkts/bytes=40/5456

      name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

      bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1

      proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0

      stat: rxp=38 txp=39 rxb=5152 txb=2768

      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=20

      natt: mode=none draft=0 interval=0 remote_port=0

      proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate

      src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41231/0B replaywin=2048

      seqno=28 esn=0 replaywin_lastseq=00000027 itn=0

      life: type=01 bytes=0/0 timeout=42900/43200 dec: spi=1071b4f8 esp=aes key=16 142cce377b3432ba41e64128ade6848c

      ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d

      enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14

      ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d

      dec:pkts/bytes=38/2568, enc:pkts/bytes=39/5432

    3. Run the diagnose sys ipsec-aggregate list command. The system should return the following:

      agg_HQ2 algo=RR member=2 run_tally=2

      members:

      pri_HQ2

      sec_HQ2

    4. Run the get router info ospf neighbor command. The system should return the following:

      OSPF process 0, VRF 0:

      Neighbor ID Pri State Dead Time Address Interface

      2.2.2.2 1 Full/ - 00:00:34 10.10.10.2 agg_HQ2

    5. Run the get router info routing-table ospf command. The system should return the following:

      Routing table for VRF=0

      O 172.16.101.0/24 [110/20] via 10.10.10.2, agg_HQ2, 00:18:43

IPsec aggregate for redundancy and traffic load-balancing

IPsec aggregate for redundancy and traffic load-balancing

This is a sample configuration that uses IPsec aggregate to set up redundancy and traffic load-balancing. The following options are available:

  • Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as members of the ipsec-aggregate interface.
  • The supported load balancing algorithms are: L3, L4, round-robin (default), and redundant.

Because the GUI can only complete part of the configuration, we recommend using the CLI.

To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:
  1. Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link carries the primary tunnel and the ISP2 link carries the secondary tunnel.
    1. Configure HQ1.

      config system interface

      edit "port1"

      set alias to_ISP1

      set ip 172.16.200.1 255.255.255.0

      next

      edit "port2"

      set alias to_ISP2

      set ip 172.17.200.1 255.255.255.0

      next

      end

      config router static

      edit 1

      set gateway 172.16.200.3

      set device "port1"

      next

      edit 2

      set gateway 172.17.200.3

      set device "port2"

      set priority 100

      next

      end

    2. Configure HQ2.

      config system interface

      edit "port25"

      set alias to_ISP1

      set ip 172.16.202.1 255.255.255.0

      next

      edit "port26"

      set alias to_ISP2

      set ip 172.17.202.1 255.255.255.0

      next

      end

      config router static

      edit 1

      set gateway 172.16.202.2

      set device "port25"

      next

      edit 2

      set gateway 172.17.202.2

      set device "port26"

      set priority 100

      next

      end

  2. Configure the internal (protected subnet) interface.
    1. Configure HQ1.

      config system interface

      edit "dmz"

      set ip 10.1.100.1 255.255.255.0

      next

      end

    2. Configure HQ2.

      config system interface

      edit "port9"

      set ip 172.16.101.1 255.255.255.0

      next

      end

  3. Configure the IPsec phase-1 and phase-2 interfaces. On each FortiGate, configure two site-to-site phase-1 interfaces with net-device disable. The psksecret values shown (sample1, sample2) are placeholders; use strong, unique pre-shared keys in a real deployment.
    1. Configure HQ1.

      config vpn ipsec phase1-interface

      edit "pri_HQ2"

      set interface "port1"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.16.202.1

      set psksecret sample1

      next

      edit "sec_HQ2"

      set interface "port2"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.17.202.1

      set psksecret sample2

      next

      end

      config vpn ipsec phase2-interface

      edit "pri_HQ2"

      set phase1name "pri_HQ2"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      edit "sec_HQ2"

      set phase1name "sec_HQ2"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      end

    2. Configure HQ2.

      config vpn ipsec phase1-interface

      edit "pri_HQ1"

      set interface "port25"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.16.200.1

      set psksecret sample1

      next

      edit "sec_HQ1"

      set interface "port26"

      set peertype any

      set net-device disable

      set aggregate-member enable

      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

      set remote-gw 172.17.200.1

      set psksecret sample2

      next

      end

      config vpn ipsec phase2-interface

      edit "pri_HQ1"

      set phase1name "pri_HQ1"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      edit "sec_HQ1"

      set phase1name "sec_HQ1"

      set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

      set auto-negotiate enable

      next

      end

  4. Configure ipsec-aggregate.
    1. Configure HQ1.

      config system ipsec-aggregate

      edit "agg_HQ2"

      set member "pri_HQ2" "sec_HQ2"

      next

      end

    2. Configure HQ2.

      config system ipsec-aggregate

      edit "agg_HQ1"

      set member "pri_HQ1" "sec_HQ1"

      next

      end

  5. Configure the firewall policy.
    1. Configure HQ1.

      config firewall policy

      edit 1

      set name "inbound"

      set srcintf "agg_HQ2"

      set dstintf "dmz"

      set srcaddr "172.16.101.0"

      set dstaddr "10.1.100.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set name "outbound"

      set srcintf "dmz"

      set dstintf "agg_HQ2"

      set srcaddr "10.1.100.0"

      set dstaddr "172.16.101.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

    2. Configure HQ2.

      config firewall policy

      edit 1

      set name "inbound"

      set srcintf "agg_HQ1"

      set dstintf "port9"

      set srcaddr "10.1.100.0"

      set dstaddr "172.16.101.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set name "outbound"

      set srcintf "port9"

      set dstintf "agg_HQ1"

      set srcaddr "172.16.101.0"

      set dstaddr "10.1.100.0"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

  6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface. No IP address is required if static routes are used instead.
    1. Configure HQ1.

      config system interface

      edit "agg_HQ2"

      set ip 10.10.10.1 255.255.255.255

      set remote-ip 10.10.10.2 255.255.255.255

      next

      end

    2. Configure HQ2.

      config system interface

      edit "agg_HQ1"

      set ip 10.10.10.2 255.255.255.255

      set remote-ip 10.10.10.1 255.255.255.255

      next

      end

  7. Configure OSPF.
    1. Configure HQ1.

      config router ospf

      set router-id 1.1.1.1

      config area

      edit 0.0.0.0

      next

      end

      config network

      edit 1

      set prefix 10.1.100.0 255.255.255.0

      next

      edit 2

      set prefix 10.10.10.0 255.255.255.0

      next

      end

      end

    2. Configure HQ2.

      config router ospf

      set router-id 2.2.2.2

      config area

      edit 0.0.0.0

      next

      end

      config network

      edit 1

      set prefix 172.16.101.0 255.255.255.0

      next

      edit 2

      set prefix 10.10.10.0 255.255.255.0

      next

      end

      end

  8. Run diagnose commands.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:

      vd: root/0

      name: pri_HQ2

      version: 1

      interface: port1 11

      addr: 172.16.200.1:500 -> 172.16.202.1:500

      created: 1520s ago

      IKE SA: created 1/2 established 1/1 time 10/10/10 ms

      IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

      id/spi: 173 dcdede154681579b/e32f4c48c4349fc0 direction: responder status: established 1498-1498s ago = 10ms proposal: aes128-sha256 key: d7230a68d7b83def-588b94495cfa9d38 lifetime/rekey: 86400/84631 DPD sent/recv: 0000000d/00000006

      vd: root/0

      name: sec_HQ2

      version: 1

      interface: port2 12

      addr: 172.17.200.1:500 -> 172.17.202.1:500

      created: 1520s ago

      IKE SA: created 1/2 established 1/1 time 10/10/10 ms

      IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

      id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2 direction: responder status: established 1498-1498s ago = 10ms proposal: aes128-sha256 key: 9f44f500c28d8de6-febaae9d1e6a164c lifetime/rekey: 86400/84631 DPD sent/recv: 00000008/0000000c

    2. Run the diagnose vpn tunnel list command. The system should return the following:

      list all ipsec tunnel in vd 0

      name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0

      bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1

      proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0

      stat: rxp=39 txp=40 rxb=5448 txb=2732

      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15

      natt: mode=none draft=0 interval=0 remote_port=0

      proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate

      src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41230/0B replaywin=2048

      seqno=29 esn=0 replaywin_lastseq=00000028 itn=0

      life: type=01 bytes=0/0 timeout=42899/43200 dec: spi=1071b4f9 esp=aes key=16 1f4dbb78bea8e97650b52d8170b5ece7

      ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12

      enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404

      ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8

      dec:pkts/bytes=39/2796, enc:pkts/bytes=40/5456

      name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

      bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1

      proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0

      stat: rxp=38 txp=39 rxb=5152 txb=2768

      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=20

      natt: mode=none draft=0 interval=0 remote_port=0

      proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate

      src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41231/0B replaywin=2048

      seqno=28 esn=0 replaywin_lastseq=00000027 itn=0

      life: type=01 bytes=0/0 timeout=42900/43200 dec: spi=1071b4f8 esp=aes key=16 142cce377b3432ba41e64128ade6848c

      ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d

      enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14

      ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d

      dec:pkts/bytes=38/2568, enc:pkts/bytes=39/5432

    3. Run the diagnose sys ipsec-aggregate list command. The system should return the following:

      agg_HQ2 algo=RR member=2 run_tally=2

      members:

      pri_HQ2

      sec_HQ2

    4. Run the get router info ospf neighbor command. The system should return the following:

      OSPF process 0, VRF 0:

      Neighbor ID Pri State Dead Time Address Interface

      2.2.2.2 1 Full/ - 00:00:34 10.10.10.2 agg_HQ2

    5. Run the get router info routing-table ospf command. The system should return the following:

      Routing table for VRF=0

      O 172.16.101.0/24 [110/20] via 10.10.10.2, agg_HQ2, 00:18:43