
FortiGate-6000 Handbook

IPsec VPN load balancing

You can use the following command to enable or disable IPsec VPN load balancing (ipsec-load-balance is an option of load-balance setting, so it is configured with set):

config load-balance setting
    set ipsec-load-balance {disable | enable}
end

By default, IPsec VPN load balancing is enabled and the flow rules listed below are disabled. In this mode the FortiGate-6000 directs IPsec VPN sessions to the DP3 processors, which load balance them among the FPCs, so each IPsec VPN tunnel is terminated on whichever FPC the DP3 processors select for it.

Default IPsec VPN flow-rules
config load-balance flow-rule
    edit 21
        set status disable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set comment "ipv4 ike"
    next
    edit 22
        set status disable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status disable
        set ether-type ipv4
        set protocol esp
        set action forward
        set forward-slot master
        set comment "ipv4 esp"
    next
end

Disabling IPsec VPN load balancing

If IPsec VPN load balancing is enabled, the FortiGate-6000 drops traffic that enters through one IPsec VPN tunnel and leaves through another, because the two tunnels may be terminated on different FPCs and the FPC that terminates the inbound tunnel cannot forward the session into a tunnel terminated by another FPC. If your deployment carries traffic between IPsec VPN tunnels (for example, a hub that forwards traffic from one spoke tunnel into another), you must disable IPsec VPN load balancing:

config load-balance setting
    set ipsec-load-balance disable
end

Disabling IPsec VPN load balancing in this way enables the following flow rules, which forward all IPv4 IKE (UDP port 500), IKE NAT-T (UDP port 4500) and ESP traffic to the primary (master) FPC, so that every IPsec VPN tunnel is terminated on the same FPC:

IPsec flow rules with ipsec-load-balance disabled
config load-balance flow-rule
    edit 21
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status enable
        set ether-type ipv4
        set protocol esp
        set action forward
        set forward-slot master
        set comment "ipv4 esp"
    next
end

These flow rules should handle most IPsec VPN traffic. Note what they do and do not match: all three rules are limited to ether-type ipv4, so IKE or ESP carried over IPv6 is not covered, and rule 22 matches NAT-T traffic by destination port 4500 only. If your IPsec VPN setup is not compatible with the default flow rules, adjust them or add your own. Because the rules forward to the primary FPC, all IPsec VPN traffic is processed by that single FPC rather than being load balanced across the FPCs once ipsec-load-balance is disabled.
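As an added example (not part of the handbook and not Fortinet's own default configuration), the following flow rules are IPv6 companions to the default rules 21 to 23: they forward IKE, IKE NAT-T and ESP carried over IPv6 to the primary FPC in the same way, so that IPv6 IPsec VPN tunnels are also all terminated on one FPC once ipsec-load-balance is disabled. The rule IDs 24 to 26 and the comment strings are assumptions; run show load-balance flow-rule first and choose IDs that are not already in use on your system.

```fortios
# Added example: IPv6 equivalents of the default IPsec flow rules.
# Rule IDs 24-26 are assumed to be free; verify with: show load-balance flow-rule
config load-balance flow-rule
    edit 24
        set status enable
        set ether-type ipv6
        set protocol udp
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set comment "ipv6 ike"
    next
    edit 25
        set status enable
        set ether-type ipv6
        set protocol udp
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set comment "ipv6 ike-natt dst"
    next
    edit 26
        set status enable
        set ether-type ipv6
        set protocol esp
        set action forward
        set forward-slot master
        set comment "ipv6 esp"
    next
end
```

These rules mirror the defaults field for field except for ether-type, so the same trade-off applies: every IPv6 IKE and ESP packet is steered to the primary FPC and is no longer load balanced. Like the default rules, they match NAT-T by destination port only, so adjust dst-l4port if your peers use a non-standard NAT-T port.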
