Fortinet white logo
Fortinet white logo

FortiGate-6000 Handbook

IPv4 and IPv6 IPsec VPN load balancing

IPv4 and IPv6 IPsec VPN load balancing

You can use the following command to enable or disable IPv4 and IPv6 IPsec VPN load balancing:

config load-balance setting

set ipsec-load-balance {disable | enable}

end

By default, IPsec VPN load balancing is enabled and if static routes are used for communication over VPN tunnels, the FortiGate-6000 directs IPv4 and IPv6 IPsec VPN sessions to the DP3 processors which load balance them among the FPCs.

Note

Previous versions of FortiOS for FortiGate-6000 used load balancing flow rules. These rules are no longer required for the FortiGate-6000 so you can remove them. For details, see the release notes.

Disabling IPsec VPN load balancing

If IPsec VPN load balancing is enabled, the FortiGate-6000 will drop IPsec VPN sessions traveling between two IPsec tunnels because load balancing might terminate the two IPsec tunnels on different FPCs. If you have traffic entering the FortiGate-6000 from one IPsec VPN tunnel and leaving the FortiGate-6000 out another IPsec VPN tunnel, or if you need to support dynamic routing over IPsec VPN tunnels, you must disable IPsec VPN load balancing:

config load-balance setting

set ipsec-load-balance disable

end

Disabling IPsec VPN load balancing in this way sends all IPsec VPN sessions to the primary FPC.

You could also add your own flow rules if you want to handle IPsec VPN sessions differently, for example, you could send IPsec VPN traffic to a different FPC instead of the primary FPC.

Example IPv4 and IPv6 IPsec VPN flow rules

The following example IPv4 and IPv6 IPsec VPN flow rules send all IPv4 and IPv6 IPSec VPN traffic to the primary FPC. Normally you would not need these flow rules, ether because IPsec VPN load balancing is enabled and these flow rules are skipped or because IPsec VPN load balancing is disabled and all IPsec VPN traffic is just sent to the primary FPC.

 edit 18
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike-natt dst"
    next
    edit 20
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 esp"
    next
    edit 21
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next 
    edit 23
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next

IPv4 and IPv6 IPsec VPN load balancing

IPv4 and IPv6 IPsec VPN load balancing

You can use the following command to enable or disable IPv4 and IPv6 IPsec VPN load balancing:

config load-balance setting

set ipsec-load-balance {disable | enable}

end

By default, IPsec VPN load balancing is enabled and if static routes are used for communication over VPN tunnels, the FortiGate-6000 directs IPv4 and IPv6 IPsec VPN sessions to the DP3 processors which load balance them among the FPCs.

Note

Previous versions of FortiOS for FortiGate-6000 used load balancing flow rules. These rules are no longer required for the FortiGate-6000 so you can remove them. For details, see the release notes.

Disabling IPsec VPN load balancing

If IPsec VPN load balancing is enabled, the FortiGate-6000 will drop IPsec VPN sessions traveling between two IPsec tunnels because load balancing might terminate the two IPsec tunnels on different FPCs. If you have traffic entering the FortiGate-6000 from one IPsec VPN tunnel and leaving the FortiGate-6000 out another IPsec VPN tunnel, or if you need to support dynamic routing over IPsec VPN tunnels, you must disable IPsec VPN load balancing:

config load-balance setting

set ipsec-load-balance disable

end

Disabling IPsec VPN load balancing in this way sends all IPsec VPN sessions to the primary FPC.

You could also add your own flow rules if you want to handle IPsec VPN sessions differently, for example, you could send IPsec VPN traffic to a different FPC instead of the primary FPC.

Example IPv4 and IPv6 IPsec VPN flow rules

The following example IPv4 and IPv6 IPsec VPN flow rules send all IPv4 and IPv6 IPSec VPN traffic to the primary FPC. Normally you would not need these flow rules, ether because IPsec VPN load balancing is enabled and these flow rules are skipped or because IPsec VPN load balancing is disabled and all IPsec VPN traffic is just sent to the primary FPC.

 edit 18
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike-natt dst"
    next
    edit 20
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 esp"
    next
    edit 21
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next 
    edit 23
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next