Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Handbook

FortiGate-6000 IPsec VPN load balancing

Since the FortiGate-6000 does not support IPsec VPN load balancing, the following option should always be disabled:

config load-balance setting

set ipsec-load-balance disable

end

Disabling IPv4 IPsec VPN load balancing in this way enables the following flow rules:

IPv4 IPsec flow rules with ipsec-load-balance disabled
    edit 21
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next

These flow rules should generally handle all IPv4 IPsec VPN traffic. You can also adjust them or add your own flow rules if you have an IPv4 IPsec VPN setup that is not compatible with the default flow rules.

FortiGate-6000 IPsec VPN load balancing

Since the FortiGate-6000 does not support IPsec VPN load balancing, the following option should always be disabled:

config load-balance setting

set ipsec-load-balance disable

end

Disabling IPv4 IPsec VPN load balancing in this way enables the following flow rules:

IPv4 IPsec flow rules with ipsec-load-balance disabled
    edit 21
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next

These flow rules should generally handle all IPv4 IPsec VPN traffic. You can also adjust them or add your own flow rules if you have an IPv4 IPsec VPN setup that is not compatible with the default flow rules.