Fortinet black logo

FortiGate-6000 Handbook

IPsec VPN load balancing

IPsec VPN load balancing

FortiGate-6000 IPsec load balancing is tunnel based. You can set the load balance strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPC1 | FPC2 | FPC3 | FPC4 | FPC5 | FPC6 | FPC7 | FPC8 | FPC9 | FPC10 | master}

end

auto the default setting. All tunnels started by this phase 1 are load balanced to an FPC slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPC.

FPC1 to FPC10 all tunnels started by this phase 1 terminate on the selected FPC. For the FortiGate-6300F and 6301F the options are FPC1 to FPC6.

master all tunnels started by this phase 1 terminate on the primary FPC.

Even if you select master or a specific FPC, new SAs created by this tunnel are synchronized to all FPCs.

IPsec VPN load balancing

FortiGate-6000 IPsec load balancing is tunnel based. You can set the load balance strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPC1 | FPC2 | FPC3 | FPC4 | FPC5 | FPC6 | FPC7 | FPC8 | FPC9 | FPC10 | master}

end

auto the default setting. All tunnels started by this phase 1 are load balanced to an FPC slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPC.

FPC1 to FPC10 all tunnels started by this phase 1 terminate on the selected FPC. For the FortiGate-6300F and 6301F the options are FPC1 to FPC6.

master all tunnels started by this phase 1 terminate on the primary FPC.

Even if you select master or a specific FPC, new SAs created by this tunnel are synchronized to all FPCs.