FortiGate-6000 IPsec VPN
The FortiGate-6000 uses SLBC load balancing to select an FPC to terminate traffic for a new IPsec VPN tunnel instance, and all traffic for that tunnel instance is then terminated on the same FPC.
config vpn ipsec phase1-interface
edit <name>
set ipsec-tunnel-slot {auto | FPC1 | FPC2 | FPC3 | FPC4 | FPC5 | FPC6 | FPC7 | FPC8 | FPC9 | FPC10 | master}
end
You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPC5:
config vpn ipsec phase1-interface
edit <name>
set ipsec-tunnel-slot FPC5
end
FortiGate-6000 IPsec VPN supports the following features:
- Interface-based IPsec VPN (also called route-based IPsec VPN).
- Site-to-Site IPsec VPN.
- Dialup IPsec VPN. The FortiGate-6000 can be the dialup server or client.
- Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.
- When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs in the FortiGate-6000, or in both FortiGate-6000s in an HA configuration.
- Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC.
- When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC.
FortiGate-6000 IPsec VPN has the following limitations:
- Policy-based IPsec VPN tunnels terminated by the FortiGate-6000 are not supported.
- Policy routes cannot be used for communication over IPsec VPN tunnels.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
- IPsec SA synchronization between FGSP HA peers is not supported.
- When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configuration that uses a VLAN with VLAN ID = 1 will not work as expected.
- The FortiGate-6000, because it uses DP processors for SLBC, does not support IPsec VPN to remote networks with 0- to 15-bit netmasks.
- UDP-encapsulated ESP (UESP) sessions that use the normal IKE port (port 4500) are load balanced by the DP3 processor in the same way as normal IPsec traffic. You can use the ipsec-tunnel-slot option when creating a phase 1 configuration to control how UESP tunnels are load balanced. However, if UESP sessions use a custom IKE port, the DP3 processor does not handle them as IPsec packets. Instead, they are load balanced by the DP3 processor in the same way as any other traffic. If required, you can adjust load balance settings or add a flow rule for UESP sessions using a custom IKE port.
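The following is an added pre-deployment check, not Fortinet code, that reads a phase 1 configuration in the CLI form shown above and reports three of the constraints on this page: an ipsec-tunnel-slot value outside the documented set, tunnel pairs that must exchange traffic (including across VRFs) but are not pinned to the same FPC, and remote networks with a netmask shorter than 16 bits. The sample configuration, the tunnel names, and the remote-network list are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample in FortiOS CLI style (not captured from a real unit).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "hq-to-branch1"
        set ipsec-tunnel-slot FPC5
    next
    edit "hq-to-branch2"
        set ipsec-tunnel-slot FPC6
    next
    edit "dialup-users"
        set ipsec-tunnel-slot FPC11
    next
end
"""
# Values the page documents for ipsec-tunnel-slot.
VALID_SLOTS = {"auto", "master"} | {f"FPC{i}" for i in range(1, 11)}


def parse_phase1(text):
    """Map each phase 1 name to its ipsec-tunnel-slot ('auto' when unset)."""
    tunnels, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'edit\s+"?([^"]+?)"?', line):
            name = m.group(1)
            tunnels[name] = "auto"
        elif name and (m := re.fullmatch(r"set ipsec-tunnel-slot\s+(\S+)", line)):
            tunnels[name] = m.group(1)
        elif line == "next":
            name = None
    return tunnels


def check_config(tunnels, inter_tunnel_pairs, remote_networks):
    """Return findings against the FortiGate-6000 IPsec VPN constraints."""
    findings = []
    for name, slot in tunnels.items():
        if slot not in VALID_SLOTS:
            findings.append(f"{name}: unknown ipsec-tunnel-slot '{slot}'")
    # Tunnel-to-tunnel traffic needs both tunnels on one FPC; 'auto' lets
    # SLBC pick a different FPC per tunnel instance, so it is flagged too.
    for a, b in inter_tunnel_pairs:
        sa, sb = tunnels.get(a), tunnels.get(b)
        if sa != sb or sa in (None, "auto"):
            findings.append(f"{a}<->{b}: must be pinned to the same FPC")
    # Remote networks with 0- to 15-bit netmasks are not supported.
    for name, net in remote_networks:
        if ipaddress.ip_network(net, strict=False).prefixlen < 16:
            findings.append(f"{name}: remote network {net} mask shorter than /16")
    return findings
```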