IPsec VPN load balancing
You can use the following command to enable or disable IPsec VPN load balancing:
config load-balance setting
set ipsec-load-balance {disable | enable}
end
By default, IPsec VPN load balancing is enabled and the flow rules listed below are disabled, so IPsec VPN sessions are directed to the DP2 processors and load balanced across the FPMs.
However, with IPsec VPN load balancing enabled, IPsec VPN sessions traveling between two IPsec tunnels will be dropped, because the two IPsec tunnels may be terminated on different FPMs. So if you have traffic entering the FortiGate-7000 from one IPsec VPN tunnel and leaving the FortiGate-7000 through another IPsec VPN tunnel, you need to disable IPsec load balancing:
config load-balance setting
set ipsec-load-balance disable
end
The following flow rules are enabled if IPsec VPN load balancing is disabled:
config load-balance flow-rule
    edit 22
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
end
These flow rules should generally handle all IPsec VPN traffic. You can also adjust them or add your own flow rules if you have an IPsec VPN setup that is not compatible with the default flow rules.
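To check whether a given IPsec flow would be caught by the four default flow rules above, here is an added Python model of the rule matching (example code written for this page, not FortiOS code). It assumes first-match evaluation and inclusive port ranges, and the sample flows at the bottom are constructed, not taken from a real capture.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive low-high, as in "set src-l4port 500-500"

@dataclass
class FlowRule:
    """One 'config load-balance flow-rule' entry, reduced to the fields the page uses."""
    rule_id: int
    ether_type: str
    protocol: str
    src_l4port: Optional[PortRange] = None  # None means "any source port"
    dst_l4port: Optional[PortRange] = None  # None means "any destination port"
    comment: str = ""

    def matches(self, ether_type: str, protocol: str, sport: int, dport: int) -> bool:
        if self.ether_type != ether_type or self.protocol != protocol:
            return False
        if self.src_l4port and not self.src_l4port[0] <= sport <= self.src_l4port[1]:
            return False
        if self.dst_l4port and not self.dst_l4port[0] <= dport <= self.dst_l4port[1]:
            return False
        return True

# The four default rules from the page (edit 22..25), in the order they are listed.
DEFAULT_IPSEC_FLOW_RULES = [
    FlowRule(22, "ipv4", "udp", (500, 500), (500, 500), "ipv4 ike"),
    FlowRule(23, "ipv4", "udp", src_l4port=(4500, 4500), comment="ipv4 ike-natt src"),
    FlowRule(24, "ipv4", "udp", dst_l4port=(4500, 4500), comment="ipv4 ike-natt dst"),
    FlowRule(25, "ipv4", "esp", comment="ipv4 esp"),
]

def first_matching_rule(rules, ether_type, protocol, sport=0, dport=0) -> Optional[int]:
    """Return the id of the first rule matching the flow, or None if no rule does."""
    for rule in rules:
        if rule.matches(ether_type, protocol, sport, dport):
            return rule.rule_id
    return None

def uncovered(rules, flows) -> List[tuple]:
    """Flows (ether_type, protocol, sport, dport) that no rule catches."""
    return [f for f in flows if first_matching_rule(rules, *f) is None]

# Constructed sample flows (assumption: not from any real deployment).
SAMPLE_FLOWS = [
    ("ipv4", "udp", 500, 500),     # IKE, both sides on 500             -> rule 22
    ("ipv4", "udp", 51000, 4500),  # IKE NAT-T from an ephemeral port   -> rule 24
    ("ipv4", "esp", 0, 0),         # ESP, no L4 ports                   -> rule 25
    ("ipv4", "udp", 51000, 500),   # IKE from a non-500 source port     -> no rule
    ("ipv6", "esp", 0, 0),         # IPv6 ESP                           -> no rule
]
```

Running `uncovered(DEFAULT_IPSEC_FLOW_RULES, SAMPLE_FLOWS)` lists the flows that would not be steered by the default rules, which is exactly the case where the page says to adjust them or add your own.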