Fortinet black logo

FortiGate-7000 Handbook

Home FortiGate-7000 5.4.9 FortiGate-7000 Handbook
5.4.9
6.2.3
6.0.10
6.0.9
6.0.8
6.0.6
6.0.4
5.6.14
5.6.12
5.6.11
5.6.7
5.4.9

IPsec VPN load balancing

IPsec VPN load balancing

You can use the following command to enable or disable IPsec VPN load balancing:

config load-balance setting

config ipsec-load-balance {disable | enable}

end

By default IPsec VPN load balancing is enabled and the flow rules listed below are disabled. So the IPsec VPN sessions is directed to the DP2 processors and load balanced to the FPMs.

However, IPsec VPN load balancing enabled, IPsec VPN sessions traveling between two IPsec tunnels will be dropped because the two IPsec tunnels may be terminated on different FPMs. So if you have traffic entering the FortiGate-7000 from one IPsec VPN tunnel and leaving the FortiGate-7000 out another IPsec VPN tunnel you need to disable IPsec load balancing:

config load-balance setting

config ipsec-load-balance disable

end

The following flow rules are enabled if IPsec VPN load balancing is disabled:

config load-balance flow-rule
    edit 22
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
end

These flow rules should generally handle all IPsec VPN traffic. You can also adjust them or add your own flow rules if you have an IPsec VPN setup that is not compatible with the default flow rules.

Previous
Next

IPsec VPN load balancing

You can use the following command to enable or disable IPsec VPN load balancing:

config load-balance setting

config ipsec-load-balance {disable | enable}

end

By default IPsec VPN load balancing is enabled and the flow rules listed below are disabled. So the IPsec VPN sessions is directed to the DP2 processors and load balanced to the FPMs.

However, IPsec VPN load balancing enabled, IPsec VPN sessions traveling between two IPsec tunnels will be dropped because the two IPsec tunnels may be terminated on different FPMs. So if you have traffic entering the FortiGate-7000 from one IPsec VPN tunnel and leaving the FortiGate-7000 out another IPsec VPN tunnel you need to disable IPsec load balancing:

config load-balance setting

config ipsec-load-balance disable

end

The following flow rules are enabled if IPsec VPN load balancing is disabled:

config load-balance flow-rule
    edit 22
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
end

These flow rules should generally handle all IPsec VPN traffic. You can also adjust them or add your own flow rules if you have an IPsec VPN setup that is not compatible with the default flow rules.

Previous
Next