IPsec VPN load balancing
Since the FortiGate-7000E does not support IPsec VPN load balancing, the following option should always be disabled:
config load-balance setting
    set ipsec-load-balance disable
end
Disabling IPsec VPN load balancing sends all IPsec VPN sessions to the primary FPM.
Example IPv4 and IPv6 IPsec VPN flow rules
You can optionally add your own flow rules to handle IPsec VPN sessions differently; for example, you could send IPsec VPN traffic to a different FPM instead of the primary FPM.
The following example IPv4 and IPv6 IPsec VPN flow rules send all IPv4 and IPv6 IPsec VPN traffic (IKE on UDP port 500, IKE NAT-T on UDP port 4500, and ESP) to the primary FPM. Normally you would not need these flow rules, because IPsec VPN load balancing is disabled and all IPsec VPN traffic is already sent to the primary FPM.
config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike-natt dst"
    next
    edit 20
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 esp"
    next
    edit 21
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next
end
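The following is an added example, not code from the Fortinet page or from FortiOS: a small Python model of how the six flow rules above classify traffic, so you can check which flows would be pinned to the primary FPM before committing a rule set. The matching semantics are assumptions, not statements from the page: rules are evaluated in ascending priority, a port range of 0-0 matches any port, and a flow that matches no rule is left to normal load balancing (represented here as None). The sample flows and their addresses are constructed.

```python
"""Added example, not code from the Fortinet page or from FortiOS: a model of how
the six IPsec flow rules (edit 18-23) classify traffic. Assumed semantics, not stated
on the page: rules are tried in ascending priority, a port range of "0-0" matches
any port, and a flow matching no rule falls through to normal load balancing."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    """One 'edit N' entry under 'config load-balance flow-rule'."""
    ether_type: str      # "ipv4" or "ipv6"
    protocol: str        # "udp", "tcp", "esp", ...
    dst_l4port: str      # "lo-hi"; "0-0" = any (assumption)
    forward_slot: str    # "master" = the primary FPM
    priority: int
    comment: str
    src_addr: str        # FortiOS form: "0.0.0.0 0.0.0.0" (IPv4) or "::/0" (IPv6)
    dst_addr: str
    src_l4port: str = "0-0"


@dataclass(frozen=True)
class Flow:
    """A constructed sample flow to classify."""
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None   # None for ESP, which carries no L4 ports
    src_port: Optional[int] = None

    @property
    def ether_type(self) -> str:
        return "ipv6" if ipaddress.ip_address(self.src).version == 6 else "ipv4"


def port_in_range(port: Optional[int], spec: str) -> bool:
    lo, hi = (int(p) for p in spec.split("-"))
    if (lo, hi) == (0, 0):           # assumed wildcard
        return True
    return port is not None and lo <= port <= hi


def addr_in(addr: str, spec: str) -> bool:
    # IPv4 rules use "address netmask"; IPv6 rules use CIDR. Both become a network.
    net_spec = "/".join(spec.split()) if " " in spec else spec
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net_spec, strict=False)


def matches(rule: FlowRule, flow: Flow) -> bool:
    return (rule.ether_type == flow.ether_type      # checked first: keeps addr math same-family
            and rule.protocol == flow.protocol
            and addr_in(flow.src, rule.src_addr)
            and addr_in(flow.dst, rule.dst_addr)
            and port_in_range(flow.src_port, rule.src_l4port)
            and port_in_range(flow.dst_port, rule.dst_l4port))


def select_slot(rules, flow: Flow) -> Optional[str]:
    """Return the forward-slot of the first matching rule by priority, else None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.forward_slot
    return None


ANY4, ANY6 = "0.0.0.0 0.0.0.0", "::/0"
# The six rules from the page (edit 18-23), in the same order.
IPSEC_RULES = [
    FlowRule("ipv6", "udp", "500-500",   "master", 5, "ipv6 ike",          ANY6, ANY6),
    FlowRule("ipv6", "udp", "4500-4500", "master", 5, "ipv6 ike-natt dst", ANY6, ANY6),
    FlowRule("ipv6", "esp", "0-0",       "master", 5, "ipv6 esp",          ANY6, ANY6),
    FlowRule("ipv4", "udp", "500-500",   "master", 5, "ipv4 ike",          ANY4, ANY4),
    FlowRule("ipv4", "udp", "4500-4500", "master", 5, "ipv4 ike-natt dst", ANY4, ANY4),
    FlowRule("ipv4", "esp", "0-0",       "master", 5, "ipv4 esp",          ANY4, ANY4),
]

# Constructed sample flows using documentation address ranges, not real peers.
SAMPLE_FLOWS = {
    "ipv4 ike":   Flow("203.0.113.10", "198.51.100.1", "udp", dst_port=500, src_port=500),
    "ipv4 nat-t": Flow("203.0.113.10", "198.51.100.1", "udp", dst_port=4500, src_port=4500),
    "ipv4 esp":   Flow("203.0.113.10", "198.51.100.1", "esp"),
    "ipv4 https": Flow("203.0.113.10", "198.51.100.1", "tcp", dst_port=443, src_port=51234),
    "ipv6 ike":   Flow("2001:db8::10", "2001:db8::1", "udp", dst_port=500, src_port=500),
    "ipv6 dns":   Flow("2001:db8::10", "2001:db8::1", "udp", dst_port=53, src_port=40000),
}


def classify_samples():
    """Map each sample flow name to the slot it would be forwarded to (None = load balanced)."""
    return {name: select_slot(IPSEC_RULES, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, slot in classify_samples().items():
        print(f"{name:12s} -> {slot or 'default load balancing'}")
```

Running the block shows the three IPsec components (IKE, NAT-T, ESP) of both address families landing on the master slot while HTTPS and DNS fall through to ordinary load balancing. Changing `forward_slot` on a rule models the customisation the page mentions (sending IPsec to a different FPM); the model does not reproduce the FPM forwarding engine itself, only the rule-matching logic as assumed above.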