IPsec VPN load balancing changes
On FortiGate-6000 and 7000 for FortiOS 6.4.6, IPsec load balancing is tunnel based. You set the load balancing strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {auto | <FPC-slot/FPM-slot> | master}
    end

master: all tunnels started by this phase 1 terminate on the primary FPM.

auto: the default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPM.

<FPC-slot/FPM-slot>: all tunnels started by this phase 1 terminate on the selected FPC or FPM.

Even if you select master or a specific FPC or FPM, new SAs created by this tunnel are synchronized to all FPCs or FPMs.

Because IPsec load balancing is tunnel based, the following command has been removed:

config load-balance setting
    set ipsec-load-balance {disable | enable}
end
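As an added example (not Fortinet's code), the following script reads a FortiOS CLI config excerpt and reports two things the change above affects: any leftover `set ipsec-load-balance` under `config load-balance setting`, which no longer exists, and the `ipsec-tunnel-slot` value of each phase1-interface entry. The accepted slot-name form (FPC1, FPM3 and the like) and the sample config are assumptions, not taken from the documentation.

```python
# Added example (not Fortinet's code): lint a FortiOS CLI config excerpt for
# the 6.4.6 IPsec load-balancing changes. Assumed: slot names look like FPC1/FPM3.
import re

SLOT_RE = re.compile(r"^FP[CM]\d+$")  # assumed slot-name form, not from the docs

def parse_config(text):
    """Yield (config path, edit name, key, value) per 'set' line, tracking nesting."""
    path, entry = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("config "):
            path.append(line[7:])
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            path.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            yield " ".join(path), entry, key, value

def lint(text):
    """Flag the removed global setting and classify each tunnel's slot value."""
    findings = []
    for path, entry, key, value in parse_config(text):
        if path == "load-balance setting" and key == "ipsec-load-balance":
            findings.append("removed: 'set ipsec-load-balance' (balancing is now per tunnel)")
        elif path == "vpn ipsec phase1-interface" and key == "ipsec-tunnel-slot":
            ok = value in ("auto", "master") or bool(SLOT_RE.match(value))
            findings.append(f"tunnel {entry}: {'terminates on' if ok else 'invalid slot'} {value}")
    return findings

# Constructed sample: the pre-6.4.6 global setting plus two tunnels.
SAMPLE = """config load-balance setting
    set ipsec-load-balance enable
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set ipsec-tunnel-slot master
    next
    edit "to-lab"
        set ipsec-tunnel-slot slot9
    next
end
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Entries that omit `ipsec-tunnel-slot` produce no finding, since they fall back to the default `auto` behaviour.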
IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.4.6 supports the following features:
- Interface-based IPsec VPN (also called route-based IPsec VPN).
- Site-to-Site IPsec VPN.
- Dialup IPsec VPN. The FortiGate-6000 or 7000 can be the dialup server or client.
- Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.
- When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs or FPMs in the FortiGate-6000 or 7000, or in both FortiGate-6000s or 7000s in an HA configuration.
- Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC or FPM.
- When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC or FPM.
- The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.
IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.4.6 has the following limitations:
- Policy-based IPsec VPN tunnels terminated by the FortiGate-6000 or 7000 are not supported.
- Policy routes cannot be used for communication over IPsec VPN tunnels.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
- IPsec SA synchronization between FGSP HA peers is not supported.
- When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configuration that uses a VLAN with VLAN ID = 1 will not work as expected.
- Platforms with DP processors (FortiGate-6000F and FortiGate-7000E) do not support IPsec VPN to remote networks with 0- to 15-bit netmasks.