FortiGate-7000 Release Notes

IPsec VPN load balancing changes

On the FortiGate-6000 and 7000 running FortiOS 6.4.6, IPsec load balancing is tunnel based. You can set the load balancing strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {auto | <FPC-slot/FPM-slot> | master}
    end

master: All tunnels started by this phase 1 terminate on the primary FPM.

auto: The default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPM.

<FPC-slot/FPM-slot>: All tunnels started by this phase 1 terminate on the selected FPC or FPM.

Even if you select master or a specific FPC or FPM, new SAs created by this tunnel are synchronized to all FPCs or FPMs.

Note

Because IPsec load balancing is tunnel based, the following command has been removed:

config load-balance setting
    set ipsec-load-balance {disable | enable}
end

IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.4.6 supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate-6000 or 7000 can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs or FPMs in the FortiGate-6000 or 7000, or in both FortiGate-6000s or 7000s in an HA configuration.

  • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC or FPM.

  • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC or FPM.

  • The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.
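The following is an added pre-upgrade check, not Fortinet code: it reads a FortiOS-style config text, records each phase1-interface's ipsec-tunnel-slot, flags the global ipsec-load-balance command removed in 6.4.6, and reports tunnel pairs that must exchange traffic (inter-tunnel or cross-VRF) but are not pinned to the same FPC/FPM, since auto hashes each tunnel independently. The sample config and the slot spellings (FPM3, tunnel names) are constructed assumptions; check them against your platform's own option list.

```python
import re

# Constructed sample FortiOS config (not from a real device); slot spellings are assumed.
SAMPLE_CONFIG = """\
config load-balance setting
    set ipsec-load-balance enable
end
config vpn ipsec phase1-interface
    edit "hub-dc1"
        set ipsec-tunnel-slot FPM3
    next
    edit "hub-dc2"
        set ipsec-tunnel-slot auto
    next
    edit "branch-dialup"
        set ipsec-tunnel-slot master
    next
end
"""

def parse_tunnel_slots(cfg):
    """Map each phase1-interface name to its ipsec-tunnel-slot (auto when unset)."""
    slots = {}
    block = re.search(r"config vpn ipsec phase1-interface\n(.*?)\nend", cfg, re.S)
    if block is None:
        return slots
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        name, body = entry.groups()
        m = re.search(r"set ipsec-tunnel-slot (\S+)", body)
        slots[name] = m.group(1) if m else "auto"
    return slots

def uses_removed_command(cfg):
    """True if the config still sets the global ipsec-load-balance option removed in 6.4.6."""
    return re.search(r"^\s*set ipsec-load-balance\s", cfg, re.M) is not None

def co_termination_issues(slots, pairs):
    """Tunnel pairs that must pass traffic to each other (inter-tunnel or cross-VRF)
    have to terminate on the same FPC/FPM. 'auto' hashes each tunnel independently,
    so it gives no such guarantee; differing explicit slots are flagged conservatively."""
    issues = []
    for a, b in pairs:
        sa, sb = slots.get(a, "auto"), slots.get(b, "auto")
        if "auto" in (sa, sb) or sa != sb:
            issues.append((a, sa, b, sb))
    return issues
```

Feed it the output of show vpn ipsec phase1-interface plus the load-balance section, and list the tunnel pairs your routing or VRF design requires to talk to each other.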

IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.4.6 has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate-6000 or 7000 are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • Platforms with DP processors (FortiGate-6000F and FortiGate-7000E) do not support IPsec VPN to remote networks with 0- to 15-bit netmasks.
