IPsec VPN load balancing
Since the FortiGate-7000E does not support IPsec VPN load balancing, the following option should always be disabled:
config load-balance setting
set ipsec-load-balance disable
end
Disabling IPsec VPN load balancing sends all IPsec VPN sessions to the primary FPM.
Example IPv4 and IPv6 IPsec VPN flow rules
You can optionally add your own flow rules if you want to handle IPsec VPN sessions differently, for example, you could send IPsec VPN traffic to a different FPM instead of the primary FPM.
The following example IPv4 and IPv6 IPsec VPN flow rules send all IPv4 and IPv6 IPSec VPN traffic to the primary FPM. Normally you would not need these flow rules because IPsec VPN load balancing is disabled and all IPsec VPN traffic is just sent to the primary FPM.
edit 18 set status enable set vlan 0 set ether-type ipv6 set src-addr-ipv6 ::/0 set dst-addr-ipv6 ::/0 set protocol udp set src-l4port 0-0 set dst-l4port 500-500 set action forward set forward-slot master set priority 5 set comment "ipv6 ike" next edit 19 set status enable set vlan 0 set ether-type ipv6 set src-addr-ipv6 ::/0 set dst-addr-ipv6 ::/0 set protocol udp set src-l4port 0-0 set dst-l4port 4500-4500 set action forward set forward-slot master set priority 5 set comment "ipv6 ike-natt dst" next edit 20 set status enable set vlan 0 set ether-type ipv6 set src-addr-ipv6 ::/0 set dst-addr-ipv6 ::/0 set protocol esp set action forward set forward-slot master set priority 5 set comment "ipv6 esp" next edit 21 set status enable set vlan 0 set ether-type ipv4 set src-addr-ipv4 0.0.0.0 0.0.0.0 set dst-addr-ipv4 0.0.0.0 0.0.0.0 set protocol udp set src-l4port 0-0 set dst-l4port 500-500 set action forward set forward-slot master set priority 5 set comment "ipv4 ike" next edit 22 set status enable set vlan 0 set ether-type ipv4 set src-addr-ipv4 0.0.0.0 0.0.0.0 set dst-addr-ipv4 0.0.0.0 0.0.0.0 set protocol udp set src-l4port 0-0 set dst-l4port 4500-4500 set action forward set forward-slot master set priority 5 set comment "ipv4 ike-natt dst" next edit 23 set status enable set vlan 0 set ether-type ipv4 set src-addr-ipv4 0.0.0.0 0.0.0.0 set dst-addr-ipv4 0.0.0.0 0.0.0.0 set protocol esp set action forward set forward-slot master set priority 5 set comment "ipv4 esp" next