Handbook

6.0.0

IPsec tunnels

When you use the config system cluster-sync command to enable FGSP, IPsec keys and other runtime data (but not actual tunnel sessions) are synchronized between peers. This means that if one peer goes down, the peer that is still operating can quickly get IPsec tunnels re-established without re-negotiating them. However, after a failover, all existing tunnel sessions on the failed FortiGate have to be restarted on the FortiGates that are still operating.

IPsec tunnel sync supports both static and dialup IPsec tunnels. For IPsec tunnel synchronization to work, the interfaces on the FortiGates that are tunnel endpoints must have the same IP addresses, and external routers must be configured to load balance IPsec tunnel sessions across the FortiGates in the deployment.

Optionally synchronizing IKE routes

You can use the following command to control whether IKE routes are synchronized to all units in the FGSP deployment:

config system cluster-sync
    edit 0
        set slave-add-ike-routes {enable | disable}
    end

Enable to synchronize IKE routes, or disable if you do not need them synchronized. Enabling route synchronization is optional, but it increases synchronization overhead and bandwidth usage. If you have problems with IPsec VPN tunnel synchronization, enabling it may help; otherwise leave it disabled to improve performance and save bandwidth.
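The following is an added example, not part of the Fortinet handbook or FortiOS itself: a small Python check that parses the config dumps of two FGSP peers and reports whether the tunnel endpoint interfaces carry identical IP addresses and whether slave-add-ike-routes is set the same way on both. The config dumps, the interface name port1 and the addresses are constructed samples.

```python
"""Added consistency check for the FGSP IPsec tunnel sync prerequisites.
Two constructed FortiOS config dumps stand in for the peers' config output."""

PEER_A = """
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
    next
end
config system cluster-sync
    edit 1
        set slave-add-ike-routes disable
    next
end
"""
# Constructed: same endpoint IP, but the IKE route sync setting differs.
PEER_B = PEER_A.replace("disable", "enable")


def parse_fortios(text):
    """Minimal parser for the FortiOS config/edit/set/next/end syntax.
    Returns {section: {entry: {setting: value}}}; one nesting level only."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            tree.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            tree[section].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tree[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return tree


def check_fgsp_ipsec_sync(cfg_a, cfg_b, tunnel_ifaces):
    """Return a list of mismatches between two peers; empty means consistent."""
    a, b = parse_fortios(cfg_a), parse_fortios(cfg_b)
    findings = []
    # Tunnel endpoint interfaces must have the same IP address on both peers.
    for name in tunnel_ifaces:
        ip_a = a.get("system interface", {}).get(name, {}).get("ip")
        ip_b = b.get("system interface", {}).get(name, {}).get("ip")
        if ip_a != ip_b:
            findings.append(f"{name}: ip differs ({ip_a} vs {ip_b})")

    # Flag an inconsistent IKE route sync choice (assumption: it should be
    # deliberate and identical on both peers; default when unset is disable).
    def ike_routes(tree):
        entries = list(tree.get("system cluster-sync", {}).values())
        return entries[0].get("slave-add-ike-routes", "disable") if entries else None

    if ike_routes(a) != ike_routes(b):
        findings.append(f"slave-add-ike-routes differs ({ike_routes(a)} vs {ike_routes(b)})")
    return findings


if __name__ == "__main__":
    for finding in check_fgsp_ipsec_sync(PEER_A, PEER_B, ["port1"]):
        print(finding)
```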
