
FortiGate-6000 and FortiGate-7000 Release Notes

IPsec VPN load balancing changes


In FortiOS 6.2.6, IPsec VPN load balancing on the FortiGate-6000 and 7000 is tunnel based. You can set the load balancing strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {master | auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12}
end

master: all tunnels started by this phase 1 terminate on the primary FPM.

auto: the default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPM.

FPM3 to FPM12: all tunnels started by this phase 1 terminate on the selected FPM.

Even if you select master or a specific FPM, new SAs created by this tunnel are synchronized to all FPMs.

If the IPsec interface includes dynamic routing, the ipsec-tunnel-slot option is ignored and all tunnels are terminated on the primary FPC or FPM.

Note

Because IPsec load balancing is tunnel based, the following command has been removed:

config load-balance setting
    set ipsec-load-balance {disable | enable}
end
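A pre-upgrade check for saved configurations and CLI scripts, added here as an example (it is not Fortinet code): it reports the ipsec-tunnel-slot in effect for each phase 1 interface and flags any use of the removed ipsec-load-balance command. The sample configuration and tunnel names are constructed, and the backup layout (quoted names, next between entries) is an assumption.

```python
import re

VALID_SLOTS = {"master", "auto"} | {f"FPM{n}" for n in range(3, 13)}

# Constructed sample in FortiOS backup style; tunnel names are made up.
SAMPLE = '''\
config load-balance setting
    set ipsec-load-balance disable
end
config vpn ipsec phase1-interface
    edit "branch-a"
        set ipsec-tunnel-slot FPM4
    next
    edit "branch-b"
        set interface "port2"
    next
end
'''

def audit(config_text):
    """Return ({tunnel: slot}, [findings]) for a config backup or CLI script."""
    slots, findings, stack, tunnel = {}, [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])   # nested blocks push deeper
        elif line == "end" and stack:
            stack.pop()
            tunnel = None
        elif len(stack) != 1:
            continue                               # skip nested sub-tables
        elif stack[0] == "load-balance setting":
            if line.startswith("set ipsec-load-balance"):
                findings.append("removed command present: " + line)
        elif stack[0] == "vpn ipsec phase1-interface":
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                tunnel = m.group(1)
                slots[tunnel] = "auto"             # the page gives auto as the default
            elif line == "next":
                tunnel = None
            elif tunnel and line.startswith("set ipsec-tunnel-slot "):
                slots[tunnel] = slot = line.split()[2]
                if slot not in VALID_SLOTS:
                    findings.append(f"{tunnel}: unknown slot {slot}")
    return slots, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```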
