Configuring IPsec VPN load balancing
FortiGate 7000F IPsec load balancing is tunnel based. You can set the load balance strategy for each tunnel when configuring phase1-interface
options:
config vpn ipsec phase1-interface
edit <name>
set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}
end
auto
the default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip
and dst-ip
hash result. All traffic for a given tunnel instance is processed by the same FPM.
FPM3
to FPM12
all tunnels started by this phase 1 terminate on the selected FPM.
master
all tunnels started by this phase 1 terminate on the primary FPM.
Even if you select master
or a specific FPM, new SAs created by this tunnel are synchronized to all FPMs.
If the IPsec interface includes dynamic routing, the ipsec-tunnel-slot
option is ignored and all tunnels are terminated on the primary FPM.