Technical Note: IPsec in SLBC
This article addresses IPsec support in SLBC.
Scope
FortiController v5.2 / FortiGate v5.2 or later.
Solution
If the SLBC is acting as the IPsec termination point, IPsec load balancing is not supported. All IPsec traffic should be sent to the ELBC master; otherwise IPsec will experience issues.
The FortiController configuration should be:
config load-balance session-setup
set ipsec-session forward-to-master
end
If NAT-T (UDP Port 4500) is expected, the following configuration needs to be applied as well, so that all UDP 4500 will be sent to the ELBC master:
config load-balance protocol-pin
set ike-natt-mode enable
end
If the SLBC is not acting as the IPsec termination point, that is, the SLBC only passes IPsec traffic through, it is possible to balance IPsec traffic amongst the worker blades using the following configuration:
config load-balance session-setup
set ipsec-session load-balance
set load-distribution-method src-dst-ip
end
Note that the load-distribution-method must be L3 based (src-dst-ip or src-ip or dst-ip).
All of the above settings affect the whole SLBC cluster.
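The two constraints above (IPsec load balancing needs an L3 load-distribution-method; a termination cluster that expects NAT-T needs ike-natt-mode enabled) are easy to get wrong when a configuration is edited by hand. The following is an added example, not Fortinet tooling, of a small validator that parses the `config ... / set ... / end` blocks from a FortiController configuration export and reports which of the note's rules a given configuration violates. The sample configurations embedded in it are constructed for the example; the value `src-dst-ip-sport-dport` used in the failing sample is assumed to be a non-L3 distribution method and is there only to exercise the check.

```python
"""Check FortiController SLBC IPsec settings against the rules in this note.

Added example (not Fortinet's own code). Parses flat `config ... end` blocks,
which is all this note's configuration uses, and checks:
  1. `set ipsec-session load-balance` must be paired with an L3
     load-distribution-method (src-dst-ip, src-ip or dst-ip).
  2. `set ipsec-session forward-to-master`, when NAT-T (UDP 4500) is
     expected, must be paired with `set ike-natt-mode enable` under
     `config load-balance protocol-pin`.
"""
from typing import Dict, List

# The L3 methods the note names as valid for IPsec load balancing.
L3_METHODS = {"src-dst-ip", "src-ip", "dst-ip"}


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {block name: {key: value}} for each flat `config ... end` block."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            current = line[len("config "):]
            blocks.setdefault(current, {})
        elif line == "end":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)          # "set", key, value
            if len(parts) == 3:
                blocks[current][parts[1]] = parts[2]
    return blocks


def check_ipsec_settings(text: str, natt_expected: bool) -> List[str]:
    """Return a list of findings; an empty list means the config follows the note."""
    cfg = parse_config(text)
    setup = cfg.get("load-balance session-setup", {})
    pin = cfg.get("load-balance protocol-pin", {})
    findings: List[str] = []
    mode = setup.get("ipsec-session")
    if mode == "load-balance":
        # Passthrough case: the distribution method must be L3 based.
        method = setup.get("load-distribution-method")
        if method not in L3_METHODS:
            findings.append(
                f"ipsec-session load-balance requires an L3 load-distribution-method "
                f"(src-dst-ip, src-ip or dst-ip), got {method!r}")
    elif mode == "forward-to-master":
        # Termination case: NAT-T traffic must also go to the master.
        if natt_expected and pin.get("ike-natt-mode") != "enable":
            findings.append(
                "NAT-T expected but ike-natt-mode is not enabled under "
                "config load-balance protocol-pin")
    else:
        findings.append(f"ipsec-session is {mode!r}; expected "
                        "forward-to-master or load-balance")
    return findings


# Constructed sample exports for the example.
TERMINATION_WITH_NATT = """
config load-balance session-setup
set ipsec-session forward-to-master
end
config load-balance protocol-pin
set ike-natt-mode enable
end
"""

TERMINATION_NO_NATT_PIN = """
config load-balance session-setup
set ipsec-session forward-to-master
end
"""

PASSTHROUGH_OK = """
config load-balance session-setup
set ipsec-session load-balance
set load-distribution-method src-dst-ip
end
"""

PASSTHROUGH_BAD = """
config load-balance session-setup
set ipsec-session load-balance
set load-distribution-method src-dst-ip-sport-dport
end
"""

if __name__ == "__main__":
    for name, cfg, natt in [("termination+natt", TERMINATION_WITH_NATT, True),
                            ("termination, natt missing", TERMINATION_NO_NATT_PIN, True),
                            ("passthrough ok", PASSTHROUGH_OK, False),
                            ("passthrough bad", PASSTHROUGH_BAD, False)]:
        print(name, "->", check_ipsec_settings(cfg, natt) or "OK")
```

Run it against a saved `show` output from the FortiController; a non-empty result for the passthrough case means the cluster will not balance IPsec as the note describes, and a finding for the termination case means UDP 4500 traffic may be spread across blades instead of reaching the master.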
