pywong
Staff & Editor
April 11, 2019

Technical Tip: Direct IPSEC traffic to be handled by master ELBC at FortiController in SLBC


Description
This article describes the flow-rule configuration needed to direct IPsec VPN traffic to the master ELBC (primary worker) of a FortiController SLBC cluster, for the two scenarios below:

   i.  IPsec VPN traffic terminating at the FortiGate
   ii. IPsec VPN traffic passing through the FortiGate


Solution
To direct IPSec VPN traffic to primary worker, flow rules are required in place.

For IPsec VPN traffic terminating at Fortigate:

The flow rules below shall force ESP and UDP traffic destined to Fortigate IP to primary worker

config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <FGT-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end


For IPsec VPN traffic passing through the FortiGate:

The flow rules below force all ESP traffic arriving on the source interface, and UDP traffic destined to the VPN server IP, to the primary worker (forward-slot 0):

config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <VPN-Server-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
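The two rule sets above are easy to get subtly wrong when typed by hand (an entry without `next`, a UDP rule whose destination does not match the address actually in use, a forward action with no slot). The script below is an added example, not part of this article or of any Fortinet tooling: it parses FortiController-style `config / edit / set / next / end` text and checks that both an ESP rule and a UDP rule for the given address are pinned to the primary worker. The sample configuration, the interface name `f1` and the address `192.0.2.10` (an RFC 5737 documentation address standing in for `<FGT-IP>`) are constructed for the example; the parser only handles the single flat table used in this article.

```python
"""Check FortiController-style flow rules that pin IPsec traffic to one slot.

Added example for the article above; it is not Fortinet code. It parses the
flat 'config ... edit ... set ... next ... end' layout the article uses and
verifies that ESP and UDP-to-target rules both forward to the primary worker.
"""

# Constructed sample: the article's 'terminating at FortiGate' rules with the
# placeholders filled in (interface f1, RFC 5737 address for <FGT-IP>).
SAMPLE_CONFIG = """
config switch fabric-channel flow-rule
    edit 0
        set src-interface f1
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface f1
        set ether-type ipv4
        set dst-addr-ipv4 192.0.2.10
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
"""


def parse_flow_rules(text):
    """Return one dict per 'edit' entry, mapping each 'set' key to its value.

    Raises ValueError on structural mistakes such as a missing 'next', which
    would silently merge two entries when pasted into the CLI.
    """
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("config "):
            continue
        if line.startswith("edit "):
            if current is not None:
                raise ValueError("'edit' found before the previous entry was closed with 'next'")
            current = {"id": line.split(None, 1)[1]}
        elif line.startswith("set "):
            if current is None:
                raise ValueError("'set' outside of an 'edit' block")
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip()
        elif line == "next":
            if current is None:
                raise ValueError("'next' without an open 'edit' block")
            rules.append(current)
            current = None
        elif line == "end":
            if current is not None:
                raise ValueError("'end' reached with an unclosed 'edit' block")
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return rules


def check_ipsec_pinning(rules, target_ip, slot="0"):
    """Return a list of findings; an empty list means the rule set is complete.

    A rule counts as 'pinned' when it has action forward and forward-slot == slot.
    We need one pinned ESP rule and one pinned UDP rule whose dst-addr-ipv4 is
    target_ip, mirroring the two entries the article configures.
    """
    findings = []
    esp_pinned = udp_pinned = False
    for idx, rule in enumerate(rules, start=1):
        if rule.get("action") == "forward" and "forward-slot" not in rule:
            findings.append(f"rule #{idx}: action forward but no forward-slot set")
            continue
        pinned = rule.get("action") == "forward" and rule.get("forward-slot") == slot
        if rule.get("protocol") == "esp" and pinned:
            esp_pinned = True
        if (rule.get("protocol") == "udp"
                and rule.get("dst-addr-ipv4") == target_ip and pinned):
            udp_pinned = True
    if not esp_pinned:
        findings.append(f"no ESP rule forwarding to slot {slot}")
    if not udp_pinned:
        findings.append(f"no UDP rule for {target_ip} forwarding to slot {slot}")
    return findings


if __name__ == "__main__":
    parsed = parse_flow_rules(SAMPLE_CONFIG)
    for problem in check_ipsec_pinning(parsed, "192.0.2.10") or ["OK: ESP and UDP pinned to slot 0"]:
        print(problem)
```

Run it against the output of `show switch fabric-channel flow-rule` copied from the FortiController; pass the FortiGate address for the terminating case or the VPN server address for the pass-through case as `target_ip`.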