FortiGate
ssudhakar
Staff
Article Id 202624
Description

This article describes the changes in the IPSec load-balance setting from v6.2.6/6.4.6 onwards.

 

Up to v6.2.4/v6.4.2, IPSec load-balancing was a global setting, enabled by default on the FortiGate 6000 series and disabled by default on the FortiGate 7000 series, and it was configured under the load-balance setting as below.

 

config load-balance setting
    set ipsec-load-balance {disable | enable}
end

 

From v6.2.6/6.4.6, IPSec load balancing is tunnel-based: the load-balance strategy is set per tunnel with the ipsec-tunnel-slot option of the phase1-interface configuration:

 

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {master | auto | FPM3 | FPM4 | FPM5 | FPM6}
    next
end

 

When upgrading to v6.2.6/6.4.6 from any older version, the IPSec load-balance configuration is expected to migrate according to the user's existing setting. Users might run into upgrade issues when v6.2.6, v6.2.7 or v6.4.2 is used as an intermediate version on the way to a higher release; it is recommended to use v6.2.9 as the interim version.

Scope

FortiGate 6000/7000 series, v6.2.6/6.4.6 onwards.

Solution
  • If the ipsec-load-balance setting was disabled before the upgrade, then after upgrading to 6.2.6/6.4.6 or later the ipsec-tunnel-slot should be changed to master under the IPsec phase1-interface config.

 

Version 6.0 until 6.2.4:

config load-balance setting
    set ipsec-load-balance disable
end

Version 6.2.6/6.4.6 onwards:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot master
    next
end

 

  • If the ipsec-load-balance setting was enabled before the upgrade, then after upgrading to 6.2.6/6.4.6 or later the ipsec-tunnel-slot should be changed to auto under the IPsec phase1-interface config.

 

Version 6.0 until 6.2.4:

config load-balance setting
    set ipsec-load-balance enable
end

Version 6.2.6/6.4.6 onwards:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot auto
    next
end


  • If IPSec traffic is not working as expected after the upgrade, check the ipsec-tunnel-slot setting of the affected tunnels first.

 

Upgrade path:

If a user is planning to upgrade to 6.4.6, use 6.2.9 as the intermediate version and avoid v6.4.2, as that version currently has a few known issues with IPsec load-balancing.

 

Reference: IPsec VPN load balancing changes.

 

To see the slot selected for IPsec load balancing, the 'diagnose vpn ike gateway list name <name>' or 'diagnose vpn tunnel list name <name>' commands can be used:

 

diagnose vpn ike gateway list name VPN_AWS | grep "IPSec LB"
IPSec LB:IKE-proxy  esp-worker: FPC04  

diagnose vpn ike gateway list name p1-outside | grep "IPSec LB"
IPsec LB: esp_worker=FPC04 esp_assist_last_sent=0

 

The above output shows that FPC04 is the slot used for IPsec load balancing of these tunnels.

Also, under 'config load-balance flow-rule', the default rule for ESP traffic should be deleted (or at least disabled) if 'ipsec-tunnel-slot' is set to a specific FPC (anything other than master). Otherwise ESP traffic may not work properly, because the flow rule and the tunnel send it to different slots:

 

config load-balance flow-rule
    edit 25
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master    <---
        set priority 5
        set comment "ipv4 esp"
    next
end
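The following script is an added post-upgrade check, not part of this article or of FortiOS: it parses saved 'show' output of the kind quoted above with a minimal reader for the flat config / edit / set / next / end layout, applies the migration rule from the Solution section (ipsec-load-balance disable should become ipsec-tunnel-slot master, enable should become auto), flags the ESP flow-rule conflict just described, and extracts the ESP worker slot from the 'IPSec LB' line of 'diagnose vpn ike gateway list'. The configs embedded in it are constructed samples; the tunnel names are borrowed from the diagnose output shown earlier, but their slot values and the flow-rule status default are assumptions.

```python
import re
from typing import Dict, List, Optional

ConfigTree = Dict[str, Dict[str, Dict[str, str]]]

# Constructed sample of the pre-upgrade (v6.2.4 and earlier) global switch.
OLD_SETTING = """
config load-balance setting
    set ipsec-load-balance disable
end
"""

# Constructed sample of a post-upgrade (v6.2.6/6.4.6+) config: two tunnels and the
# default ESP flow rule. Tunnel names come from the article's diagnose output;
# their ipsec-tunnel-slot values are assumed for this demonstration.
NEW_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN_AWS"
        set ipsec-tunnel-slot FPM3
    next
    edit "p1-outside"
        set ipsec-tunnel-slot master
    next
end
config load-balance flow-rule
    edit 25
        set status enable
        set ether-type ipv4
        set protocol esp
        set action forward
        set forward-slot master
        set comment "ipv4 esp"
    next
end
"""


def parse_fortios(text: str) -> ConfigTree:
    """Read the flat 'config / edit / set / next / end' shape into {section: {entry: {key: value}}}.
    Settings directly under 'config' (no 'edit') are stored under the entry name ''.
    Nested 'config' blocks inside an 'edit' are not handled; these snippets do not need them."""
    tree: ConfigTree = {}
    section, entry = "", ""
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""
            tree.setdefault(section, {})
        elif tok[0] == "edit":
            entry = " ".join(tok[1:]).strip('"')
            tree.setdefault(section, {}).setdefault(entry, {})
        elif tok[0] == "set" and len(tok) >= 3:
            tree.setdefault(section, {}).setdefault(entry, {})[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next":
            entry = ""
        elif tok[0] == "end":
            section, entry = "", ""
    return tree


def expected_tunnel_slot(old_setting: str, platform_default: str = "disable") -> str:
    """Map the old global switch to the per-tunnel value the upgrade should produce
    (disable -> master, enable -> auto). platform_default covers a config in which the
    switch was never set: enabled on the 6000 series, disabled on the 7000 series."""
    tree = parse_fortios(old_setting)
    value = tree.get("load-balance setting", {}).get("", {}).get("ipsec-load-balance", platform_default)
    return "auto" if value == "enable" else "master"


def check_migration(old_setting: str, new_config: str, platform_default: str = "disable") -> List[str]:
    """Report tunnels whose ipsec-tunnel-slot differs from what the migration should have set."""
    want = expected_tunnel_slot(old_setting, platform_default)
    findings = []
    for name, cfg in parse_fortios(new_config).get("vpn ipsec phase1-interface", {}).items():
        slot = cfg.get("ipsec-tunnel-slot", "<unset>")
        if name and slot != want:
            findings.append(f"{name}: ipsec-tunnel-slot is {slot}, migration should have set {want}")
    return findings


def check_esp_flow_rule(new_config: str) -> List[str]:
    """Flag an enabled ESP flow rule forwarding to master while a tunnel is pinned to a
    specific FPM/FPC slot (anything other than master or auto). A rule without an
    explicit 'set status' is assumed enabled."""
    tree = parse_fortios(new_config)
    pinned = [n for n, c in tree.get("vpn ipsec phase1-interface", {}).items()
              if n and c.get("ipsec-tunnel-slot", "master") not in ("master", "auto")]
    if not pinned:
        return []
    findings = []
    for rule_id, rule in tree.get("load-balance flow-rule", {}).items():
        if (rule_id and rule.get("protocol") == "esp" and rule.get("status", "enable") == "enable"
                and rule.get("forward-slot") == "master"):
            findings.append(f"flow-rule {rule_id}: ESP forwarded to master while {', '.join(pinned)} "
                            f"pinned to another slot; disable or delete the rule")
    return findings


def esp_worker_slot(diag_output: str) -> Optional[str]:
    """Extract the slot from the 'IPSec LB' line of 'diagnose vpn ike gateway list'.
    Both spellings seen in the article ('esp-worker: FPC04', 'esp_worker=FPC04') are accepted."""
    m = re.search(r"esp[-_]worker[:=]\s*(\S+)", diag_output, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in check_migration(OLD_SETTING, NEW_CONFIG) + check_esp_flow_rule(NEW_CONFIG):
        print(line)
    print("ESP worker slot:", esp_worker_slot("IPsec LB: esp_worker=FPC04 esp_assist_last_sent=0"))
```

Run it against the constructed samples and it reports VPN_AWS as differing from the migrated value and flow-rule 25 as conflicting with that pinned tunnel, while p1-outside passes; swap in real 'show' output and the diagnose line to check a chassis after an upgrade.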


Special note on IPsec tunnels sourced from a virtual interface such as a loopback or npu-link interface.

 

Case 1: If the user had IPsec tunnel load-balance disabled before the upgrade, the upgrade procedure automatically sets the tunnel to master. IPsec tunnels on the virtual interface should work fine if the ESP and UDP 4500 flow rules were already configured before the upgrade. If there were no such flow rules before the upgrade, create them manually after the upgrade.

 

Case 2: If the user had IPsec tunnel load-balance enabled before the upgrade, the upgrade procedure automatically sets the tunnel to auto. IPsec tunnels on the virtual interface should work fine if no flow rule for ESP and UDP 4500 was configured before the upgrade.