FortiGate
nvisentin_FTNT
Article Id 192422
Description
This article addresses IPsec support in SLBC.

Scope
FortiController v5.2 / FortiGate v5.2 or later.

Solution
If the SLBC is acting as the IPsec termination point, IPsec load balancing is not supported. All IPsec traffic (IKE and ESP) must be forwarded to the master (primary) worker blade; otherwise IPsec will experience issues.

The FortiController configuration should be:
config load-balance session-setup
    set ipsec-session forward-to-master
end

If NAT-T (UDP port 4500) is expected, the following configuration also needs to be applied, so that all UDP 4500 traffic is likewise sent to the master worker:
config load-balance protocol-pin
    set ike-natt-mode enable
end

If the SLBC is not the IPsec termination point, that is, it only passes IPsec traffic through, IPsec traffic can be balanced across the worker blades with the following configuration:
config load-balance session-setup
    set ipsec-session load-balance
    set load-distribution-method src-dst-ip
end

Note that the load-distribution-method must be L3 based (src-dst-ip, src-ip or dst-ip): ESP carries no L4 port numbers, so a port-based hash cannot be applied to it, and an L3 hash keeps the IKE (UDP 500/4500) and ESP packets of a given peer pair on the same worker blade.

All of the above settings affect the whole SLBC cluster.
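The two cases above (terminating versus passthrough, with the NAT-T pin and the L3-only distribution method) are easy to get wrong when editing a cluster config by hand. The following script is an added example, not Fortinet tooling: it parses a FortiOS-style `config ... set ... end` text dump in the shape of the snippets in this article and reports the combinations the article warns about. The sample dumps are constructed for the example; the CLI keywords are those used in the article, plus one assumed port-based value ("src-dst-ip-sport-dport") used only to show a bad passthrough configuration.

```python
"""Check FortiController SLBC IPsec load-balance settings against the rules above.

Added example, not Fortinet tooling. It parses a FortiOS-style
`config ... set ... end` text dump (the shape of the snippets in this article)
and flags the combinations the article warns about. Sample configs below are
constructed for the example; the CLI keywords are the ones used in the article,
plus one assumed port-based value ("src-dst-ip-sport-dport") for the bad case.
"""
from __future__ import annotations

# L3-based distribution methods: the only ones allowed with ipsec-session load-balance
L3_METHODS = {"src-dst-ip", "src-ip", "dst-ip"}


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Flatten `config a b ... set k v ... end` into {"a b": {k: v}}.

    Nested config/edit blocks extend the key with their own name, so the
    load-balance sections used here end up under "load-balance session-setup"
    and "load-balance protocol-pin".
    """
    sections: dict[str, dict[str, str]] = {}
    stack: list[str] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
            sections.setdefault(" ".join(stack), {})
        elif tok[0] in ("end", "next"):
            if stack:
                stack.pop()
        elif tok[0] == "set" and len(tok) >= 3 and stack:
            sections[" ".join(stack)][tok[1]] = " ".join(tok[2:])
    return sections


def check_ipsec_settings(text: str, terminates_ipsec: bool) -> list[str]:
    """Return a list of findings (empty means the config matches the article's rules).

    terminates_ipsec: True when the SLBC itself is the IPsec termination point,
    False when it only passes IPsec traffic through.
    """
    cfg = parse_config(text)
    setup = cfg.get("load-balance session-setup", {})
    pin = cfg.get("load-balance protocol-pin", {})
    mode = setup.get("ipsec-session")
    method = setup.get("load-distribution-method")
    natt = pin.get("ike-natt-mode")
    findings: list[str] = []

    if mode is None:
        findings.append("ERROR: ipsec-session is not set under load-balance session-setup")
    elif mode == "load-balance":
        if terminates_ipsec:
            findings.append("ERROR: SLBC terminates IPsec but ipsec-session is load-balance; "
                            "IPsec load balancing is only supported for passthrough traffic")
        if method not in L3_METHODS:
            findings.append("ERROR: ipsec-session load-balance requires an L3 "
                            f"load-distribution-method (src-dst-ip, src-ip or dst-ip), got {method!r}")
    elif mode == "forward-to-master":
        if natt != "enable":
            findings.append("WARN: ike-natt-mode is not enabled; NAT-T (UDP 4500) sessions "
                            "will not be pinned to the master worker if NAT-T is used")
    else:
        findings.append(f"ERROR: unexpected ipsec-session value {mode!r}")
    return findings


# Constructed sample dumps (not captured from a real cluster).
TERMINATING_OK = """\
config load-balance session-setup
    set ipsec-session forward-to-master
end
config load-balance protocol-pin
    set ike-natt-mode enable
end
"""

TERMINATING_NO_NATT = """\
config load-balance session-setup
    set ipsec-session forward-to-master
end
"""

PASSTHROUGH_OK = """\
config load-balance session-setup
    set ipsec-session load-balance
    set load-distribution-method src-dst-ip
end
"""

# Port-based hashing cannot work for ESP, which has no L4 ports (method name assumed).
PASSTHROUGH_L4_HASH = """\
config load-balance session-setup
    set ipsec-session load-balance
    set load-distribution-method src-dst-ip-sport-dport
end
"""

if __name__ == "__main__":
    for name, text, terminates in [
        ("terminating, ok", TERMINATING_OK, True),
        ("terminating, no NAT-T pin", TERMINATING_NO_NATT, True),
        ("passthrough, ok", PASSTHROUGH_OK, False),
        ("passthrough, L4 hash", PASSTHROUGH_L4_HASH, False),
        ("terminating but load-balanced", PASSTHROUGH_OK, True),
    ]:
        print(f"{name}: {check_ipsec_settings(text, terminates) or ['OK']}")
```

Run it against the output of a `show load-balance` dump from the FortiController, passing `terminates_ipsec` according to whether the cluster itself owns the tunnels. The NAT-T check is a warning rather than an error because, as the article says, `ike-natt-mode enable` is only required when NAT-T peers are expected.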
