Description
This article addresses IPsec support in SLBC.
Scope
FortiController v5.2 / FortiGate v5.2 or later.
Solution
If the SLBC is acting as the IPsec termination point, IPsec load balancing is not supported. All IPsec traffic should be sent to the ELBC master; otherwise IPsec will experience issues.
The FortiController configuration should be:
config load-balance session-setup
    set ipsec-session forward-to-master
end
If NAT-T (UDP port 4500) is expected, the following configuration must be applied as well, so that all UDP 4500 traffic is sent to the ELBC master:
config load-balance protocol-pin
    set ike-natt-mode enable
end
If the SLBC is not acting as the IPsec termination point, that is, the SLBC only passes IPsec traffic through, it is possible to balance IPsec traffic among the worker blades using the following configuration:
config load-balance session-setup
    set ipsec-session load-balance
    set load-distribution-method src-dst-ip
end
Note that the load-distribution-method must be L3 based (src-dst-ip or src-ip or dst-ip).
All of the above settings affect the whole SLBC cluster.
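The rules above can be checked against a saved FortiController configuration. The following is an added example, not Fortinet code: the function names, the sample configuration text and the `terminates_ipsec` / `expects_natt` parameters are assumptions made for illustration. Because the article does not state default values, a setting that is absent from the text is reported as a finding.

```python
# Added example: lint a saved configuration against the rules in this article.
L3_METHODS = {"src-dst-ip", "src-ip", "dst-ip"}  # L3-based methods named in the article


def parse_config(text):
    """Parse 'config <path>' / 'set <key> <value>' / 'end' blocks into {path: {key: value}}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = blocks.setdefault(line[len("config "):].strip(), {})
        elif line == "end":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2]
    return blocks


def audit(text, terminates_ipsec, expects_natt=False):
    """Return a list of findings; an empty list means the article's rules are met."""
    cfg = parse_config(text)
    setup = cfg.get("load-balance session-setup", {})
    pin = cfg.get("load-balance protocol-pin", {})
    mode = setup.get("ipsec-session")
    findings = []
    if terminates_ipsec:
        # Termination point: IPsec must go to the master, never be balanced.
        if mode != "forward-to-master":
            findings.append("ipsec-session is %r, expected forward-to-master" % mode)
        if expects_natt and pin.get("ike-natt-mode") != "enable":
            findings.append("ike-natt-mode is not enabled; UDP 4500 may not reach the master")
    elif mode == "load-balance":
        # Passthrough: balancing is allowed, but only with an L3-based method.
        method = setup.get("load-distribution-method")
        if method not in L3_METHODS:
            findings.append("load-distribution-method is %r, expected one of %s"
                            % (method, sorted(L3_METHODS)))
    return findings


# Constructed sample: terminates IPsec but lacks the NAT-T pin block.
SAMPLE = """config load-balance session-setup
    set ipsec-session forward-to-master
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, terminates_ipsec=True, expects_natt=True):
        print("FINDING:", finding)
```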