Created on 04-11-2019 02:39 AM Edited on 06-06-2022 01:09 PM By Anonymous
Description
This article provides the configuration steps for directing IPsec VPN traffic to the master ELBC/primary worker in the following scenarios:
i. IPsec VPN traffic terminating at the FortiGate
ii. IPsec VPN traffic passing through the FortiGate
Solution
To direct IPsec VPN traffic to the primary worker, flow rules must be configured.
For IPsec VPN traffic terminating at the FortiGate:
The flow rules below force ESP traffic, and UDP traffic destined to the FortiGate IP, to the primary worker (forward-slot 0).
config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <FGT-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
For IPsec VPN traffic passing through the FortiGate:
The flow rules below force ESP traffic, and UDP traffic destined to the VPN server IP, to the primary worker (forward-slot 0).
config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <VPN-Server-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
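A small verification script, added here as an example and not part of the Fortinet article: it parses a saved copy of the flow-rule configuration and reports which of the two expected pins (ESP, and UDP to the VPN endpoint IP) are missing for a given source interface. The sample configuration, the interface name "port1" and the address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Constructed sample of the flow-rule block as saved from the CLI
# (placeholder interface and IP; not captured from a real device).
SAMPLE_CONFIG = """\
config switch fabric-channel flow-rule
    edit 1
        set src-interface "port1"
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 2
        set src-interface "port1"
        set ether-type ipv4
        set dst-addr-ipv4 203.0.113.10
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
"""

def parse_flow_rules(text):
    """Turn 'edit N ... set key value ... next' blocks into a list of dicts."""
    rules, current = [], None
    for line in text.splitlines():
        tok = line.strip().split(None, 2)
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = {"id": tok[1]}
        elif tok[0] == "set" and current is not None and len(tok) == 3:
            current[tok[1]] = tok[2].strip('"')
        elif tok[0] == "next" and current is not None:
            rules.append(current)
            current = None
    return rules

def missing_pins(rules, interface, dst_ip, slot="0"):
    """Return the expected pins ('esp', 'udp') not forwarded to `slot`."""
    ipaddress.IPv4Address(dst_ip)  # reject a malformed address early
    found = set()
    for r in rules:
        if (r.get("src-interface") != interface or r.get("action") != "forward"
                or r.get("forward-slot") != slot):
            continue
        if r.get("protocol") == "esp":
            found.add("esp")  # ESP rule carries no dst address, as in the article
        if r.get("protocol") == "udp" and r.get("dst-addr-ipv4") == dst_ip:
            found.add("udp")
    return sorted({"esp", "udp"} - found)
```

An empty list from missing_pins means both rules for that interface and endpoint are present and point at forward-slot 0.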
Copyright 2024 Fortinet, Inc. All Rights Reserved.