FortiGate
pywong (Staff)
Article Id 197240

Description
This article describes how to configure flow rules so that IPsec VPN traffic is handled by the primary (master) ELBC worker in the following scenarios:

   i.  IPsec VPN traffic terminating at the FortiGate
   ii. IPsec VPN traffic passing through the FortiGate


Solution
To direct IPsec VPN traffic to the primary worker, flow rules must be in place.

For IPsec VPN traffic terminating at the FortiGate:

The flow rules below force ESP traffic, and UDP traffic destined to the FortiGate IP address, to the primary worker (each entry is closed with 'next' before the following 'edit'):

config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <FGT-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end


For IPsec VPN traffic passing through the FortiGate:

The flow rules below force ESP traffic, and UDP traffic destined to the VPN server IP address, to the primary worker:

config switch fabric-channel flow-rule
    edit 0
        set src-interface <interface-name>
        set ether-type ip
        set protocol esp
        set action forward
        set forward-slot 0
    next
    edit 0
        set src-interface <interface-name>
        set ether-type ipv4
        set dst-addr-ipv4 <VPN-Server-IP>
        set protocol udp
        set action forward
        set forward-slot 0
    next
end
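The following is an added example, not Fortinet code: a small model of how the two flow rules from either section above classify traffic (first match wins, ESP on the interface regardless of destination, UDP only when addressed to the configured IP, everything else left to the chassis default). The interface name port1, the address 203.0.113.10 standing in for <FGT-IP> or <VPN-Server-IP>, the sample packets and the "load-balance" default are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PROTO_NUM = {"esp": 50, "udp": 17, "tcp": 6}  # IANA IP protocol numbers


@dataclass
class FlowRule:
    src_interface: str
    ether_type: str            # "ip" or "ipv4", as in the config above
    protocol: str              # "esp" or "udp"
    forward_slot: int
    dst_addr_ipv4: Optional[str] = None   # None = any destination (the ESP rule)

    def matches(self, pkt: dict) -> bool:
        if pkt["ingress"] != self.src_interface:
            return False
        if self.ether_type in ("ip", "ipv4") and pkt["version"] != 4:
            return False
        if pkt["proto"] != PROTO_NUM[self.protocol]:
            return False
        if self.dst_addr_ipv4 and pkt["dst"] != self.dst_addr_ipv4:
            return False
        return True


TARGET_IP = "203.0.113.10"   # assumed value for <FGT-IP> / <VPN-Server-IP>
RULES = [
    FlowRule("port1", "ip", "esp", forward_slot=0),
    FlowRule("port1", "ipv4", "udp", forward_slot=0, dst_addr_ipv4=TARGET_IP),
]


def select_slot(pkt: dict, rules=RULES):
    """First matching rule decides the slot; unmatched traffic keeps the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.forward_slot
    return "load-balance"


# Constructed sample packets arriving on port1 (and one on port2).
SAMPLES = {
    "esp_to_target":   {"ingress": "port1", "version": 4, "proto": 50, "dst": TARGET_IP},
    "ike_to_target":   {"ingress": "port1", "version": 4, "proto": 17, "dst": TARGET_IP, "dport": 500},
    "natt_to_target":  {"ingress": "port1", "version": 4, "proto": 17, "dst": TARGET_IP, "dport": 4500},
    "dns_to_target":   {"ingress": "port1", "version": 4, "proto": 17, "dst": TARGET_IP, "dport": 53},
    "udp_elsewhere":   {"ingress": "port1", "version": 4, "proto": 17, "dst": "198.51.100.7", "dport": 4500},
    "tcp_to_target":   {"ingress": "port1", "version": 4, "proto": 6, "dst": TARGET_IP, "dport": 443},
    "esp_other_port":  {"ingress": "port2", "version": 4, "proto": 50, "dst": TARGET_IP},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> slot {select_slot(pkt)}")
```

Because the UDP rule on this page carries no port match, every UDP flow addressed to the configured IP (the dns_to_target sample included) is pinned to slot 0, not only IKE on 500/4500; the ESP rule likewise pins all ESP seen on the interface, whatever its destination.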

