Re: IPSEC VSX load balance

victor_cortez · ‎2023-11-06

Hello guys,

Here is my scneario, r81 Vsystem:

I have a vpn community IPSEC from my peer Ckp-Vs-SG to 2 different fgt peers, Fgt-A and Fgt-B.

MEP Manually:

Fgt-A is the primay under MEP

Fgt-B is the secondary under MEP

So now I want to send traffic to both Fgt-A and B and balance. How to set this on CKP side?

Route based it is not supported on vsx, right?

The final result is active/active VPN balancing traffic between the Fortigate side.

Tks,

Victor C

Wolfgang · ‎2023-11-06

More detailed description would be helpful.

I understand Fgt as Fortigate at the remote site. This requires the use of DPD (DeadPeerDetection) with third party VPN gateways. Follow VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer to configure.

victor_cortez · ‎2023-11-06

I want active/active balancing traffic through both Fortigates A and B.

Wolfgang · ‎2023-11-07

I believe load balancing is not possible with third party.

Chris_Atkinson · ‎2023-11-06

Route based (VTI) is supported on VSX with dynamic routing (BGP) in R81.x

CCSM R77/R80/ELITE

Are you a member of CheckMates?