FortiGate-6000 Handbook

FortiGate-6000 IPsec VPN

This chapter highlights special FortiGate-6000 VPN features and configurations.

New IPsec VPN features

FortiOS 5.6 includes the following IPsec VPN improvements:

  • Including a phase 2 selector is no longer mandatory.
  • Dynamic routing (RIP, OSPF, BGP) is supported over IPsec VPN tunnels.

IPsec VPN features supported by FortiOS 5.6 for FortiGate-6000

FortiOS 5.6 for FortiGate-6000 supports the following IPsec VPN features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported.
  • Static routes can point at IPsec VPN interfaces.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported; however, the FortiGate-6000 does not support IPsec VPN load balancing of IPsec VPN sessions that use dynamic routing over IPsec VPN tunnels.
  • Remote networks with 16- to 32-bit netmasks are supported.
  • IPsec VPN tunnels must terminate on the primary (master) FPC.
  • Site-to-Site IPsec VPN is supported.
  • Dialup IPsec VPN is supported. The FortiGate-6000 can be the dialup server or client.
  • IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6) is supported.

IPsec VPN features not supported by FortiOS 5.6 for FortiGate-6000

FortiOS 5.6 for FortiGate-6000 does not support the following IPsec VPN features:

  • Policy-based IPsec VPN is not supported. Only tunnel or interface mode IPsec VPN is supported.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • Load balancing IPsec VPN tunnels to multiple FPCs is not supported.
  • IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.
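
The limits in the two lists above can be checked against a planned tunnel inventory before deployment. The following is an added example, not Fortinet code; the dictionary layout (`mode`, `uses_policy_route`, `remote_networks`) and the sample plan are assumptions made for illustration.

```python
import ipaddress

# Limits stated in the feature lists above (FortiOS 5.6 for FortiGate-6000).
MIN_PREFIX, MAX_PREFIX = 16, 32

def parse_network(text):
    """Accept '10.20.0.0/16' or FortiOS-style '10.20.0.0 255.255.0.0'."""
    return ipaddress.ip_network("/".join(text.split()), strict=False)

def check_tunnel(tunnel):
    """Return the problems found in one planned tunnel (hypothetical dict layout)."""
    problems = []
    if tunnel.get("mode", "interface") != "interface":
        problems.append("policy-based IPsec VPN is not supported")
    if tunnel.get("uses_policy_route"):
        problems.append("policy routes cannot be used over IPsec VPN tunnels")
    for text in tunnel.get("remote_networks", []):
        try:
            net = parse_network(text)
        except ValueError:
            problems.append(f"{text}: not a valid network")
            continue
        if net.version == 6:
            problems.append(f"{text}: IPv6 clear-text traffic is not supported")
        elif not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{text}: /{net.prefixlen} is outside /16 to /32")
    return problems

def check_plan(plan):
    """Map tunnel name -> problems, listing only tunnels that have any."""
    report = {}
    for name, tunnel in plan.items():
        problems = check_tunnel(tunnel)
        if problems:
            report[name] = problems
    return report

# Constructed sample plan; names and addresses are illustrative only.
SAMPLE_PLAN = {
    "to-branch": {"mode": "interface", "remote_networks": ["10.20.0.0 255.255.0.0"]},
    "to-dc": {"mode": "policy", "remote_networks": ["10.0.0.0/8"]},
    "to-lab": {"mode": "interface", "uses_policy_route": True,
               "remote_networks": ["2001:db8:1::/48", "192.168.5.7/32"]},
}

if __name__ == "__main__":
    for name, problems in check_plan(SAMPLE_PLAN).items():
        for problem in problems:
            print(f"{name}: {problem}")
```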
