FortiGate-6000 IPsec VPN
This chapter highlights special FortiGate-6000 VPN features and configurations.
New IPsec VPN features
FortiOS 5.6 includes the following IPsec VPN improvements:
- Including a phase 2 selector is no longer mandatory.
- Dynamic routing (RIP, OSPF, BGP) is supported over IPsec VPN tunnels.
IPsec VPN features supported by FortiOS 5.6 for FortiGate-6000
FortiOS 5.6 for FortiGate-6000 supports the following IPsec VPN features:
- Interface-based IPsec VPN (also called route-based IPsec VPN) is supported.
- Static routes can point at IPsec VPN interfaces.
- Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported; however, the FortiGate-6000 does not support IPsec VPN load balancing of IPsec VPN sessions that use dynamic routing over IPsec VPN tunnels.
- Remote networks with 16- to 32-bit netmasks are supported.
- IPsec VPN tunnels must terminate on the primary (master) FPC.
- Site-to-Site IPsec VPN is supported.
- Dialup IPsec VPN is supported. The FortiGate-6000 can be the dialup server or client.
- IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6) is supported.
IPsec VPN features not supported by FortiOS 5.6 for FortiGate-6000
FortiOS 5.6 for FortiGate-6000 does not support the following IPsec VPN features:
- Policy-based IPsec VPN is not supported. Only tunnel or interface mode IPsec VPN is supported.
- Policy routes cannot be used for communication over IPsec VPN tunnels.
- Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
- Load balancing IPsec VPN tunnels to multiple FPCs is not supported.
- IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.