FortiGate-6000 IPsec VPN
The following notes and limitations apply to FortiGate-6000 IPsec VPNs for FortiOS 6.0.8:
- Site-to-Site IPsec VPN is supported.
- Dialup IPsec VPN is supported. The FortiGate-6000 or 7000 can be the dialup server or client.
- Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.
- Static routes can point at IPsec VPN interfaces and can be used for routing the traffic inside IPsec VPN tunnels.
- Policy routes cannot be used for communication over IPsec VPN tunnels.
- VRF routes cannot be used for communication over IPsec VPN tunnels.
- Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
- IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.
- The FortiGate-6000 supports load balancing IPsec VPN tunnels to multiple FPCs as long as only static routes are used over the IPsec VPN tunnels.
- If FortiGate-6000 IPsec VPN load balancing is not enabled, you can use static or dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels.
- With FortiGate-6000 IPsec VPN load balancing enabled, the FortiGate-6000 DP3 processor terminates individual IPsec VPN tunnels on different FPCs. All traffic to and from a specific tunnel is processed by the same FPC, and individual tunnel SAs are not synchronized to other FPCs. One result of this setup is that traffic cannot travel between two IPsec VPN tunnels, since the two tunnels could be terminated on different FPCs.
- Traffic between two IPsec VPN tunnels is supported if load balancing is disabled. In this case, all IPsec VPN tunnels are terminated on the primary FPC, so traffic can pass from one tunnel to another.
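The notes above amount to a short list of design constraints that are easy to overlook until a tunnel fails to come up. The following pre-deployment check is an added example, not code from the page or from Fortinet: it encodes those constraints (interface-based only, 16- to 32-bit remote netmasks, no IPv6 clear-text, no policy or VRF routes, dynamic routing only without load balancing, no tunnel-to-tunnel traffic with load balancing) and reports which parts of a planned design violate them. The `TunnelPlan` and `DesignPlan` records, the function names, and the sample networks are my own assumptions for illustration.

```python
# Pre-deployment lint for a planned FortiGate-6000 IPsec VPN design against
# the FortiOS 6.0.8 notes above. Added example, not Fortinet code; the record
# layout and function names are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelPlan:
    name: str
    remote_networks: list           # CIDR strings, e.g. "10.20.0.0/16"
    vpn_type: str = "interface"     # "interface" (route-based) or "policy"
    routing: str = "static"         # "static", "policy-route", "vrf", "rip", "ospf", "bgp"


@dataclass
class DesignPlan:
    load_balancing: bool            # FortiGate-6000 IPsec VPN load balancing enabled?
    tunnels: list = field(default_factory=list)
    tunnel_to_tunnel: bool = False  # does any flow need to cross from one tunnel to another?


def check_tunnel(t: TunnelPlan, load_balancing: bool) -> list:
    """Return a list of human-readable violations for one tunnel."""
    problems = []

    # Only interface-based (route-based) IPsec VPN is supported.
    if t.vpn_type != "interface":
        problems.append(f"{t.name}: policy-based IPsec VPN is not supported; use interface-based")

    for net in t.remote_networks:
        n = ipaddress.ip_network(net, strict=False)
        # IPv6 clear-text traffic inside the tunnel is not supported.
        if n.version == 6:
            problems.append(f"{t.name}: IPv6 clear-text traffic ({net}) is not supported")
            continue
        # Remote networks must use 16- to 32-bit netmasks; /0 to /15 are rejected,
        # which also rules out a default route as the remote network.
        if n.prefixlen < 16:
            problems.append(
                f"{t.name}: remote network {net} has a {n.prefixlen}-bit netmask; "
                "only 16- to 32-bit netmasks are supported"
            )

    # Policy routes and VRF routes can never be used over IPsec VPN tunnels.
    if t.routing in ("policy-route", "vrf"):
        problems.append(f"{t.name}: {t.routing} routes cannot be used over IPsec VPN tunnels")
    # Dynamic routing (RIP, OSPF, BGP) is only allowed when load balancing is disabled.
    elif t.routing != "static" and load_balancing:
        problems.append(
            f"{t.name}: dynamic routing ({t.routing}) over IPsec VPN requires "
            "IPsec VPN load balancing to be disabled"
        )
    return problems


def check_design(plan: DesignPlan) -> list:
    """Run all per-tunnel checks plus the design-wide tunnel-to-tunnel rule."""
    problems = []
    for t in plan.tunnels:
        problems.extend(check_tunnel(t, plan.load_balancing))
    # With load balancing, tunnels may land on different FPCs and cannot hairpin.
    if plan.tunnel_to_tunnel and plan.load_balancing:
        problems.append(
            "traffic between two IPsec VPN tunnels requires load balancing to be disabled "
            "(all tunnels then terminate on the primary FPC)"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample design: one compliant branch tunnel, one that breaks
    # several rules, and a requirement to route between the two tunnels.
    sample = DesignPlan(
        load_balancing=True,
        tunnels=[
            TunnelPlan("to-branch", ["10.20.0.0/16", "192.0.2.0/24"]),
            TunnelPlan("to-hq", ["10.0.0.0/8", "2001:db8::/32"], routing="ospf"),
        ],
        tunnel_to_tunnel=True,
    )
    for line in check_design(sample):
        print("-", line)
```

Run it as a script to print the violations for the constructed sample; an empty list from `check_design` means the design stays within the documented limits. Note that the HA behaviour above (no SA synchronization, tunnels re-initialize after failover) is operational rather than a design constraint, so it is not modelled here.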