Fortinet white logo
Fortinet white logo

FortiGate-6000 Handbook

FortiGate 6000F IPsec VPN

FortiGate 6000F IPsec VPN

The FortiGate 6000F uses SLBC load balancing to select an FPC to terminate traffic for a new IPsec VPN tunnel instance and all traffic for that tunnel instance is terminated on the same FPC.

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPC1 | FPC2 | FPC3 | FPC4 | FPC5 | FPC6 | FPC7 | FPC8 | FPC9 | FPC10 | master}

end

You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPC5:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot FPC5

end

FortiGate 6000F IPsec VPN supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate 6000F can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs in the FortiGate 6000F, or in both FortiGate 6000Fs in an HA configuration.

  • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC.

  • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC.

FortiGate 6000F IPsec VPN has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate 6000F are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • The FortiGate 6000F, because it uses DP processors for SLBC, does not support IPsec VPN to remote networks with 0- to 15-bit netmasks.

  • UDP-encapsulated ESP (UESP) sessions that use the normal IKE port (port 4500) are load balanced by the DP3 processor in the same way as normal IPSec traffic. You can use the ipsec-tunnel-slot option when creating a phase 1 configuration to control how UESP tunnels are load balanced. However, if UESP sessions use a custom IKE port, the DP3 processor does not handle them as IPsec packets. Instead , they are load balanced by the DP3 processor in the same way as any other traffic. If required, you can adjust load balance settings or add a flow rule for UESP sessions using a custom IKE port.

FortiGate 6000F IPsec VPN

FortiGate 6000F IPsec VPN

The FortiGate 6000F uses SLBC load balancing to select an FPC to terminate traffic for a new IPsec VPN tunnel instance and all traffic for that tunnel instance is terminated on the same FPC.

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPC1 | FPC2 | FPC3 | FPC4 | FPC5 | FPC6 | FPC7 | FPC8 | FPC9 | FPC10 | master}

end

You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPC5:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot FPC5

end

FortiGate 6000F IPsec VPN supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate 6000F can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs in the FortiGate 6000F, or in both FortiGate 6000Fs in an HA configuration.

  • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC.

  • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC.

FortiGate 6000F IPsec VPN has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate 6000F are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • The FortiGate 6000F, because it uses DP processors for SLBC, does not support IPsec VPN to remote networks with 0- to 15-bit netmasks.

  • UDP-encapsulated ESP (UESP) sessions that use the normal IKE port (port 4500) are load balanced by the DP3 processor in the same way as normal IPSec traffic. You can use the ipsec-tunnel-slot option when creating a phase 1 configuration to control how UESP tunnels are load balanced. However, if UESP sessions use a custom IKE port, the DP3 processor does not handle them as IPsec packets. Instead , they are load balanced by the DP3 processor in the same way as any other traffic. If required, you can adjust load balance settings or add a flow rule for UESP sessions using a custom IKE port.