FortiGate-7000 IPsec VPN
The following notes and limitations apply to FortiGate-7000 IPsec VPNs for FortiOS 5.4:
- Site-to-Site IPsec VPN is supported.
- Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.
- IPsec tunnels are not load-balanced across the FPMs, all IPsec tunnel sessions are sent to the primary (master) FPM.
- Traffic between IPsec VPN tunnels is supported.
-
Phase 2 selectors are required to specify the IP addresses and netmasks of the source and destination subnets of the VPN. For more information, see Adding source and destination subnets to IPsec VPN phase 2 configurations.
- Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
- Dialup IPsec VPN is supported. The FortiGate-7000 can be the dialup server or client.
- Dynamic routing and policy routing is not supported for IPsec interfaces.
- IPsec static routes don't consider distance, weight, priority settings. IPsec static routes are always installed in the routing table, regardless of the tunnel state.
- Auto-negotiate is not supported for IPsec VPN phase 2 configurations. IPsec VPN tunnels should not be started by the FortiGate-7000 because this could lead to every FPM attempting to start an IPsec VPN tunnel with the same remote device.
- IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.