FortiGate-7000 Handbook

FortiGate-7000 IPsec VPN

FortiOS 6.0 for FortiGate-7000 supports the following IPsec VPN features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported.
  • Static routes can point at IPsec VPN interfaces and can be used for routing the traffic inside the IPsec VPN tunnel.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported.
  • Remote networks with 16- to 32-bit netmasks are supported.
  • Site-to-Site IPsec VPN is supported.
  • Dialup IPsec VPN is supported. The FortiGate-7000 can be the dialup server or client.
  • IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6) is supported.

FortiOS 6.0 for FortiGate-7000 does not support the following IPsec VPN features:

  • Policy-based IPsec VPN is not supported. Only tunnel or interface mode IPsec VPN is supported.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • VRF routes cannot be used for communication over IPsec VPN tunnels.
  • Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • Load balancing IPsec VPN tunnels to multiple FPMs is not supported. IPsec VPN load balancing should be disabled. By default, no flow rules are required and all IPsec VPN traffic is handled by the primary FPM.
  • IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.
