Fortinet black logo

FortiGate-7000F Handbook

FortiGate-7000F IPsec VPN

Copy Link
Copy Doc ID 7c49437d-9280-11eb-b70b-00505692583a:813847
Download PDF

FortiGate-7000F IPsec VPN

The following notes and limitations apply to FortiGate-7000F IPsec VPNs:

  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.
  • All traffic for a given IPsec VPN tunnel is terminated on a single FPM.
  • If the IPsec VPN interface uses static routing, the FortiGate-7000F uses load balancing to select an FPM to terminate traffic for a new tunnel instance and all traffic for that tunnel instance is terminated on the same FPM. You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPM to terminate all tunnel instances started by that phase 1.
  • If the IPsec VPN interface includes dynamic routing, all tunnel instances using that interface are terminated on the primary FPM.
  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPMs in the chassis, or in both chassis in an HA configuration.
  • Site-to-Site IPsec VPN is supported.
  • Dialup IPsec VPN is supported. The FortiGate-7000F can be the dialup server or client.
  • Static routes can point at IPsec VPN interfaces and can be used for routing the traffic inside IPsec VPN tunnels.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • VRF routes cannot be used for communication over IPsec VPN tunnels.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • IPsec SA synchronization between HA peers is supported.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported.
  • Traffic between IPsec VPN tunnels is supported.

FortiGate-7000F IPsec VPN

The following notes and limitations apply to FortiGate-7000F IPsec VPNs:

  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.
  • All traffic for a given IPsec VPN tunnel is terminated on a single FPM.
  • If the IPsec VPN interface uses static routing, the FortiGate-7000F uses load balancing to select an FPM to terminate traffic for a new tunnel instance and all traffic for that tunnel instance is terminated on the same FPM. You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPM to terminate all tunnel instances started by that phase 1.
  • If the IPsec VPN interface includes dynamic routing, all tunnel instances using that interface are terminated on the primary FPM.
  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPMs in the chassis, or in both chassis in an HA configuration.
  • Site-to-Site IPsec VPN is supported.
  • Dialup IPsec VPN is supported. The FortiGate-7000F can be the dialup server or client.
  • Static routes can point at IPsec VPN interfaces and can be used for routing the traffic inside IPsec VPN tunnels.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • VRF routes cannot be used for communication over IPsec VPN tunnels.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • IPsec SA synchronization between HA peers is supported.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported.
  • Traffic between IPsec VPN tunnels is supported.