Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000F Handbook

    Home FortiGate-7000 6.4.13 FortiGate-7000F Handbook
    6.4.13
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6

    FortiGate-7000F IPsec VPN

    FortiGate-7000F IPsec VPN

    FortiGate-7000F uses SLBC load balancing to select an FPM to terminate traffic for a new IPsec VPN tunnel instance and all traffic for that tunnel instance is terminated on the same FPM.

    config vpn ipsec phase1-interface

    edit <name>

    set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}

    end

    You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPM to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPM5:

    config vpn ipsec phase1-interface

    edit <name>

    set ipsec-tunnel-slot FPM5

    end

    FortiGate-7000F IPsec VPN supports the following features:

    • Interface-based IPsec VPN (also called route-based IPsec VPN).

    • Site-to-Site IPsec VPN.

    • Dialup IPsec VPN. The FortiGate-7000F can be the dialup server or client.

    • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

    • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPMs in the FortiGate-7000F, or in both FortiGate-7000Fs in an HA configuration.

    • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPM.

    • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPM. Use the ipsec-tunnel-slot option in each IPsec VPN phase 1-interface configuration to terminate both phase 1s on the same FPM.

    • The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.

    FortiGate-7000F IPsec VPN has the following limitations:

    • Policy-based IPsec VPN tunnels terminated by the FortiGate-7000F are not supported.

    • Policy routes cannot be used for communication over IPsec VPN tunnels.

    • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

    • IPsec SA synchronization between FGSP HA peers is not supported.

    • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

    Previous
    Next

    FortiGate-7000F IPsec VPN

    FortiGate-7000F IPsec VPN

    FortiGate-7000F uses SLBC load balancing to select an FPM to terminate traffic for a new IPsec VPN tunnel instance and all traffic for that tunnel instance is terminated on the same FPM.

    config vpn ipsec phase1-interface

    edit <name>

    set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}

    end

    You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPM to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPM5:

    config vpn ipsec phase1-interface

    edit <name>

    set ipsec-tunnel-slot FPM5

    end

    FortiGate-7000F IPsec VPN supports the following features:

    • Interface-based IPsec VPN (also called route-based IPsec VPN).

    • Site-to-Site IPsec VPN.

    • Dialup IPsec VPN. The FortiGate-7000F can be the dialup server or client.

    • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

    • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPMs in the FortiGate-7000F, or in both FortiGate-7000Fs in an HA configuration.

    • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPM.

    • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPM. Use the ipsec-tunnel-slot option in each IPsec VPN phase 1-interface configuration to terminate both phase 1s on the same FPM.

    • The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.

    FortiGate-7000F IPsec VPN has the following limitations:

    • Policy-based IPsec VPN tunnels terminated by the FortiGate-7000F are not supported.

    • Policy routes cannot be used for communication over IPsec VPN tunnels.

    • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

    • IPsec SA synchronization between FGSP HA peers is not supported.

    • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

    Previous
    Next