FortiGate-7000E Handbook

FortiGate-7000 IPsec VPN

The following notes and limitations apply to FortiGate-7000 IPsec VPNs:

  • Site-to-Site IPsec VPN is supported.
  • Dialup IPsec VPN is supported. The FortiGate-7000 can be the dialup server or client.
  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.
  • Static routes can point at IPsec VPN interfaces and can be used for routing the traffic inside IPsec VPN tunnels.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • VRF routes cannot be used for communication over IPsec VPN tunnels.
  • Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels is supported.
  • The FortiGate-7000 does not support load-balancing IPsec VPN tunnels to multiple FPMs.
  • All IPsec VPN tunnels are terminated on the primary FPM and traffic between IPsec VPN tunnels is supported.
  • IPsec aggregate (used for IPsec VPN redundancy and load balancing) is not supported.
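
A pre-deployment check of a planned tunnel against the limitations listed above, as an added example that is not Fortinet code or part of the handbook. The plan fields (`mode`, `routing`, `ipsec_aggregate`, `remote_networks`) and the sample values are hypothetical, and listing a short prefix as /16 blocks is an assumption about how to cover the same address space.

```python
import ipaddress

MIN_PREFIX = 16  # handbook: 16- to 32-bit netmasks are supported
UNSUPPORTED_ROUTING = {"policy", "vrf"}  # static and dynamic routes are supported

def check_remote_network(cidr):
    """Return (supported, reason, replacement_blocks) for one remote network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return False, "IPv6 clear-text traffic is not supported", []
    if net.prefixlen < MIN_PREFIX:
        # Assumption: the same address space can be listed as /16 blocks.
        blocks = [str(n) for n in net.subnets(new_prefix=MIN_PREFIX)]
        return False, f"/{net.prefixlen} is shorter than /{MIN_PREFIX}", blocks
    return True, "ok", []

def audit_tunnel(plan):
    """Collect every listed limitation that a planned tunnel would hit."""
    findings = []
    if plan.get("mode") != "interface":
        findings.append("policy-based IPsec VPN is not supported")
    if plan.get("routing") in UNSUPPORTED_ROUTING:
        findings.append(f"{plan['routing']} routes cannot be used over the tunnel")
    if plan.get("ipsec_aggregate"):
        findings.append("IPsec aggregate is not supported")
    for cidr in plan.get("remote_networks", []):
        ok, reason, blocks = check_remote_network(cidr)
        if not ok:
            hint = f" (covers {len(blocks)} /16 blocks)" if blocks else ""
            findings.append(f"{cidr}: {reason}{hint}")
    return findings

# Constructed sample plan; field names are hypothetical.
SAMPLE_PLAN = {
    "name": "branch-01",
    "mode": "interface",
    "routing": "policy",
    "ipsec_aggregate": False,
    "remote_networks": ["10.16.0.0/12", "192.168.10.0/24", "2001:db8::/32"],
}

if __name__ == "__main__":
    for finding in audit_tunnel(SAMPLE_PLAN):
        print(finding)
```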
