FortiGate-7000E Handbook

FortiGate-7000E IPsec VPN

The FortiGate-7000E uses SLBC load balancing to select an FPM to terminate traffic for a new IPsec VPN tunnel instance, and all traffic for that tunnel instance is terminated on the same FPM. The ipsec-tunnel-slot option in the phase 1 configuration controls this selection:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {auto | FPM3 | ... | FPMX | master}
    end

You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPM to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPM4:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot FPM4
    end

FortiGate-7000E IPsec VPN supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate-7000E can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPMs in the FortiGate-7000E, or in both FortiGate-7000Es in an HA configuration.

  • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPM.

  • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPM.

FortiGate-7000E IPsec VPN has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate-7000E are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • The FortiGate-7000E, because it uses DP processors for SLBC, does not support IPsec VPN to remote networks with 0- to 15-bit netmasks.

  • UDP-encapsulated ESP (UESP) sessions that use the normal IKE port (port 4500) are load balanced by the DP2 processor in the same way as normal IPsec traffic. You can use the ipsec-tunnel-slot option when creating a phase 1 configuration to control how UESP tunnels are load balanced. However, if UESP sessions use a custom IKE port, the DP2 processor does not handle them as IPsec packets. Instead, they are load balanced by the DP2 processor in the same way as any other traffic. If required, you can adjust load balance settings or add a flow rule for UESP sessions using a custom IKE port.
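The remote-netmask limitation above is easy to miss in a large configuration. The following added example (not from the handbook or FortiOS) parses FortiOS-style phase 1 and phase 2 CLI text and reports every phase 2 selector whose remote network has a 0- to 15-bit netmask; the sample configuration, tunnel names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample FortiOS config (not from the handbook). The "branch-wan"
# selector targets a /8 remote network, which the FortiGate-7000E cannot terminate.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to-branch"
        set ipsec-tunnel-slot FPM4
    next
end
config vpn ipsec phase2-interface
    edit "branch-lan"
        set phase1name "to-branch"
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "branch-wan"
        set phase1name "to-branch"
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end
"""


def parse_config(text):
    # Parse "config / edit / set / next" text into {table: {entry: {key: value}}}.
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
    return tables


def check_remote_netmasks(text):
    # One finding per phase 2 selector whose remote network has fewer than 16 netmask bits.
    findings = []
    for name, p2 in parse_config(text).get("vpn ipsec phase2-interface", {}).items():
        if "dst-subnet" in p2:
            addr, mask = p2["dst-subnet"].split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen < 16:
                findings.append(f"{name} (phase1 {p2.get('phase1name')}): "
                                f"remote {net} netmask has only {net.prefixlen} bits")
    return findings
```

Run `check_remote_netmasks(SAMPLE_CONFIG)` against an exported configuration to list the selectors that must be split into /16 or longer prefixes before the tunnel is moved to a FortiGate-7000E.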