
FortiGate-7000F Handbook

Doc ID f2d4ea6c-35c4-11ed-9d74-fa163e15d75b:813847

FortiGate-7000F IPsec VPN

The FortiGate-7000F uses SLBC load balancing to select the FPM that terminates a new IPsec VPN tunnel instance; all traffic for that tunnel instance is then terminated on the same FPM. The FPM is chosen per phase 1 with the ipsec-tunnel-slot option:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}
    end

With the default setting, auto, SLBC selects the FPM. You can optionally use the phase 1 configuration to select a specific FPM that terminates all tunnel instances started by that phase 1. For example, to terminate all tunnels started by a phase 1 on FPM5:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot FPM5
    end

FortiGate-7000F IPsec VPN supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate-7000F can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, its SA is synchronized to all FPMs in the FortiGate-7000F or, in an HA configuration, to all FPMs in both FortiGate-7000Fs (FGSP peers are the exception; see the limitations below).

  • Traffic between two IPsec VPN tunnels (tunnel-to-tunnel traffic) is supported when both tunnels terminate on the same FPM.

  • When setting up a VRF configuration that sends traffic between two IPsec VPN interfaces in different VRFs, both IPsec tunnels must terminate on the same FPM. Use the ipsec-tunnel-slot option in each phase1-interface configuration to pin both phase 1s to the same FPM.

  • Because the FortiGate-7000F uses NP7 processors for SLBC, it supports IPsec VPN to remote networks with netmasks of 0 to 15 bits (for example, 10.0.0.0/8).
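The same-FPM rule for tunnel-to-tunnel and inter-VRF traffic is easy to violate when some phase 1s are left on auto, so it is worth checking before the tunnels come up. The following is an added example, not Fortinet code and not part of the original page: it parses a constructed FortiOS-style config dump, checks a constructed list of tunnel pairs that must exchange traffic, and emits the ipsec-tunnel-slot commands that pin each group to one FPM. The config text, tunnel names, VRF numbers, the PAIRS list and the FPM5 default are assumptions of the example.

```python
"""Check and repair ipsec-tunnel-slot pinning for FortiGate-7000F tunnels that
must exchange traffic (tunnel-to-tunnel, or across VRFs), which only works when
both tunnels terminate on the same FPM.
Added example, not Fortinet code; config text, names, VRFs and PAIRS are constructed."""
from collections import defaultdict

# Constructed FortiOS-style config dump (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "to-dc"
        set vrf 10
    next
    edit "to-branch"
        set vrf 20
    next
    edit "to-partner"
        set vrf 20
    next
end
config vpn ipsec phase1-interface
    edit "to-dc"
        set remote-gw 203.0.113.10
        set ipsec-tunnel-slot FPM5
    next
    edit "to-branch"
        set remote-gw 198.51.100.20
    next
    edit "to-partner"
        set remote-gw 192.0.2.30
        set ipsec-tunnel-slot FPM7
    next
end
"""
# Tunnel pairs that must pass traffic to each other (constructed): inter-VRF
# routing between vrf 10 and vrf 20, and tunnel-to-tunnel inside vrf 20.
PAIRS = [("to-dc", "to-branch"), ("to-branch", "to-partner")]


def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {key: value}}};
    only top-level tables are recorded, nested config blocks are skipped."""
    tables, stack, current = defaultdict(dict), [], None
    for raw in text.splitlines():
        verb, _, arg = raw.strip().partition(" ")
        if verb == "config":
            stack.append(("config", arg))
            current = None
        elif verb == "edit":
            stack.append(("edit", arg.strip('"')))
            current = tables[stack[0][1]].setdefault(stack[1][1], {}) if len(stack) == 2 else None
        elif verb == "set" and current is not None:
            key, _, value = arg.partition(" ")
            current[key] = value.strip().strip('"')
        elif verb in ("next", "end") and stack:
            stack.pop()
            back_in_entry = len(stack) == 2 and stack[1][0] == "edit"
            current = tables[stack[0][1]][stack[1][1]] if back_in_entry else None
    return tables


def tunnel_slots(tables):
    """ipsec-tunnel-slot per phase 1; the CLI default is auto when unset."""
    return {n: e.get("ipsec-tunnel-slot", "auto")
            for n, e in tables.get("vpn ipsec phase1-interface", {}).items()}


def interface_vrfs(tables):
    return {n: e.get("vrf", "0") for n, e in tables.get("system interface", {}).items()}


def check_colocation(slots, vrfs, pairs):
    """Report pairs that are not guaranteed to terminate on one FPM."""
    problems = []
    for a, b in pairs:
        sa, sb = slots.get(a, "auto"), slots.get(b, "auto")
        label = f"{a} (vrf {vrfs.get(a, '0')}) <-> {b} (vrf {vrfs.get(b, '0')})"
        if "auto" in (sa, sb):
            problems.append(f"{label}: slot auto, SLBC may choose different FPMs")
        elif sa != sb:
            problems.append(f"{label}: pinned to different FPMs ({sa} vs {sb})")
    return problems


def pin_groups(slots, pairs, default_slot="FPM5"):
    """Union tunnels that must talk to each other and give each group one slot:
    an existing pin is kept if the group agrees on exactly one, else default_slot."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in pairs:
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in list(parent):
        groups[find(name)].append(name)
    assignment = {}
    for members in groups.values():
        pinned = {slots.get(m, "auto") for m in members} - {"auto"}
        slot = pinned.pop() if len(pinned) == 1 else default_slot
        assignment.update({m: slot for m in members})
    return assignment


def render_cli(assignment):
    """Emit the phase1-interface commands that apply the assignment."""
    lines = ["config vpn ipsec phase1-interface"]
    for name in sorted(assignment):
        lines += [f'    edit "{name}"', f"        set ipsec-tunnel-slot {assignment[name]}", "    next"]
    return "\n".join(lines + ["end"])
```

Running check_colocation on the sample reports both pairs, because to-branch is on auto; pin_groups then puts all three tunnels on FPM5 (the group has two conflicting pins, FPM5 and FPM7, so the default wins) and render_cli prints the commands to paste into the CLI. Which pairs must be co-located is a routing and policy decision, so PAIRS is supplied explicitly rather than inferred from the VRF numbers.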

FortiGate-7000F IPsec VPN has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate-7000F are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • UDP-encapsulated ESP (UESP) sessions that use the standard IKE NAT-T port (UDP 4500) are load balanced by the NP7 processors in the same way as normal IPsec traffic, so you can use the ipsec-tunnel-slot option in the phase 1 configuration to control which FPM terminates them. If UESP sessions use a custom IKE port, the NP7 processor does not recognize them as IPsec packets and instead load balances them in the same way as any other traffic. If required, adjust the load balancing settings or add a flow rule that matches the custom port for those UESP sessions.
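To know which custom IKE ports are actually carrying UDP-encapsulated ESP, and therefore need a flow rule or a load balancing change, a capture can be demultiplexed with the same RFC 3948 rules the NAT-T port uses: a single 0xFF byte is a NAT keepalive, four zero bytes (the non-ESP marker) precede IKE, and anything else starts with an ESP SPI. The following is an added example, not Fortinet code and not part of the original page; the packets, the addresses, the custom port 4501 and the heuristic that a port must show an IKE-marked or keepalive packet before its ESP is counted are all assumptions of the example.

```python
"""Find UDP-encapsulated ESP (RFC 3948 NAT-T) on ports other than 4500, i.e.
the UESP sessions on a custom IKE port that the NP7 will not treat as IPsec.
Added example, not Fortinet code; the packets are constructed (IPv4/UDP with
zero checksums and minimal payloads) and the port test is a heuristic."""
import struct
from collections import Counter, defaultdict
from socket import inet_aton, inet_ntoa

IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP datagram; checksums left zero (constructed test data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     inet_aton(src), inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload) or None if not IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20]), sport, dport, pkt[ihl + 8:ihl + ulen]


def classify_nat_t_payload(payload):
    """RFC 3948 demux: one 0xFF byte is a NAT keepalive, four zero bytes are the
    non-ESP marker in front of IKE, otherwise a non-zero SPI starts ESP."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "unknown"


def uesp_ports(packets):
    """{dst_port: esp_count} for UDP ports carrying UESP. Raw IKE on 500 has no
    marker and is skipped; a port other than 4500 only counts once an IKE-marked
    or keepalive packet was seen on it (heuristic), which keeps ordinary UDP such
    as DNS, whose first bytes are also non-zero, out of the result."""
    seen = defaultdict(Counter)
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None or parsed[3] == IKE_PORT:
            continue
        seen[parsed[3]][classify_nat_t_payload(parsed[4])] += 1
    return {port: c["esp"] for port, c in seen.items()
            if c["esp"] and (port == NAT_T_PORT or c["ike"] or c["keepalive"])}


def custom_port_uesp(packets):
    """Ports from uesp_ports() that a flow rule would have to match."""
    return {p: n for p, n in uesp_ports(packets).items() if p != NAT_T_PORT}


# Constructed sample traffic towards a FortiGate at 203.0.113.1.
IKE_NATT = b"\x00\x00\x00\x00" + bytes(28)             # non-ESP marker + IKE header
ESP = b"\xc0\xff\xee\x01\x00\x00\x00\x01" + bytes(16)  # SPI, sequence, payload
DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
GW, PEER = "203.0.113.1", "198.51.100.7"
SAMPLE_PACKETS = [
    build_ipv4_udp(PEER, GW, 500, 500, b"\x11" * 8 + bytes(20)),  # raw IKE, skipped
    build_ipv4_udp(PEER, GW, 4500, 4500, IKE_NATT),
    build_ipv4_udp(PEER, GW, 4500, 4500, ESP),
    build_ipv4_udp(PEER, GW, 4500, 4500, ESP),
    build_ipv4_udp(PEER, GW, 4501, 4501, IKE_NATT),                # custom IKE port
    build_ipv4_udp(PEER, GW, 4501, 4501, b"\xff"),
    build_ipv4_udp(PEER, GW, 4501, 4501, ESP),
    build_ipv4_udp(PEER, GW, 4501, 4501, ESP),
    build_ipv4_udp(PEER, GW, 4501, 4501, ESP),
    build_ipv4_udp(PEER, GW, 40000, 53, DNS),                      # plain DNS, excluded
]

if __name__ == "__main__":
    print("UESP on custom ports:", custom_port_uesp(SAMPLE_PACKETS))  # {4501: 3}
```

On the sample, port 4500 is counted as normal NAT-T and port 4501 is reported as a custom port carrying three ESP packets, which is the port a flow rule would have to match; the DNS flow on port 53 is ignored because no marker or keepalive was ever seen there. To run this against real traffic, replace SAMPLE_PACKETS with the raw IPv4 frames from a capture.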
