FortiGate-6000 and FortiGate-7000 Release Notes

IPsec VPN notes and limitations

FortiGate-6000 and 7000 for FortiOS 6.2.7 supports the following features for IPsec VPN tunnels terminated by the FortiGate:

  • Interface-based IPsec VPN (also called route-based IPsec VPN) is supported. Policy-based IPsec VPN is not supported.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels is supported.

  • The FortiGate-6000 and 7000 use load balancing to select an FPC or FPM to terminate traffic for a new tunnel instance and all traffic for that tunnel instance is terminated on the same FPC or FPM. You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC or FPM to terminate all tunnel instances started by that phase 1.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs or FPMs in the FortiGate-6000 or 7000, or in both FortiGate-6000s and 7000s in an HA configuration.

  • Site-to-Site IPsec VPN is supported.

  • Dialup IPsec VPN is supported. The FortiGate-6000 or 7000 can be the dialup server or client.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • VRF routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between HA peers is supported.

  • Traffic between IPsec VPN tunnels is supported.
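Two of the limitations above (no policy-based IPsec VPN, no policy routes over IPsec tunnels) can be checked in a configuration backup before moving it to a FortiGate-6000 or 7000. The script below is an added example, not Fortinet code. It assumes the usual FortiOS CLI section names (`config vpn ipsec phase1` for policy-based tunnels, `config vpn ipsec phase1-interface` for interface-based tunnels, `config router policy` for policy routes) and single-line settings; the sample configuration is constructed.

```python
import shlex
# Constructed FortiOS-style excerpt (sample input, not from the page).
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "to-branch"
    next
end
config vpn ipsec phase1
    edit "legacy-hq"
    next
end
config router policy
    edit 1
        set output-device "to-branch"
    next
    edit 2
        set output-device "port4"
    next
end
'''

def parse_sections(text):
    """Map each top-level config block to {entry: {setting: [values]}}."""
    sections, section, entry, depth = {}, None, None, 0
    for w in (shlex.split(l) for l in text.splitlines() if l.strip()):
        if w[0] == "config":
            depth += 1
            if depth == 1:  # new top-level block; forget the previous entry
                section, entry = sections.setdefault(" ".join(w[1:]), {}), None
        elif w[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # lines inside nested blocks are not needed for this audit
        elif w[0] == "edit":
            entry = section.setdefault(w[1], {})
        elif w[0] == "set" and entry is not None:
            entry[w[1]] = w[2:]
    return sections

def audit(text):
    """Return (issue, object) findings for the two limitations named above."""
    cfg = parse_sections(text)
    tunnels = set(cfg.get("vpn ipsec phase1-interface", {}))
    found = [("policy-based-ipsec", n) for n in cfg.get("vpn ipsec phase1", {})]
    for rule, s in cfg.get("router policy", {}).items():
        devs = set(s.get("input-device", []) + s.get("output-device", []))
        found += [("policy-route-over-ipsec", f"rule {rule} via {t}") for t in sorted(devs & tunnels)]
    return found

print(audit(SAMPLE_CONFIG))
```

An empty result means neither pattern was found; the VRF and IPv6 limitations are not covered by this check.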
