Dynamic routing over IPsec VPN tunnels
The FortiGate-6000 and 7000 for FortiOS 6.2.7 use SLBC load balancing to select an FPC or FPM to terminate traffic for a new IPsec VPN tunnel instance and all traffic for that tunnel instance is terminated on the same FPC or FPM.
config vpn ipsec phase1-interface
edit <name>
set ipsec-tunnel-slot {auto | <FPC-slot/FPM-slot> | master}
end
You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC or FPM to terminate all tunnel instances started by that phase 1. For example, to terminate all tunnels on FPM5 of a FortiGate-7000E:
config vpn ipsec phase1-interface
edit <name>
set ipsec-tunnel-slot FPM5
end
IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.2.7 supports the following features:
-
Interface-based IPsec VPN (also called route-based IPsec VPN).
-
Site-to-Site IPsec VPN.
-
Dialup IPsec VPN. The FortiGate-6000 or 7000 can be the dialup server or client.
-
Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.
-
When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs or FPMs in the FortiGate-6000 or 7000, or in both FortiGate-6000s or 7000s in an HA configuration.
-
Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC or FPM.
-
When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC or FPM.
-
The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.
IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.2.7 has the following limitations:
-
Policy-based IPsec VPN tunnels terminated by the FortiGate-6000 or 7000 are not supported.
-
Policy routes cannot be used for communication over IPsec VPN tunnels.
-
IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
-
IPsec SA synchronization between FGSP HA peers is not supported.
-
When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.
-
Platforms with DP processors (FortiGate-6000F and FortiGate-7000E) do not support IPsec VPN to remote networks with 0- to 15-bit netmasks.