FortiGate-6000 and FortiGate-7000 Release Notes

Dynamic routing over IPsec VPN tunnels

The FortiGate-6000 and 7000 for FortiOS 6.2.7 use SLBC load balancing to select the FPC or FPM that terminates each new IPsec VPN tunnel instance. All traffic for that tunnel instance is then terminated on the same FPC or FPM.

You can optionally use the IPsec tunnel phase 1 configuration to select a specific FPC or FPM to terminate all tunnel instances started by that phase 1. The auto setting lets SLBC select the slot; naming a slot pins every tunnel instance from that phase 1 to it:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {auto | <FPC-slot/FPM-slot> | master}
    end

For example, to terminate all tunnels on FPM5 of a FortiGate-7000E:

config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot FPM5
    end

IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.2.7 supports the following features:

  • Interface-based IPsec VPN (also called route-based IPsec VPN).

  • Site-to-Site IPsec VPN.

  • Dialup IPsec VPN. The FortiGate-6000 or 7000 can be the dialup server or client.

  • Static and dynamic routing (BGP, OSPF, and RIP) over IPsec VPN tunnels.

  • When an IPsec VPN tunnel is initialized, the SA is synchronized to all FPCs or FPMs in the FortiGate-6000 or 7000, or in both FortiGate-6000s or 7000s in an HA configuration.

  • Traffic between IPsec VPN tunnels is supported when both tunnels terminate on the same FPC or FPM.

  • When setting up a VRF configuration to send traffic between two IPsec VPN interfaces with different VRFs, both IPsec tunnels must terminate on the same FPC or FPM.

  • The FortiGate-7000F, because it uses NP7 processors for SLBC, supports IPsec VPN to remote networks with 0- to 15-bit netmasks.

IPsec VPN for FortiGate-6000 and 7000 for FortiOS 6.2.7 has the following limitations:

  • Policy-based IPsec VPN tunnels terminated by the FortiGate-6000 or 7000 are not supported.

  • Policy routes cannot be used for communication over IPsec VPN tunnels.

  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.

  • IPsec SA synchronization between FGSP HA peers is not supported.

  • When setting up an IPsec VPN VLAN interface, do not set the VLAN ID to 1. This VLAN ID is reserved by FortiOS. Any configurations that use a VLAN with VLAN ID = 1 will not work as expected.

  • Platforms with DP processors (FortiGate-6000F and FortiGate-7000E) do not support IPsec VPN to remote networks with 0- to 15-bit netmasks.
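The following is an added example, not taken from these release notes, showing how the features and limitations above fit together in one FortiOS 6.2 CLI configuration: two interface-based site-to-site tunnels pinned to the same slot with ipsec-tunnel-slot (so that traffic can be routed between them), a /32 tunnel IP on each tunnel interface, BGP peering across both tunnels instead of policy routes, and ordinary firewall policies between the tunnel interfaces. The tunnel names, port1, the AS numbers, the 203.0.113.x gateways, the 10.255.0.x tunnel addresses and the 10.1.0.0/16 prefix are all hypothetical; replace the pre-shared key placeholder with a real secret. Lines starting with # are annotations for the reader, not CLI input.

```text
# Phase 1: both tunnels terminate on FPM5 so traffic can flow between them
config vpn ipsec phase1-interface
    edit "to-branch-a"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "<pre-shared-key>"
        set ipsec-tunnel-slot FPM5
    next
    edit "to-branch-b"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.20
        set psksecret "<pre-shared-key>"
        set ipsec-tunnel-slot FPM5
    next
end

# Phase 2: one selector per tunnel, brought up automatically
config vpn ipsec phase2-interface
    edit "to-branch-a-p2"
        set phase1name "to-branch-a"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "to-branch-b-p2"
        set phase1name "to-branch-b"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end

# Tunnel interface addressing used as the BGP peering addresses
config system interface
    edit "to-branch-a"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
    edit "to-branch-b"
        set ip 10.255.0.5 255.255.255.255
        set remote-ip 10.255.0.6 255.255.255.255
    next
end

# Dynamic routing over the tunnels (BGP); no policy routes are involved
config router bgp
    set as 65000
    config neighbor
        edit "10.255.0.2"
            set remote-as 65001
        next
        edit "10.255.0.6"
            set remote-as 65002
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end

# Firewall policies permitting tunnel-to-tunnel traffic in both directions
config firewall policy
    edit 1
        set name "branch-a-to-branch-b"
        set srcintf "to-branch-a"
        set dstintf "to-branch-b"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "branch-b-to-branch-a"
        set srcintf "to-branch-b"
        set dstintf "to-branch-a"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If one of the tunnels were left at ipsec-tunnel-slot auto, SLBC could place it on a different FPC or FPM and the branch-to-branch policies above would not pass traffic; the same applies when the two tunnel interfaces are in different VRFs. If the underlying interface were a VLAN interface instead of port1, give it any VLAN ID other than 1.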
