IPSec: Set up IPSec

Item                Support
DH group            1 (modp768), 2 (modp1024), 5 (modp1536), 14 (modp2048)
Transmission mode   Tunnel mode and limited Transport mode. Transport mode is only available for
                    Tunnel Routing.
Security protocol   Encapsulating Security Payload (ESP) only
NAT traversal       Not supported
DPD                 Supported
PFS                 Supported
IP deployment       Static IPv4 only; the supported WAN link types (see "Configuring your WAN") are:
                    - Routing mode
                    - Bridge Mode: One Static IP
                    - Bridge Mode: Multiple Static IP
IPv6                Not supported
Peer device         FortiWAN/FortiGate
Fail over           Not supported (neither IPSec Tunnel mode nor Transport mode has any fail over
                    ability of its own; only Tunnel Routing over IPSec Transport mode supports
                    fail over)
Tunnel mode, Transport mode and Tunnel Routing
FortiWAN provides standard Tunnel mode to build an IPSec VPN as described above. By encapsulating the
encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can
be delivered to the private networks deployed behind the two units across the Internet (the public and untrusted
network). This is what is typically called IPsec VPN. Compared with FortiWAN's Tunnel Routing, IPSec Tunnel mode
can also establish multiple tunnels through different WAN ports (WAN interfaces) between two FortiWAN units, but
bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission: the IPSec packets of a
connection, or of the connections of a specified group, cannot be distributed over multiple IPSec tunnels; they are
always delivered through one fixed tunnel.
Although FortiWAN's Tunnel Routing (see "Tunnel Routing") is the technology that distributes the packets of one
tunneling connection over multiple tunnels (so bandwidth aggregation and fault tolerance are supported), it does not
provide strict protection for the tunneling communications (the encryption built into Tunnel Routing is very simple
and offers low security). For this reason, the major purpose of FortiWAN's IPSec Transport mode is to give Tunnel
Routing transmissions IPSec protection. In fact, FortiWAN's IPSec Transport mode is designed for Tunnel Routing
only; a Transport mode IPSec SA cannot be applied to any traffic except Tunnel Routing. By establishing an IPSec
SA on every TR tunnel, Tunnel Routing's GRE packets are encrypted (ESP encapsulated) and transferred
through the specified interface (according to the specified TR algorithm) in IPSec Transport mode (the original
routing of the GRE packet remains intact, as described above). The ESP packets are decrypted on the opposite
FortiWAN Handbook
Fortinet Technologies Inc.
179
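The two paragraphs above argue that Tunnel mode pins a flow to one tunnel while Transport mode leaves the GRE packet's original header, and so Tunnel Routing's per-link choice, intact. The following is an added layout model in Python (not FortiWAN code) that builds both ESP placements over one GRE packet per TR tunnel and reports which outer address pairs a link selector would still see. It assumes two constructed TR tunnels on documentation addresses, leaves the ESP "ciphertext" as plaintext and omits the ICV, since only the outer header matters for the comparison.

```python
import struct
from typing import List, Set, Tuple

# Constructed layout model, not FortiWAN code: minimal IPv4 header, bare ESP header,
# and the two ESP placements. Payload is left unencrypted and no ICV is appended.
IPPROTO_GRE, IPPROTO_ESP = 47, 50
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, checksum left as zero

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d) + payload

def esp(spi: int, seq: int, protected: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + protected

def tunnel_mode(pkt: bytes, sa_src: str, sa_dst: str, spi: int, seq: int) -> bytes:
    """Whole original packet becomes the ESP payload; a new outer header names the SA endpoints."""
    return ipv4(sa_src, sa_dst, IPPROTO_ESP, esp(spi, seq, pkt))

def transport_mode(pkt: bytes, spi: int, seq: int) -> bytes:
    """ESP is inserted after the original header; outer src/dst (and so the WAN link) are unchanged."""
    fields = list(struct.unpack(IPV4_FMT, pkt[:20]))
    body = esp(spi, seq, pkt[20:])
    fields[2], fields[6] = 20 + len(body), IPPROTO_ESP   # fix total length and next protocol
    return struct.pack(IPV4_FMT, *fields) + body

def outer(pkt: bytes) -> Tuple[str, str, int]:
    """What a link selector sees: outer src, outer dst and protocol number."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6]

# Constructed Tunnel Routing set-up: two TR tunnels, one per WAN link (documentation addresses).
TR_TUNNELS = [("203.0.113.10", "198.51.100.10"), ("203.0.113.20", "198.51.100.20")]

def gre_packets(payload: bytes) -> List[bytes]:
    """One GRE packet per TR tunnel, as if TR had spread a connection over both links."""
    return [ipv4(s, d, IPPROTO_GRE, b"\x00\x00\x08\x00" + payload) for s, d in TR_TUNNELS]

def paths_seen(mode: str) -> Set[Tuple[str, str]]:
    """Distinct (outer src, outer dst) pairs after ESP protection, i.e. how many links stay usable."""
    seen = set()
    for i, gre in enumerate(gre_packets(b"data")):
        if mode == "transport":
            prot = transport_mode(gre, spi=0x1000 + i, seq=1)
        else:  # a single tunnel-mode SA between the two units' first WAN addresses
            prot = tunnel_mode(gre, *TR_TUNNELS[0], spi=0x2000, seq=1)
        src, dst, proto = outer(prot)
        assert proto == IPPROTO_ESP
        seen.add((src, dst))
    return seen

if __name__ == "__main__":
    print("transport:", paths_seen("transport"))   # both link address pairs survive
    print("tunnel:   ", paths_seen("tunnel"))      # collapsed onto the SA endpoint pair
```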