ehsangha
Explorer II
September 15, 2025
Question

Fortigate Policy for IPsec

  • September 15, 2025
  • 3 replies
  • 472 views

Greetings, all. I have 60 site-to-site IPsec tunnels, and in order to create a policy for each one, I will need to write numerous policies due to the varied zones. I am inquiring as to what the most effective practices are at this time. Should I establish Zones or Interface Groups or enable multiple interface policies?

3 replies

Toshi_Esumi
SuperUser
September 15, 2025

If all IPsec site-to-site VPNs need to have the same policy, which is most likely the case, you can put all of them in one zone so that you need to have only one pair of policies, inbound and outbound, for all IPsecs. That's what we do for hundreds of IPsecs per our customer.

Toshi

makilra2
New Member
September 15, 2025

Having the same issue. Add user and “all” for the IP object under source, but no dice. Tried adding the IPSec subnet too, still no go. Does it not work for local users?

jiahoong112
Staff
September 15, 2025

What do you mean by this? Could you please provide a screenshot?

jiahoong112
Staff
September 15, 2025

I'd suggest going for Zones in your case: https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/116821/zone

If you go with Multiple Interface Policies, it can get messy very quickly. Please keep in mind that to add an IPsec tunnel to a Zone, it must not yet be referenced by any other firewall policies.
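The zone-based layout that Toshi_Esumi and jiahoong112 describe, written out as a FortiOS CLI example (added here, not code from the thread or from Fortinet's documentation). The tunnel names `site-01` to `site-03`, the zone name, the address objects and the subnets are all constructed placeholders; `internal` stands for the LAN-side interface.

```fortios
# Tunnel interfaces (phase1-interface) are assumed to exist already and must
# not be referenced by any firewall policy before they are added to the zone.
config firewall address
    edit "LAN_NET"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "REMOTE_NETS"
        # constructed summary of the remote-site subnets behind the tunnels
        set subnet 10.200.0.0 255.255.0.0
    next
end

config system zone
    edit "ipsec-sites"
        # "set interface" replaces the whole member list; list every tunnel.
        set interface "site-01" "site-02" "site-03"
        # keep sites isolated from each other unless an explicit policy allows it
        set intrazone deny
    next
end

config firewall policy
    # outbound: LAN -> all tunnels, one policy instead of one per tunnel
    edit 0
        set name "lan-to-ipsec-sites"
        set srcintf "internal"
        set dstintf "ipsec-sites"
        set srcaddr "LAN_NET"
        set dstaddr "REMOTE_NETS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # inbound: all tunnels -> LAN
    edit 0
        set name "ipsec-sites-to-lan"
        set srcintf "ipsec-sites"
        set dstintf "internal"
        set srcaddr "REMOTE_NETS"
        set dstaddr "LAN_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Adding a new tunnel later only means appending it to the zone's interface list; the two policies do not change.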