VPN tunnel and interface mode
Hi everybody,
The VPN section is divided into two groups: tunnel mode and interface mode.
What is the difference between the two?
Thank you.
From a remote end, there will be no difference in how the IPSec tunnel is presented. From the Fortigate end, there is a world of difference. Early in the Fortigate firmware releases, tunnel mode was the default. It was easy to set up, and the routing was handled behind the scenes by the Fortigate itself. There was a major limitation, though: you could only route traffic to the subnet directly behind the remote unit. If there was a subnet outside of the remote unit's direct access, it would be unreachable.
With interface-mode IPSec tunnels, the definition is a physical interface that can be treated like any local Fortigate interface. You can now create a static route to that interface for networks beyond the remote device's reach. Using NAT on an interface-based IPSec tunnel is more straightforward as well. This is now the default configuration when creating tunnels. The older route-based type (type=ENCRYPT in the policies) is now considered legacy and is more or less not being used. It does still work and can be used, but I would suggest against it, mostly for debug purposes.
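To make the difference concrete, here is an added FortiOS CLI example (not taken from the original thread or from Fortinet documentation) that builds the same site-to-site tunnel both ways: first as an interface-mode tunnel with static routes to a subnet that sits beyond the remote peer, then as the legacy policy form where the firewall policy itself carries the tunnel (`set action ipsec`, the ENCRYPT type the answer refers to). Interface names (`wan1`, `lan`), the tunnel name, the address objects and all addresses are constructed assumptions; the peer is a documentation address and the subnets are private ranges.

```fortios
# Added example; names, interfaces and addresses are constructed, not from the thread.

# ---------- Interface mode: the tunnel is an interface you can route to ----------
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end
# Static routes point at the tunnel interface. 10.30.0.0/24 is a hop behind the
# remote peer, which the old tunnel mode could not reach; here it is just another route.
config router static
    edit 10
        set dst 10.20.0.0 255.255.255.0
        set device "to-branch"
    next
    edit 11
        set dst 10.30.0.0 255.255.255.0
        set device "to-branch"
    next
end
# Explicit address objects so only the intended subnets cross the tunnel.
config firewall address
    edit "lan-net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "branch-net"
        set subnet 10.20.0.0 255.255.255.0
    next
    edit "branch-dc-net"
        set subnet 10.30.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "remote-nets"
        set member "branch-net" "branch-dc-net"
    next
end
# Ordinary accept policies, one per direction, with the tunnel as an interface.
config firewall policy
    edit 100
        set name "lan-to-branch"
        set srcintf "lan"
        set dstintf "to-branch"
        set srcaddr "lan-net"
        set dstaddr "remote-nets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set name "branch-to-lan"
        set srcintf "to-branch"
        set dstintf "lan"
        set srcaddr "remote-nets"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---------- Legacy tunnel (policy-based) mode, shown for comparison ----------
# No tunnel interface and no static route: the policy itself selects the tunnel,
# so only the subnet named in dstaddr is reachable through it.
config vpn ipsec phase1
    edit "to-branch-legacy"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2
    edit "to-branch-legacy-p2"
        set phase1name "to-branch-legacy"
    next
end
config firewall policy
    edit 200
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "branch-net"
        set action ipsec
        set vpntunnel "to-branch-legacy"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
```

The point to notice is in the routing and policy sections: in interface mode the tunnel appears as `set device "to-branch"` in a static route and as `srcintf`/`dstintf` in plain accept policies, so adding a reachable network is one more route and nothing else changes; in the legacy form the reachable network is whatever `dstaddr` names in the single ipsec-action policy, with no route at all. When reviewing a configuration, keep the address objects narrow and pair each tunnel policy with its return-direction policy, since the tunnel interface otherwise carries whatever the policy allows.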