dirkdigs
New Member
April 22, 2014
Question

What is the difference between IPsec tunnel mode and interface mode?

Can anyone explain to me the difference between the two?


    emnoc
    New Member
    April 22, 2014
    IPsec VPNs are defined by one of 2 means: a fwpolicy that has the action of encrypt enabled in the policy, or a regular fwpolicy that points thru a VPN tunnel that was named in your phase1 setup. The latter will always have a "route" installed pointing to the remote LAN/destination. It's simply called a "route-based" VPN, while the former is called "policy-based" because the actual policy enables the encryption for interesting traffic. This is a take-over from the early NetScreen and Juniper days btw.
    AndreaSoliva
    New Member
    April 25, 2014
    Hi. One thing is also important:
    - Policy Mode (often not accelerated and slow)
    - Interface Mode (always accelerated and fast, as it is easy to implement and troubleshoot)
    Policy Mode should only be used for interoperability devices. By standard, up to 5.0.4, Interface Mode is the new standard for creating VPNs on FGT. Before, it was Policy Mode, and within Phase 1 it has to be enabled, otherwise it is automatically Policy Mode. Acceleration of encryption can be checked by the following command (the example shows Interface Mode acceleration by hardware, not software, which is often or always used by Policy Mode):
    # diag vpn ipsec status
    All ipsec crypto devices in use:
    CP6
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 11342694 118453159
    null: 0 0
    md5: 0 0
    sha1: 11342694 118453159
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    SOFTWARE:
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    Hope this helps, have fun. Andrea
    rickards
    New Member
    May 9, 2014
    This comes from a mid-range FortiGate FW with many policy-based VPN tunnels in operation:
    diag vpn ipsec status
    All ipsec crypto devices in use:
    NP2-0
    null: 0 0
    des: 0 0
    3des: 0 181260288
    aes: 0 4992
    aria: 0 0
    seed: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 181265280
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    NPU HARDWARE
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    aria: 0 0
    seed: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    CP6
    null: 0 0
    des: 0 0
    3des: 1151690363 1163873628
    aes: 104992348 137069804
    aria: 0 0
    seed: 0 0
    null: 0 0
    md5: 3045848 3308060
    sha1: 1253636863 1297635372
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    SOFTWARE:
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    aria: 0 0
    seed: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    sha384: 0 0
    sha512: 0 0
    The only VPN traffic I have seen not HW accelerated is authentication higher than SHA-1, not depending on policy- or interface-based. Could you please elaborate on that statement?
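Both replies above read the `diag vpn ipsec status` counters by eye. As an added example (not from this thread and not Fortinet's code), the following Python script parses that output, sums the counters per crypto device, and reports which algorithms ran in SOFTWARE and what share of packets a hardware engine handled. The sample output is constructed from the quoted replies, and the reading of the two columns as encrypted/decrypted packet counts is an assumption.

```python
# Parse FortiGate `diag vpn ipsec status` output and report which crypto engine
# (hardware such as CP6/NP2 vs SOFTWARE) carried the IPsec traffic.
import re
from collections import defaultdict

# Constructed sample modelled on the output quoted above, plus a made-up
# SOFTWARE sha256 row to show how un-accelerated traffic is reported.
# Assumption: the two columns are (encrypted, decrypted) packet counters.
SAMPLE = """\
All ipsec crypto devices in use:
CP6
null: 0 0
3des: 0 0
aes: 11342694 118453159
null: 0 0
sha1: 11342694 118453159
SOFTWARE:
null: 0 0
aes: 0 0
sha256: 4321 5678
"""
COUNTER = re.compile(r"^(\w+):\s+(\d+)\s+(\d+)$")

def parse_ipsec_status(text):
    """Return {device: {algorithm: (encrypted, decrypted)}}. 'null' appears
    once in the cipher list and once in the hash list, so its rows are summed."""
    devices, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("All ipsec crypto devices"):
            continue
        m = COUNTER.match(line)
        if m is None:                       # device header: CP6, NP2-0, SOFTWARE:
            current = line.rstrip(":")
            devices[current] = defaultdict(lambda: (0, 0))
            continue
        alg, enc, dec = m.group(1), int(m.group(2)), int(m.group(3))
        e, d = devices[current][alg]
        devices[current][alg] = (e + enc, d + dec)
    return {dev: dict(algs) for dev, algs in devices.items()}

def software_rows(devices):
    """Algorithms with non-zero counters under SOFTWARE, i.e. not accelerated."""
    return sorted((a, e, d) for a, (e, d) in devices.get("SOFTWARE", {}).items() if e or d)

def hardware_share(devices):
    """Fraction of all counted packets handled by a non-SOFTWARE device."""
    hw = sum(e + d for dev, algs in devices.items() if dev != "SOFTWARE"
             for e, d in algs.values())
    sw = sum(e + d for e, d in devices.get("SOFTWARE", {}).values())
    return hw / (hw + sw) if hw + sw else 0.0
```

Run it against a pasted `diag vpn ipsec status` capture in place of SAMPLE; a non-empty `software_rows` result is the quickest way to spot tunnels whose ciphers or hashes are not being offloaded.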