Hi everybody,
The VPN section is divided into two groups: tunnel mode and interface mode.
What is the difference between the two?
Thank you.
From a remote end, there will be no difference in how the IPSec tunnel is presented. From the Fortigate end, there is a world of difference. Early in the Fortigate firmware releases, the tunnel mode was the default. It was easy to set up and the routing was handled behind the scenes by the Fortigate itself. There was a major limitation though: you could only route traffic to the subnet directly behind the remote unit. If there was a subnet outside of the remote unit's direct access, it would be unreachable.
With interface mode IPSec tunnels, the definition is a physical interface that can be treated like any local Fortigate interface. You can now create a static route to that interface for networks beyond the remote device's reach. Using NAT on an interface based IPSec tunnel is more straightforward as well. This is now the default configuration when creating tunnels. The older route based (type=ENCRYPT in the policies) is now considered legacy and is more or less not being used. It does still work and can be used, but I would suggest against it, mostly for debug purposes.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
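To make the two modes concrete, here is an added example (not from Bob's post and not Fortinet's own documentation) of what the same site-to-site tunnel looks like in FortiOS CLI in policy/tunnel mode and then in interface mode. All names and addresses are assumed placeholders: `wan1`, `internal`, the tunnel name `to-branch`, the peer 203.0.113.10, the local LAN 10.1.0.0/24, the branch LAN 10.2.0.0/24 and a second subnet 10.3.0.0/24 that sits behind the branch unit; the pre-shared key is a placeholder as well. The interface-mode half shows the point made above: a second static route pointed at the tunnel interface is all that is needed to reach the subnet beyond the remote device.

```fortios
# Added example, not the poster's configuration. Placeholder names/addresses.
# Address objects used by both variants.
config firewall address
    edit "LAN_10.1.0.0"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "BRANCH_10.2.0.0"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "BEYOND_10.3.0.0"
        set subnet 10.3.0.0 255.255.255.0
    next
end

# ---- Variant A: policy-based (tunnel mode) ----
# No interface is created; the firewall policy itself (action ipsec)
# decides which traffic enters the tunnel.
config vpn ipsec phase1
    edit "to-branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set psksecret REPLACE_WITH_A_LONG_RANDOM_PSK   # placeholder
    next
end
config vpn ipsec phase2
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_10.1.0.0"
        set dstaddr "BRANCH_10.2.0.0"
        set action ipsec               # shows as ENCRYPT in the policy list
        set vpntunnel "to-branch"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end

# ---- Variant B: interface mode (route-based) ----
# phase1-interface creates a virtual interface named "to-branch";
# routing and ordinary accept policies do the rest.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set psksecret REPLACE_WITH_A_LONG_RANDOM_PSK   # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
    next
end
config router static
    edit 1
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
    edit 2
        # Subnet behind the branch unit: just another route via the tunnel.
        set dst 10.3.0.0 255.255.255.0
        set device "to-branch"
    next
end
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "LAN_10.1.0.0"
        set dstaddr "BRANCH_10.2.0.0" "BEYOND_10.3.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 21
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "BRANCH_10.2.0.0" "BEYOND_10.3.0.0"
        set dstaddr "LAN_10.1.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The two variants are not meant to coexist on one unit; pick one. Note that in variant B the tunnel interface appears in `srcintf`/`dstintf` like any physical port, so the usual per-direction policies (and NAT, if wanted) apply to it, whereas in variant A everything hinges on the single `action ipsec` policy.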
One of the rare cases where policy-mode VPN has to be used is if the FGT is running in Transparent Mode (not Routing/NAT).
So policy-based and tunnel mode are the same thing?
The FGT of my company is not running in transparent mode (it has a public interface), but it uses policy-mode VPN anyway.
Can you explain this to me?
"Using NAT on an interface based IPSec tunnel is more straightforward as well"
Copyright 2024 Fortinet, Inc. All Rights Reserved.