Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nikolaj
New Contributor

VPN tunnel and interface mode

Hi everybody,

The VPN section is divided into two groups: tunnel mode and interface mode.

What is the difference between the two?

Thank you.

1 Solution
rwpatterson
Valued Contributor III

From a remote end, there will be no difference in how the IPSec tunnel is presented. From the Fortigate end, there is a world of difference. Early in the Fortigate firmware releases, the tunnel mode was the default. It was easy to set up and the routing was handled behind the scenes by the Fortigate itself. There was a major limitation though: you could only route traffic to the subnet directly behind the remote unit. If there was a subnet outside of the remote unit's direct access, it would be unreachable.

 

With interface mode IPSec tunnels, the definition is a physical interface that can be treated like any local Fortigate interface. You can now create a static route to that interface for networks beyond the remote device's reach. Using NAT on an interface based IPSec tunnel is more straightforward as well. This is now the default configuration when creating tunnels. The older route based (type=ENCRYPT in the policies) is now considered legacy and is more or less not being used. It does still work and can be used, but I would suggest against it, mostly for debug purposes.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

4 REPLIES 4
ede_pfau

One of the rare cases where policy-mode VPN has to be used is if the FGT is running in Transparent Mode (not Routing/NAT).

Ede Kernel panic: Aiee, killing interrupt handler!
nikolaj

So policy-based and tunnel mode are the same thing?

The FGT of my company is not running in transparent mode (it has a public interface) but anyway it uses policy-mode VPN.

 

nikolaj

Can you explain this to me?

"Using NAT on an interface based IPSec tunnel is more straightforward as well"

 
