Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IrbkOrrum
Contributor

"Custom" tunnel vs "Site to Site - FortiGate"

Many moons ago, when I was first learning FortiGate firewalls, I was taught to use the VPN IPsec Wizard to create the initial VPN but then convert the tunnel from a "Site to Site - FortiGate" tunnel to a "Custom Tunnel".  At the time I wasn't doing many VPN connections to other FortiGates, so that is always the way I've built a tunnel.  

Now, I'm doing more FortiGate to FortiGate VPN connections and I'm wondering if the "Site to Site - FortiGate" tunnel template is "better" for FortiGate to FortiGate connections? It seems like using the "Site to Site - FortiGate" on each side reduces the chances of misconfiguration but perhaps it's also a security concern? Either works for me, I'm just curious if one or the other is considered "better" or if it's just sort of "dealer's choice".

TIA!

*****EDIT*****

There seems to be some misunderstanding with what my question is.  Let me try and clarify.  
When creating a FortiGate to FortiGate VPN using the IPsec Wizard, is it "better" to
1. Leave the tunnel as the default "Site to Site - FortiGate" tunnel template
2. Convert the tunnel to a "custom tunnel"
3. Personal choice

3 REPLIES
dbhavsar
Staff

Good day @IrbkOrrum ,

 

If the tunnel is between 2 FortiGates it's fine to use the wizard, which will create the policy and routes and will add the default ENC and AUTH protocols. But if you are configuring a tunnel to a 3rd party firewall you might need to modify the ENC and AUTH protocols, and that is when you can create the tunnel manually or convert the wizard tunnel to a custom tunnel.

DNB
IrbkOrrum

Yeah, I understand that you likely need to convert it to a custom tunnel if you're not connecting to another FortiGate. The question is, for FortiGate to FortiGate connections, is it "better" to leave the tunnel a "Site to Site - FortiGate" tunnel, convert it to a "custom tunnel", or is it personal choice?

AEK
SuperUser

When you want it quick and easy you'd better use the wizard/template. It automatically uses the recommended algorithms for auth and encryption, creates objects for you and so on.

But when you master the process or need customization then you prefer the custom config.

AEK