Handbook

Using IPsec VPNs in transparent mode

6.0.0

Using IPsec VPNs in transparent mode

In transparent mode, IPsec VPN is supported in policy-based configuration mode only; interface-based (route-based) IPsec is not available, because a transparent-mode FortiGate bridges traffic rather than routing it.

IPsec VPN in transparent mode can be used in the following scenarios:

  • Encrypt data over routed networks without changing anything on the routers. See example 1.
  • Encrypt data over a non-routed transport network (for example, a LAN extension). See example 2.

The following rules apply to IPsec in transparent mode:

  • If the two FortiGate IPsec gateways are not in the same broadcast domain (they are separated by routers):
      • The hosts on each side must be on different subnets.
      • The FortiGate management IP addresses must be in the same subnet as the local hosts. In transparent mode the management IP is the address the FortiGate uses as its local IPsec gateway, so the peer and the routers in between must be able to reach it. This is the preferred deployment.
  • If the two FortiGate IPsec gateways are in the same broadcast domain (separated only by switches, optical switches for example), the hosts on each side can be:
      • On the same subnet.
      • On different subnets, provided the appropriate static route is configured on the remote FortiGate.
      • In this case the FortiGate management IP addresses can be in a different subnet from the local hosts.
  • A firewall policy with the action IPsec is what sends traffic destined for the remote device into the tunnel. It is therefore important to connect all remote devices to the appropriate ports of the FortiGate so that the policy matches correctly on <source interface + destination interface>. See the section on transparent mode firewall processing for more details.

Note: the remote hosts located on the remote FortiGate's protected subnets must have their MAC addresses hard-coded in the FortiGate's static MAC entry list. If this is not configured, expect outages in network communications.
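The following CLI fragment is an added example, not configuration from this handbook page or from Fortinet, showing one FortiGate (call it FortiGate A) in the routed scenario of example 1: hosts on different subnets and the management IP in the same subnet as the local hosts. All interface names, addresses, object names, the pre-shared key and the MAC address are assumptions chosen for the example; the `#` lines are annotations, not CLI input. FortiGate B is configured as the mirror image (its own management IP, the opposite subnets in phase 2, and FortiGate A's management IP as `remote-gw`).

```fortios
# FortiGate A: transparent mode, management IP in the local host subnet (rule for routed networks).
# port1 faces the local hosts (192.168.1.0/24); port2 faces the router (192.168.1.254) toward FortiGate B.
config system settings
    set opmode transparent
    set manageip 192.168.1.1/24
end

# Default route for the FortiGate's own IKE/ESP traffic; transparent mode still needs a gateway for it.
config router static
    edit 1
        set gateway 192.168.1.254
        set device "port2"
    next
end

config firewall address
    edit "LAN_A"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "LAN_B"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Policy-based phase 1 ("config vpn ipsec phase1", not "phase1-interface"): no tunnel interface is created.
# remote-gw is FortiGate B's management IP, which sits in B's host subnet 192.168.2.0/24.
config vpn ipsec phase1
    edit "to_FGT_B"
        set interface "port2"
        set remote-gw 192.168.2.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ChangeMe-ExamplePSK"
    next
end

config vpn ipsec phase2
    edit "to_FGT_B_p2"
        set phase1name "to_FGT_B"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# The IPsec-action policy selects the tunnel. srcintf/dstintf must be the ports the local and
# remote devices are actually behind, otherwise the <source interface + destination interface> match fails.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_A"
        set dstaddr "LAN_B"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_FGT_B"
    next
end

# Static MAC entry for a host behind FortiGate B, as the note above requires (constructed placeholder MAC).
# One entry per remote host, on the port through which that host is reached.
config system mac-address-table
    edit 00:0c:29:aa:bb:cc
        set interface "port2"
    next
end
```

After both sides are configured, `diagnose vpn ike gateway list` should show the IKE SA up against the peer's management IP and `diagnose vpn tunnel list` should show the phase 2 selectors 192.168.1.0/24 and 192.168.2.0/24; if the SA comes up but host traffic does not flow, re-check the policy's srcintf/dstintf against the ports the hosts are plugged into, and the static MAC entries.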
