IKE/IPsec Extended Sequence Number (ESN) support (255144)

This feature implements negotiation of 64-bit Extended Sequence numbers as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2.


Updates and enhancements to the IPsec VPN wizard (222339 290377 287021 289251)

The IPsec VPN wizard has been simplified to more clearly identify tunnel template types, remote device types, and NAT configuration requirements. Example topological diagrams are now also included.

New Dialup – FortiGate and Dialup – Windows (Native L2TP/IPsec) tunnel template options.


Cisco compatible keep-alive support for GRE (261595)

The FortiGate can now send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.



config system gre-tunnel edit <id>

set keepalive-interval <value: 0-32767>

set keepalive-failtimes <value: 1-255>

next end


Repeated Authentication in Internet Key Exchange (IKEv2) Protocol (282025)

This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. As described by the IETF, “the purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer”.



config vpn ipsec phase1-interface edit p1

set reauth [enable | disable]

next end


Improvements to IPsec VPN in ADVPN hub-and-spoke (275322)

IPsec VPN traffic is now allowed through a tunnel between an ADVPN hub-and-spoke config vpn ipsec phase1-interface edit “int-fgtb”

set auto-discovery-sender [enable | disable] set auto-discovery-receiver [enable | disable] set auto-discovery-forwarder [enable | disable]

… next


config vpn ipsec phase2-interface edit “int-fgtb”

set auto-discovery-sender phase1 [enable | disable]

… next




ADVPN support for NAT device (299798)

The ADVPN feature has been extended so that it allows ADVPN shortcuts to be negotiated as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages was changed so that they use TLV encoding. Since the on-the- wire format has changed this is not compatible with any previous ADVPN builds.



AESGCM support (281822)

AES-GCM (128 | 256) AEAD has been added, as specified in RFC 4106:

config vpn ipsec phase1-interface edit “tofgta”

set suite-b disable | suite-b-gcm-128 | suite-b-gcm-256

… next


config vpn ipsec phase2-interface

edit “tofgta”

set phase1name “tofgta”

set proposal aes128gcm aes256gcm

… next


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos