IKE/IPsec Extended Sequence Number (ESN) support (255144)

This feature implements negotiation of 64-bit Extended Sequence numbers as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2.


Updates and enhancements to the IPsec VPN wizard (222339 290377 287021 289251)

The IPsec VPN wizard has been simplified to more clearly identify tunnel template types, remote device types, and NAT configuration requirements. Example topological diagrams are now also included.

New Dialup – FortiGate and Dialup – Windows (Native L2TP/IPsec) tunnel template options.


Cisco compatible keep-alive support for GRE (261595)

The FortiGate can now send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.



config system gre-tunnel edit <id>

set keepalive-interval <value: 0-32767>

set keepalive-failtimes <value: 1-255>

next end


Repeated Authentication in Internet Key Exchange (IKEv2) Protocol (282025)

This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. As described by the IETF, “the purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer”.



config vpn ipsec phase1-interface edit p1

set reauth [enable | disable]

next end


Improvements to IPsec VPN in ADVPN hub-and-spoke (275322)

IPsec VPN traffic is now allowed through a tunnel between an ADVPN hub-and-spoke config vpn ipsec phase1-interface edit “int-fgtb”

set auto-discovery-sender [enable | disable] set auto-discovery-receiver [enable | disable] set auto-discovery-forwarder [enable | disable]

… next


config vpn ipsec phase2-interface edit “int-fgtb”

set auto-discovery-sender phase1 [enable | disable]

… next




ADVPN support for NAT device (299798)

The ADVPN feature has been extended so that it allows ADVPN shortcuts to be negotiated as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages was changed so that they use TLV encoding. Since the on-the- wire format has changed this is not compatible with any previous ADVPN builds.



AESGCM support (281822)

AES-GCM (128 | 256) AEAD has been added, as specified in RFC 4106:

config vpn ipsec phase1-interface edit “tofgta”

set suite-b disable | suite-b-gcm-128 | suite-b-gcm-256

… next


config vpn ipsec phase2-interface

edit “tofgta”

set phase1name “tofgta”

set proposal aes128gcm aes256gcm

… next


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

7 thoughts on “IPsec VPN

  1. ionel

    I don’t have suite-b enabled. on what models is it available?
    tried on 60D and 200D

    FG200D[S/N] (benchmark) # set suite-b suite-b-gcm-128

    command parse error before ‘suite-b-gcm-128’
    Command fail. Return code -61

    FG200D[S/N] (benchmark) # set suite-b <- "?" KEY PRESSED
    disable Do not use UI suite.


    1. Mike Post author

      It shouldn’t…one of mine has the standard license and the other isn’t licensed at all currently.

      config vpn ipsec phase1-interface
      Set suite-b…..

  2. ionel

    updated to v5.6 and still the same return code -61

    maybe is this particular model not having the hardware for gcm?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.