FortiGate
Jonathan_Body_FTNT
Article Id 189865

Description

This article explains the differences between IKEv1 and IKEv2 when name-based selectors are used in FortiOS, and when each form of selector is appropriate.


Scope

All FortiOS versions.


Solution

FortiOS and IKEv1

Name-based selectors are valid for FortiGate-to-FortiGate IPsec configurations. Named quick mode selectors were carried over into FortiOS v3.0 to allow upgrades from FortiOS v2.8. Name-based selectors are not compatible with third-party IKEv1 gateways.

Named selectors are not RFC compliant with IKEv1: quick mode selectors are exchanged as addresses, subnets or ranges, so a named object (which may resolve to several entries) has no standard representation that a non-Fortinet peer can interpret. The feature, originally implemented in FortiOS v2.8, lets users upgrade to FortiOS v3.0 without having to change the configuration manually.

Fortinet recommends that, when upgrading to FortiOS v3.0, the configuration be moved away from named selectors and towards RFC-compliant (subnet-based) selectors.

Name-based selector configurations are used in the following scenario:

FortiGate to FortiClient
    • "Pushing" multiple networks to a FortiClient, whereby FortiClient retrieves its configuration via VPD
    • Name-based selectors are required as the "src-name" in the FortiGate phase 2 configuration for this setup to work

When third-party vendors are part of a deployment, Fortinet recommends using at least FortiOS v4.1 and IKE mode-cfg for "pushing" networks in a VPN policy deployment scenario.
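The two phase 2 forms discussed above, plus the mode-cfg alternative, as an added example that is not part of the original article (FortiOS CLI; object names, addresses, the WAN interface and the PSK are placeholders chosen for illustration). The first phase 2 uses name-based selectors, which only a FortiGate or FortiClient peer will match under IKEv1; the second carries the same traffic with subnet selectors, which any RFC-compliant IKEv1 gateway can match. The dial-up phase 1 at the end shows IKE mode-cfg with a split-include group, the method recommended above for pushing networks to clients instead of relying on a name-based selector.

```text
# Added example (not from the article). Object names, addresses, the WAN
# interface and the PSK are placeholders; adjust them to the deployment.

config firewall address
    edit "BRANCH_LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "HQ_LAN"
        set subnet 10.2.2.0 255.255.255.0
    next
end

config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 1
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-strong-psk"
    next
end

# IKEv1 phase 2 with name-based (quick mode) selectors. Only valid when
# the peer is a FortiGate or FortiClient: quick mode IDs carry addresses,
# subnets or ranges, so a third-party gateway cannot match a named object.
config vpn ipsec phase2-interface
    edit "to-hq-named"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set src-addr-type name
        set src-name "BRANCH_LAN"
        set dst-addr-type name
        set dst-name "HQ_LAN"
    next
end

# RFC-compliant alternative for the same traffic (configure one of the
# two, not both): subnet selectors that the peer sees as ordinary
# quick mode ID payloads. Use this for non-Fortinet peers.
config vpn ipsec phase2-interface
    edit "to-hq-subnet"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set src-addr-type subnet
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end

# Dial-up phase 1 with IKE mode-cfg: the client receives its tunnel
# address and the networks to route into the tunnel (split-include)
# from the FortiGate, so no name-based selector is needed.
config firewall addrgrp
    edit "PUSHED_NETS"
        set member "BRANCH_LAN" "HQ_LAN"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-clients"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "PUSHED_NETS"
        set psksecret "replace-with-a-strong-psk"
    next
end
```

After the tunnel comes up, "diagnose vpn tunnel list" shows the selectors that were actually negotiated; with the subnet form they appear as the configured source and destination subnets, which is what a third-party peer must be configured to mirror.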

FortiOS and IKEv2

With IKEv2, name-based selectors are RFC compliant and can be used with third-party IKE gateways, because the named object is expanded into ordinary traffic selector payloads:

    • Since FortiOS v4.0, modifications to a firewall address group used in phase 2 selectors are dynamically taken into account by IKE.
    • Since FortiOS v4.0 MR3, named selectors can be configured from the GUI.
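An IKEv2 tunnel to a third-party gateway using name-based selectors that point at an address group, as an added example that is not part of the original article (FortiOS CLI; names, addresses and the PSK are placeholders). The last command adds a second network to the group without touching the phase 2, which is the dynamic update described in the first bullet above.

```text
# Added example (not from the article). Names, addresses and the PSK are
# placeholders; adjust them to the deployment.

config firewall address
    edit "BRANCH_LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "PARTNER_NET_A"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "PARTNER_NET_B"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "PARTNER_NETS"
        set member "PARTNER_NET_A"
    next
end

config vpn ipsec phase1-interface
    edit "to-partner"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.20
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-strong-psk"
    next
end

# With IKEv2 the named objects are expanded into the traffic selector
# payloads (TSi/TSr), so the third-party gateway sees plain address
# ranges and can match them against its own policy.
config vpn ipsec phase2-interface
    edit "to-partner-p2"
        set phase1name "to-partner"
        set proposal aes256-sha256
        set src-addr-type name
        set src-name "BRANCH_LAN"
        set dst-addr-type name
        set dst-name "PARTNER_NETS"
    next
end

# Adding a member to the group is picked up by IKE without editing the
# phase 2: the next child SA negotiation covers both partner networks.
config firewall addrgrp
    edit "PARTNER_NETS"
        append member "PARTNER_NET_B"
    next
end
```

"diagnose vpn tunnel list name to-partner" confirms which selectors were negotiated after the group change; the peer must have a matching policy for the new network or IKEv2 will narrow or reject the selector.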
