Chris Jones writes:

> I may have been mistaken. I just pulled this information from this document
> which Gregory Lebovitz from Netscreen co-authored back in 2003.

No FortiGate model supported GRE in 2003, it wasn't added until 2006.

> On page 46 he talks about using GRE to create a virtual routing
> interface AKA tunnel interface. I have configured route-based VPNs
> between a Netscreen and FortiGate which interop just fine, which
> leads me to believe that they are using the same approach to tunnel
> interfaces.

They are using the same approach, it just isn't GRE based. Both FortiGate and Netscreen allow you to define an IPsec interface which has the routing benefits described in http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf but which is also compatible with anything that supports tunnel mode IPsec.

> I have yet to get this to work between an OpenBSD box and a
> FortiGate/Netscreen. I will look into the gif option to see if this will
> work.

It isn't clear to me why you don't just use tunnel mode IPsec on OpenBSD, it is compatible with both FortiGate and Netscreen. The gif approach is going to be a problem unless you have an IKE daemon that can negotiate tunnel mode (because that's what the FortiGate will expect) but actually use transport+IPIP as per the RFC draft referenced in the above.

