Number of client-to-gateway VS gateway-to-gateway IPSEC VPN tunnels specified in FortiGate datasheet

This article describes the difference between the number of supported client-to-gateway IPSEC VPN tunnels and gateway-to-gateway IPSEC VPN tunnels specified in the FortiGate datasheet.

Scope

FortiGate.

Solution

For every FortiGate model, the datasheet publishes, in addition to the IPSEC VPN throughput, the maximum number of supported client-to-gateway (also referred to as remote access or dialup) IPSEC VPN tunnels and the maximum number of supported gateway-to-gateway (also referred to as site-to-site) IPSEC VPN tunnels.

The specified IPSEC throughput can be consumed by gateway-to-gateway (site-to-site) tunnels, client-to-gateway (remote access) tunnels, or a combination of both, up to the maximum throughput and the maximum tunnel quantities specified.

These two numbers are often different, as in the datasheet example shown below:

A question that comes up often is why these two numbers are different.

The answer lies in the way these two IPSEC VPN tunnel modes are configured. The number of gateway-to-gateway (site-to-site) IPSEC VPN tunnels is capped by the number of phase1 configurations that can be created on a given FortiGate, because each site-to-site tunnel needs its own phase1 entry with a static remote gateway.

For the phase1 quantity, every FortiGate has a configuration table size limit ('config vpn ipsec phase1' for policy-based configurations, or the maximum number of logical interfaces allowed for route-based 'config vpn ipsec phase1-interface' configurations).

Client-to-gateway (remote access) IPSEC VPN tunnels, by contrast, can all terminate on a single dialup phase1-interface configuration (so the table size limit is never reached) that accepts multiple clients; their number is therefore bounded by the hardware resources of each FortiGate device (CPU, RAM, etc.) rather than by the configuration table.
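The configuration difference described above, as an added illustration that is not part of this article: three site-to-site tunnels each need their own phase1-interface entry (three table rows), whereas any number of remote access clients share one dialup phase1-interface entry (one table row). Interface names, peer addresses, the address pool and the user group are assumed values for the example only; the pre-shared keys are placeholders.

```text
# --- Gateway-to-gateway (site-to-site): one phase1-interface entry per peer ---
# Each entry consumes one row of the phase1-interface table, so the number of
# site-to-site tunnels can never exceed the table size limit of the model.
config vpn ipsec phase1-interface
    edit "s2s-branch1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.11      # assumed peer address (documentation range)
        set psksecret <PSK-PLACEHOLDER-1>
    next
    edit "s2s-branch2"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.12      # assumed peer address (documentation range)
        set psksecret <PSK-PLACEHOLDER-2>
    next
    edit "s2s-branch3"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.13      # assumed peer address (documentation range)
        set psksecret <PSK-PLACEHOLDER-3>
    next
end

# --- Client-to-gateway (remote access / dialup): ONE phase1-interface entry ---
# 'set type dynamic' means no fixed remote gateway: every authenticated client
# builds its own IKE SA against this single entry, so the table row is used once
# regardless of how many clients connect. The client count is then limited by
# CPU, RAM and the datasheet figure, not by the phase1 table.
config vpn ipsec phase1-interface
    edit "dialup-ra"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"       # assumed local user group
        set mode-cfg enable
        set ipv4-start-ip 10.200.0.1     # assumed client address pool
        set ipv4-end-ip 10.200.0.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-PLACEHOLDER-RA>
    next
end
```

To compare a deployment against these limits on the device itself, 'print tablesize' (filtered for vpn.ipsec.phase1-interface) shows the configured maximum number of phase1 entries for that model, 'get vpn ipsec tunnel summary' lists the tunnels currently established (each connected dialup client appears as a separate tunnel under the one dialup phase1), and 'get system performance status' shows the CPU and memory headroom that ultimately bounds the remote access client count.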