IPSec VPN Between Branch Router/Aerohive AP and FortiGate

  • 1
  • Question
  • Updated 1 year ago
  • Answered
  • (Edited)

Because the BRs or HiveAPs can be deployed at the field for branch offices and they can be linked to a CVG in order to stablish an IPSec VPN tunnel, is it possible to have the same configuration but with a FortiGate intead of the CVG?

Waiting for your comments!

Thanks a lot for your help!

Elkin Gonzalez
Photo of Elkin Gonzalez

Elkin Gonzalez

  • 3 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Anupam Upadhyaya

Anupam Upadhyaya

  • 11 Posts
  • 4 Reply Likes
Today the BRs can only establish IPSEC tunnels to CVG
Photo of Juha Lindström

Juha Lindström

  • 8 Posts
  • 0 Reply Likes
Is this something subject to change with HiveOS 6 perhaps?

Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
We recognize that many of our customers already have equipment that is very capable of acting as tunnel terminators and we have intentions to add third-party IPSec VPN support in the future. We cannot comment on specific timing or capabilities at this time.
Photo of Jason Hills

Jason Hills

  • 78 Posts
  • 3 Reply Likes
I think this has answered my question, re 3rd party VPN tunnel support not possible.

I have a request to setup an IPSec VPN between an office which has 3rd party IPSec hardware, to a VPN connection with an AP330.

My query, is it possible for an AP330 to terminate an IPSec VPN with a non-aerohive IPSec hardware?

The office with the IPSec hardware, also does have a hive of AP330s, but since they already have an IPSec VPN in use, it would be easier to use that rather than setting up a new VPN.

thanks all... 
Photo of Amanda


  • 396 Posts
  • 25 Reply Likes
This topic was worthy of it's own conversation. Please reference the new topic here: Is it possible for an AP330 to terminate an IPSec VPN with a non-aerohive IPSec h...
Photo of David R.

David R.

  • 1 Post
  • 1 Reply Like

Hello all,

I did tests with Aerohive IPSec VPN and I saw Aerohive VPN is based on draft-ietf-ipsra-isakmp-xauth-06.txt

I couldn't do a VPN with third pary hardware because phase 1 auth in Aerohive must support mutual auth or hybrid auth: XPSK, XRSASIG or HRSA. If your hardware supports this auth methods maybe you could stablish the VPN.


Photo of Yves Holenstein

Yves Holenstein

  • 1 Post
  • 0 Reply Likes
Has there been any updates on this? It is a killer criteria for us to keep the on-premise FortiGate Security Appliances in our headquarters. I do not yet see the benefit of putting in a separate AeroHive VPN Gateway for many $$$. Meraki can do it...
Photo of Thibault


  • 5 Posts
  • 0 Reply Likes

I'm already trying to configure IPsec (layer 2) beetween an AP230 (client) and a fortigate firewall.
Do you know if this functionnality is know supported by Aerohive ?

Photo of Christian Hilgers

Christian Hilgers

  • 2 Posts
  • 0 Reply Likes
Hi Thibault,

I'm not sure if this is working. I tried the same.
I think Fortigate only supports GRE L3 tunnel.

Do you have a solution?