Transparent VPN infrastructure requirements
The local FortiGate unit must be operating in transparent mode.
The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
If the remote peer is operating in NAT mode, it must have a static public IP address.
A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:
The unit must have sufficient routing information to reach the management station.
For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.
Only policy-based VPN configurations are possible in transparent mode.
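The requirements above can be checked against a saved configuration before the tunnel is built. The following is an added example, not Fortinet code: `parse` and `audit` are hypothetical helpers, the sample configuration is constructed, and the check assumes `show`-style output in which an omitted `dst` on a static route means the default route and `phase1-interface` entries are interface-mode (route-based) tunnels.

```python
import shlex

# Constructed sample in FortiOS "show" format (documentation address ranges).
SAMPLE = """\
config system settings
    set opmode transparent
    set manageip 192.0.2.10/255.255.255.0
end
config router static
    edit 1
        set gateway 192.0.2.1
    next
end
config vpn ipsec phase1
    edit "to_remote"
    next
end
"""

def parse(text):
    """Map each config/edit path to its {key: [values]} 'set' lines."""
    out, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
            out.setdefault(tuple(stack), {})
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 1:
            out.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
    return out

def audit(text):
    """Return the transparent-mode VPN requirements that the config misses."""
    cfg = parse(text)
    entries = lambda s: [v for k, v in cfg.items() if len(k) == 2 and k[0] == ("config", s)]
    settings = cfg.get((("config", "system settings"),), {})
    anywhere = ["0.0.0.0", "0.0.0.0"]  # assumption: omitted dst means default route
    missing = []
    if settings.get("opmode") != ["transparent"]:
        missing.append("unit is not in transparent mode")
    if not settings.get("manageip"):
        missing.append("no management IP to act as the local VPN gateway")
    if not any(r.get("gateway") and r.get("dst", anywhere) == anywhere
               for r in entries("router static")):
        missing.append("no default static route to an edge router")
    if entries("vpn ipsec phase1-interface"):
        missing.append("interface-mode phase 1 found; only policy-based VPN is possible")
    return missing
```

`audit(SAMPLE)` returns an empty list; each string it returns for another configuration names one requirement from this section that is not met.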