Skip to main content
johnlloyd_13
johnlloyd_13
Explorer III
September 12, 2025
Question

FMG Tunnel Phase 2 Interface Mode

  • September 12, 2025
  • 1 reply
  • 579 views

hi,

i'm moving an IKEv1 config from ASA to FGT.

the crypto ACL or interesting traffic have 3x "inside" source loopback IPs (object "NETWORK_3") and 1x "outside" public IP 46.3.2.1, i'd assume this is the public WAN IP of the remote device/FW.

 

access-list CMAP_ACL extended permit ip object-group NETWORK_3 host 46.3.2.1  <<< CRYPTO ACL/INTERESTING TRAFFIC

 

crypto map CMAP match address CMAP_ACL
crypto map CMAP set peer 46.3.2.1  <<<
crypto map CMAP set ikev1 transform-set TSET123

 

my questions are:

1.do i configure in FMG phase 2 tunnel quick mode selector local and remote subnets as 0.0.0.0/0 and then configure the 3x "inside" loopback IPs and 1x "outside" public IP in the VPN FW policy in/out rule?

 

image.png

 

image.png

 

2.do i  still need to configure a host route for 46.3.2.1 to hop via virtual/phase 1 tunnel and also its blackhole route?

image.png

 

 

1 reply

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
September 12, 2025

I'm guessing you used "include" to search access-list in the config so didn't see the next line.
As described in Cisco's doc below:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios/218432-configure-a-site-to-site-ipsec-ikev1-tun.html
, the access-list statement would have remote-network object specified "inside" of the acces-list clause.

object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0

access-list asa-router-vpn extended permit ip object-group local-network 
 object-group remote-network

I would get the other side of configuration from whoever owns/manages the other end to make sure.

I'm not sure about your 2nd question. There needs to be a route, regularly a default route, for the peer IP toward the outgoing interface. But otherwise, nothing else additionally need to be configured for the peer IP routing-wise. It shows only in phase1-interface config as "remote-gw" IP in IKEv1 static IPsec.

Toshi

    johnlloyd_13
    johnlloyd_13Author
    Explorer III
    September 13, 2025

    hi toshi,

    thanks for your feedback!

    for question 1, i'm referring to this kind of setup. refer link below wherein fortinet TAC recommends setting phase 2 local and remote subnets to 0.0.0.0/0 and just configure the "interesting traffic" or subnets for the VPN FW policy. is this a "good standard" practice?

    https://www.reddit.com/r/fortinet/comments/zmq6o0/fortigate_support_recommended_specifying_0000_in/

     

    i'd also like to expound question #2 regarding the "interesting" traffic or crypto ACL. the "remote-network" object is a public IP. it's a customer own device so i assume and most likely the case that 46.3.2.1 is their device WAN IP.

    object-group network remote-network
     network-object 46.3.2.1 255.255.255.255

    the FGT has a static default route to ISP. i only worry about the static routes i need to configure for ipsec/protected traffic since peer IP 46.3.2.1 "needs" to route via the internet for IKE to be established.

     

    edit 1
     set dst 0.0.0.0 0.0.0.0 <<< DEFAULT ROUTE TO INTERNET
     set gateway 12.3.4.5 <<< ISP GW
     set device "port1" <<< WAN

    edit 2
     set dst 46.3.2.1 255.255.255.255  <<<  IKE INTERESTING/PROTECTED TRAFFIC
     set device "tunnel-to-remote"
     set distance 10

     

    edit 3
     set dst 46.3.2.1 255.255.255.255  <<<  IKE INTERESTING/PROTECTED TRAFFIC
     set blackhole enable
     set distance 250

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    September 13, 2025

    As described in Cisco doc, the "remote-network" is remote location's LAN subnets. Not the peer IP(public IP) to establish the tunnel with. You should get the remote side phase2 config from the customer, which we regularly do when we need to set up IPsec with a 3rd party device. Everybody would understand the necessity.

    Toshi

    Terms & ConditionsAccessibility statement