sims
Explorer II
April 28, 2019
Question

Ipsec

  • April 28, 2019
  • 1 reply
  • 3609 views

Hi,

HQ
Local subnet: 0.0.0.0/0
Remote subnet: 0.0.0.0/0

Branch
Local subnet: 10.0.2.0/24
Remote subnet: 10.0.3.0/24

Can I choose the above configuration for an IPsec site-to-site VPN? Does it work?

What will happen if I choose local and remote subnet 0.0.0.0 in HQ?

Thanks

    1 reply

    ede_pfau
    SuperUser
    April 28, 2019

    '0.0.0.0/0' is the notation for a wildcard address in FortiOS.

    For a site-to-site tunnel I would always put in the explicit network(s) in the phase2 QM selectors. They are part of the negotiation. I would assume that the tunnel will not come up successfully, as you offer explicit networks from one side and wildcards from the HQ side.

    Besides, you will have to know the networks in advance anyway, to establish the routing.

    This would be different if both sides had the wildcard addresses.

    In fact this will be used when building a dial-in tunnel, as you would not know the remote subnet addresses in advance.

    emnoc
    New Member
    April 28, 2019

    Either is okay, but like Ede I place explicit local/remote (src/dst subnets). I do this so I can get "statistics" per network, whereas a single 0.0.0.0/0 will not give you any details on whether a network over the VPN is or is not working if you have multiples.

    Remember that in a route-based VPN, the routing is what places traffic over the VPN interface.

    Ken Felix

     

    sims
    Author
    Explorer II
    April 28, 2019

    Hi Ken,

    emnoc wrote:

    Either is okay, but like Ede I place explicit local/remote (src/dst subnets). I do this so I can get "statistics" per network, whereas a single 0.0.0.0/0 will not give you any details on whether a network over the VPN is or is not working if you have multiples.

    Remember that in a route-based VPN, the routing is what places traffic over the VPN interface.

    Can you elaborate on the statement "Remember that in a route-based VPN, the routing is what places traffic over the VPN interface."?

    Thanks