IPsec VPN Phase 2 Selector Subnets Best Practice

Forum|Forum|3 years ago
December 13, 2022
2 replies
36560 views

Hi Firewall Gurus,

I'm looking for best practice for the phase 2 selector subnets in a general case. I understand in some case it requires to use 0.0.0.0/0. I'm talking about in decent network segmentation internal network that connects to outside. Is it better to have broader range of subnet or as specific as possible. For example, if I have a /16 subnets, but I only need to allow one or two /32 IP addresses from the other side of VPN tunnel. Do I create two /32 selectors or one /16? Thank you.

FortiGate

Best answer by Toshi_Esumi

You always need to think about the selectors as a pair like 0.0.0.0/0<->192.168.1.0/24 in case their internet need to go through the other end. It's completely up to you if you want to create two pairs like x.x.x.x/32<->192.168.1.0/24 and y.y.y.y/32<->192.168.1.0/24, or aggregate those two IPs in a super subnet and make only one selector set. But /16 sounds too wide open compared to 2 x /32s.

You can always limit accesses with policies which IPs are reachable or not so I wouldn't make at least not too strict.

In case a routing protocol needs to advertise routes, you have to use 0.0.0.0/0<->0.0.0.0/0, which is the default selector.

Toshi

Toshi_EsumiAnswer

SuperUser

You always need to think about the selectors as a pair like 0.0.0.0/0<->192.168.1.0/24 in case their internet need to go through the other end. It's completely up to you if you want to create two pairs like x.x.x.x/32<->192.168.1.0/24 and y.y.y.y/32<->192.168.1.0/24, or aggregate those two IPs in a super subnet and make only one selector set. But /16 sounds too wide open compared to 2 x /32s.

You can always limit accesses with policies which IPs are reachable or not so I wouldn't make at least not too strict.

In case a routing protocol needs to advertise routes, you have to use 0.0.0.0/0<->0.0.0.0/0, which is the default selector.

Toshi

polarpandaAuthor

Explorer

Thank you for the info. The more selectors we have, the more negotiation we need, e.g. multiple SA. Is that true? phase 2 selectors need to be negotiated one by one. If we have one broader range, and like you said use policy to restrict each access, wouldn't it better?

Toshi_Esumi

SuperUser

Basically independent. Needs to have a matching traffic otherwise they don't come up. It's depending on the definition of "better". More restrict/secure or faster/more flexible. Answer would be different depending on who you ask to.

FredPaul

New Member

Here's my two cents about this...

The only time you'd want to specify the P2 selectors is when using policy-based IPsec VPN on one side or both. For route-based IPsec VPN on both sides leave them at 0.0.0.0/0. Using P2 selectors on route-based IPsec VPN doesn't add anything other than complexity.

If you do have policy-based IPSec VPN on one or both sides, you'd want to consider how you want the routing to be. If you route a big subnet into the tunnel that can potentially create issues further down the line, so you'd want to keep it as small as possible, but also as few P2s as possible. If you have two /32s in the same /24, and routing that into the tunnel won't create any issues, sure, do that. But if you have two /32s far apart (requiring /22, /19, etc) it would probably be better to have two individual P2s. Both sides need to agree on what the selectors should look like, so there isn't really a "best practice" that always applies. Sometimes you end up with a bunch of P2s, other times you can get by with one.

Hope my answer helped!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded