tanr
New Member
February 28, 2017
Question

IPSEC VPN Security - Multiple Phase 2's in single Phase 1?


I realise I should know this, but VPN is really not my area.


Short form of question: What security risks do I run having site-to-site IPSec VPN with multiple phase 2's within a single phase 1, instead of having multiple phase 1's, each containing a single phase 2?


Longer form of question:


I've got two sites with site-to-site IPSec VPN between them. Multiple subnets (and VLANs) at each site with restrictions on communications between those subnets, both within the sites and between the sites.


For example, a render-farm subnet at each location is connected to the render farm at the other location over the VPN, with only certain protocols allowed. These render farms can't initiate a connection outside of their subnets, but connections can be initiated to the render farms from a couple of other secure subnets for management, to launch render jobs, etc. Other subnets include networked security cameras (locked down), internal servers, etc.


There are security policies in place for communication between the various subnets, both locally and across the vpn.


I feel like I should have the various phase2's separated out into multiple phase1's (or at least separate out things like cameras and guest networks) instead of just having multiple phase2's with a single phase1.  But I'm not sure what I'm putting at risk if I just have a single phase1.


Thanks in advance for any suggestions.


    MikePruett
    New Member
    March 1, 2017

    Running multiple phase2's on the same phase1 is fine.


    The phase2's just say what traffic the tunnel finds interesting and will allow to traverse. After that, you just use policy to secure the pathway and only allow the source, destinations, and services/applications you wish to flow.

    ede_pfau
    SuperUser
    March 1, 2017

    Well, with multiple phase1s you obtain more control on the services you allow: each phase1 is one virtual interface, and thus forms an interface-pair group in the policy table. Routing is affected as well.

    If those VLANs or LANs are administratively apart, or if you just want to be able to exert more precise security rules on them, then go with multiple phase1s. The downside of course is more effort in setting up and possibly cluttering up the policy table.


    IIRC you could have a problem if the sites do not offer multiple public IPs. Remote gateways need to be unique for site-to-site VPNs.
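    What ede_pfau describes above, shown in FortiGate CLI as an added example (it is not from this thread or from Fortinet documentation): a dedicated phase 1 for the camera VLAN next to a shared phase 1 carrying two phase 2s. It assumes route-based ("interface mode") VPN, that the local interfaces `wan1`, `cams-vlan` and `servers-vlan` and the address objects named in the policies already exist, and uses constructed placeholder names, documentation-range public IPs and a placeholder pre-shared key.

    ```fortios
    # Added example, not from the thread. All names and addresses are constructed
    # placeholders; address objects used by the policies are assumed pre-defined.

    # --- Option A: dedicated phase 1 for the camera VLAN ---
    # Each phase1-interface is its own virtual interface, so the policy table can
    # pin camera traffic to this tunnel by interface pair.
    config vpn ipsec phase1-interface
        edit "site2-cams"
            set interface "wan1"
            set local-gw 198.51.100.11        # spare public IP for this tunnel
            set remote-gw 203.0.113.21        # must differ from the other tunnel's peer
            set proposal aes256-sha256
            set dhgrp 14
            set psksecret "PLACEHOLDER-CHANGE-ME"
        next
    end
    config vpn ipsec phase2-interface
        edit "site2-cams-p2"
            set phase1name "site2-cams"
            set proposal aes256-sha256
            set dhgrp 14
            set src-subnet 10.1.50.0 255.255.255.0    # local camera VLAN
            set dst-subnet 10.2.50.0 255.255.255.0    # remote camera VLAN
        next
    end
    config router static
        edit 0
            set dst 10.2.50.0 255.255.255.0
            set device "site2-cams"           # route points at the tunnel interface
        next
    end
    # Only cams-vlan -> site2-cams, only the camera service. No other VLAN can
    # use this tunnel even if a selector is later widened by mistake.
    config firewall policy
        edit 0
            set name "cams-to-remote-cams"
            set srcintf "cams-vlan"
            set dstintf "site2-cams"
            set srcaddr "cams-local-net"
            set dstaddr "cams-remote-net"
            set service "RTSP"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end

    # --- Option B: one shared phase 1 carrying two phase 2s ---
    # Both selectors hang off the single virtual interface "site2-shared", so
    # srcintf/dstintf no longer tells server traffic from render-farm traffic;
    # separation rests entirely on the address objects and services per policy.
    config vpn ipsec phase1-interface
        edit "site2-shared"
            set interface "wan1"
            set local-gw 198.51.100.10
            set remote-gw 203.0.113.20
            set proposal aes256-sha256
            set dhgrp 14
            set psksecret "PLACEHOLDER-CHANGE-ME"
        next
    end
    config vpn ipsec phase2-interface
        edit "site2-servers-p2"
            set phase1name "site2-shared"
            set proposal aes256-sha256
            set dhgrp 14
            set src-subnet 10.1.10.0 255.255.255.0
            set dst-subnet 10.2.10.0 255.255.255.0
        next
        edit "site2-render-p2"
            set phase1name "site2-shared"
            set proposal aes256-sha256
            set dhgrp 14
            set src-subnet 10.1.20.0 255.255.255.0
            set dst-subnet 10.2.20.0 255.255.255.0
        next
    end
    config firewall policy
        edit 0
            set name "mgmt-to-remote-render"
            set srcintf "servers-vlan"
            set dstintf "site2-shared"        # same dstintf for every phase 2 on this P1
            set srcaddr "mgmt-local-net"
            set dstaddr "render-remote-net"   # address objects do the separating here
            set service "SSH"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
    ```

    The static routes for Option B (one per remote subnet, pointing at `site2-shared`) are omitted for length. The practical difference is the `dstintf` line: under Option A a policy for the camera tunnel cannot accidentally match server or render-farm traffic, while under Option B every policy toward the shared tunnel must be kept tight on `dstaddr` and `service`, and a review of the policy table is the only thing standing between the subnets.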

    tanr (Author)
    New Member
    March 1, 2017

    I've got a couple extra public IPs at both sites for exactly this sort of thing.


    I think I'll put the security cameras at each site into their own P1 as they are the most vulnerable.


    Most of the other subnets I feel okay grouping under one P1, perhaps separating out the render-farm subnets.


    Two things I'm still not sure about are the FortiAuthenticator and FortiAnalyzer (on separate subnets) at the main site. The FortiGate at the second site needs access to them, which I was planning to provide over IPSec VPN. This seems like the sort of thing that should have its own P1. Or am I being overly paranoid here?


    Thanks.

    gigi_iaia
    New Member
    June 8, 2017

    Only a question.

    With multiple phase 2s, can I use the same configuration for all the phase 2s or not?

    Example:

    vpn1-phase2:

    Encryption: AES256-SHA384, DH group: 15, Key Lifetime: 3600

    vpn2-phase2:

    Encryption: AES256-SHA384, DH group: 15, Key Lifetime: 3600

    Or can I use a different DH group or encryption for each one?


    Thanks.