Contributor
May 15, 2010
Question

IPSec VPN with other vendors - with groups

Hi All... Have created an IPSEC Site to Site VPN tunnel with a Cisco Router as peer. The Source was a /24 segment and the destination segments behind the Router were individual servers - a Range of 3 IPs in one segment, individual IPs and another /24 segment. To achieve this requirement:
- Created a Group with the Range, IPs and Network Segments behind the Router.
- Created a Group with the Source segment of /24.
- Created a Phase 2 in CLI with the 'src-addr-type' and 'dst-addr-type' attributes set to 'name' and configured the Source and dest addresses in it.
- Both are created as Name as it should be common as per the documentation.
The VPN tunnel was UP and was able to see the traffic passing the tunnel - but only to the First member of the Group. Was able to see the IPSEC Monitor status as UP. There were no errors or information messages in the Analyser as well...
Then I created individual rules for the destination and everything is working fine. But this takes a lot of time if there are many sources and destinations. Not sure about this behavior. Please update if anyone has faced similar issues.


    Contributor
    June 30, 2010
    I ran into this --- very strange. I ended up separating each destination network into a different policy AND defining the address group members in a SPECIFIC ORDER that matched the policy order (or maybe the reverse of the policy order). It was an interface VPN on an FG300A with v3.00 MR3 Patch2. I imagine it's a bug that's fixed by a later build but I worked around it. My tunnel was with an ASA-5520 and I had compatibility problems with DPD (which I disabled on the FG) and PFS DH2 (DH1 was OK though). I ended up upgrading anyway due to other IKE bugs that caused Phase 2 to regularly renegotiate.
    emnoc
    New Member
    July 1, 2010
    I've always created multiple Phase2s and associated these to my Ph1 set and just created static routes for the remote lan/host subnets. Works all of the time; it might create more configuration work, but it always works.
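    An added configuration example (not from the thread or from Fortinet) of the approach emnoc describes, in FortiOS interface-mode CLI syntax: one Phase 1, one Phase 2 per remote destination with explicit selectors instead of address-group names, and static routes pointing each destination into the tunnel interface. The interface, peer and address values are made up, and the syntax reflects later FortiOS releases rather than the v3.00 build discussed above.

```text
config vpn ipsec phase1-interface
    edit "to-cisco"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes128-sha1
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# one phase2 per remote destination; selectors are explicit, not group names
config vpn ipsec phase2-interface
    edit "to-cisco-net"
        set phase1name "to-cisco"
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.50.0 255.255.255.0
    next
    edit "to-cisco-range"
        set phase1name "to-cisco"
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-addr-type range
        set dst-start-ip 192.168.60.10
        set dst-end-ip 192.168.60.12
    next
    edit "to-cisco-host"
        set phase1name "to-cisco"
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-addr-type ip
        set dst-start-ip 192.168.70.5
    next
end
# static routes send each remote destination into the tunnel interface
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to-cisco"
    next
    edit 0
        set dst 192.168.60.0 255.255.255.0
        set device "to-cisco"
    next
    edit 0
        set dst 192.168.70.5 255.255.255.255
        set device "to-cisco"
    next
end
```

    A matching firewall policy from the LAN interface to "to-cisco" is still required for traffic to be accepted; each Phase 2 then negotiates its own SA, which is what makes a selector problem visible per destination in the IPSEC Monitor.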
    Contributor
    July 2, 2010
    emnoc, that sounds like a great approach. I'm going to try that on my tunnels. I think the FGT proxy group implementation is buggy and your approach allows you to manage each destination subnet as a separate SA.
    severach
    New Member
    July 6, 2010
    ORIGINAL: johns99 I think the FGT proxy group implementation is buggy
    With IPSec groups and names it's possible to FUBAR the internal configuration so badly that only a factory reset will fix it. The only fault of separate phase 2s is that they use more tunnels against your limit. It may have worked in FortiOS 2.x but reliability disappeared when the options disappeared from the GUI in FortiOS 3.x.