Contributor
April 29, 2010
Question

Multiple Quick mode selectors

  • April 29, 2010
  • 4 replies
  • 6807 views
Hi Gentlemen, Do you know if there is a way (GUI, CLI) to put multiple "source addresses" in the quick mode selector? I need around 20 subnets; is there a syntax to put them all on a single line, or do I have to create a specific phase 2 for each and every subnet that will go through my VPN? PS: 0.0.0.0/0 in the quick mode is not an option.

    4 replies

    abelio
    SuperUser
    April 29, 2010
    Yes, use CLI:
      config vpn ipsec phase2-{interface}
          edit <phase2name>
              set src-addr-type {ip|name|range|subnet}
              ...
          next
      end
    With 'name' you could group several nets under a name.
    Maik
    New Member
    April 29, 2010
    While this is the way to go, I had issues when adding more than ~12 subnets into the group. The Fortigate accepted to configure more subnets, but the clients started to behave abnormally: the number of addresses to be retrieved in MR5 was 16 networks. This limitation depends on Fortigate firmware and FortiClient, but with ~16 they were able to connect, but some sites were unreachable, the network was slow, etc.... It became stable with the mentioned 12 subnets... Please let me know if you face similar problems.
    Contributor
    April 29, 2010
    Thanks abel for the way to do it. Running 4.0MR1 on this particular one, around 26 subnets to group on this. So I'm afraid I'll face the issues you mention, Maik? BTW I'm not running any FortiClient, this is pure LAN to LAN stuff, so maybe Maik you get the issue with FortiClient only?
    Maik
    New Member
    April 29, 2010
    Thanks to supernetting, I never needed that for site2site setups -> I never had to verify it with lan2lan setups. I don't know; the last time I had the problem was on a Fortigate running 4.0.3. In case the limit also applies for lan2lan setups, a workaround might be to create multiple Phase2s with smaller groups: e.g. 3x Phase 2 with 8 subnets per group.
    Contributor
    April 30, 2010
    I am going to use x3 different Phase2, each of them having one group containing 9 networks. All under the same Phase1. It's a bit of a PITA to configure, but I hope I won't get these perf issues.
    Contributor
    June 2, 2010
    Just to let you know that I've been facing issues with this setup (i.e. some subnets' SAs were done, while others not, within the same object group). Also, I have been experiencing packet loss for the established SA (6-7 pings passing through the VPN, then nothing for 30 seconds, then working again). After multiple VPN restarts on both ends, the FG started to provide some interesting logs (IIRC "Failed to insert SA : invalid argument"). I have then re-setup completely my VPN without using groups, but instead, multiple phase 2 (total of 24, one per subnet) under the same phase 1: now the VPN is working without any issue. So Maik, I had exactly the same problem as yours for a site2site, using 8 subnets/group.
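    The two layouts discussed in this thread, as an added example that is not part of the original posts: a small generator that emits FortiOS CLI for either one phase2-interface per subnet (the layout that ended up working above) or address groups of a chosen size with one phase2 per group. The phase1 name, subnets and object names are constructed assumptions, and the CLI keywords should be checked against your FortiOS release.

```python
import ipaddress
from typing import List

# Constructed sample data: names, subnets and the phase1 name are assumptions,
# not values from the thread. The CLI keywords follow the phase2-interface
# syntax quoted in this thread; verify them against your FortiOS release.
PHASE1 = "to-branch"
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]
REMOTE_SUBNET = "192.168.100.0/24"


def fortios_subnet(cidr: str) -> str:
    """Validate a CIDR (strict: host bits must be zero) and render 'addr mask'."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def per_subnet_phase2(phase1: str, local: List[str], remote: str) -> str:
    """One phase2-interface entry per local subnet, all under one phase1."""
    dst = fortios_subnet(remote)
    out = ["config vpn ipsec phase2-interface"]
    for i, cidr in enumerate(local, start=1):
        out += [f'    edit "{phase1}-p2-{i}"', f'        set phase1name "{phase1}"',
                "        set src-addr-type subnet", f"        set src-subnet {fortios_subnet(cidr)}",
                "        set dst-addr-type subnet", f"        set dst-subnet {dst}", "    next"]
    out.append("end")
    return "\n".join(out)


def grouped_phase2(phase1: str, local: List[str], remote: str, per_group: int) -> str:
    """Address objects, address groups of at most per_group subnets, and one
    phase2 per group using src-addr-type name (the layout that misbehaved)."""
    groups = [local[i:i + per_group] for i in range(0, len(local), per_group)]
    obj = lambda c: f"net-{c.replace('/', '_')}"  # object name without '/'
    out = ["config firewall address"]
    for cidr in local:
        out += [f'    edit "{obj(cidr)}"', f"        set subnet {fortios_subnet(cidr)}", "    next"]
    out += ["end", "config firewall addrgrp"]
    for g, members in enumerate(groups, start=1):
        names = " ".join(f'"{obj(c)}"' for c in members)
        out += [f'    edit "{phase1}-grp-{g}"', f"        set member {names}", "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for g in range(1, len(groups) + 1):
        out += [f'    edit "{phase1}-p2-{g}"', f'        set phase1name "{phase1}"',
                "        set src-addr-type name", f'        set src-name "{phase1}-grp-{g}"',
                "        set dst-addr-type subnet", f"        set dst-subnet {fortios_subnet(remote)}",
                "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(per_subnet_phase2(PHASE1, LOCAL_SUBNETS, REMOTE_SUBNET))
```

With 24 subnets, the first function produces the 24 phase2 entries the poster ended up with; a subnet with host bits set is rejected before any CLI is emitted.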
    claumakurumure
    New Member
    June 8, 2010
    One question please: how would you bring up those tunnels all at one time, not clicking one by one?
    rwpatterson
    New Member
    June 8, 2010
    I don't believe you can start the tunnels all at once.