Deftone
New Member
September 3, 2020
Question

Phase2 selectors

  • September 3, 2020
  • 1 reply
  • 7639 views

Hi,

Just a quick question...

When will you use phase 2 selectors like 0.0.0.0 -> 0.0.0.0, and when will you specify the local and remote subnet?

Is there a rule for that? Which one is preferred while building an IPSec?

Or is 0.0.0.0 0.0.0.0 used only while building IPSec between Fortigates?

Just crossing my mind...

    1 reply

    emnoc
    New Member
    September 3, 2020

    It really matters when you use it, but both sides need to be configured the same.

    Thoughts:

    1> When you use 0.0.0.0/0 <-> 0.0.0.0/0 (aka quad 0s) you lose the ability to get per-src/dst SA flow details.

    2> Many hosts/firewalls support quad 0s: FortiGate, Juniper, Check Point, strongSwan, Forcepoint, etc.

    3> Why you might do quad 0s over a specific src/dst subnet pair: the remote side only supports quad 0s (e.g. a cloud provider), or you want to run a dynamic-routing protocol and will send various different networks across the tunnel.

    4> If you only want one IPsec SA for monitoring purposes, vs. trying to monitor up/down over X amount of VPN tunnels.

    5> Or if you want a simpler configuration overall.

    Ken Felix
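
As an added illustration (not from the thread, and not Ken's or Fortinet's own config), here are the two selector styles he describes in FortiOS CLI, followed by the strongSwan swanctl.conf child a non-Fortigate peer would need so that its selectors mirror the FortiGate's. Tunnel names, peer addresses, the proposal and the 10.1.0.0/16 <-> 10.2.0.0/16 subnets are made up.

```text
# --- FortiGate, assumed tunnel "to-branch" (constructed example) ---
# (a) Specific src/dst subnet pair: one SA per pair, so per-src/dst SA
#     details stay visible (item 1 in the reply above).
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# (b) Quad-zero selectors: same stanza, only the two selector lines change.
#     One SA then carries whatever the routing table (static or dynamic,
#     item 3) sends into the tunnel interface.
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# --- Peer running strongSwan (swanctl.conf), mirrored for case (b) ---
# Note the mirror: strongSwan's local_ts is the FortiGate's dst-subnet.
# For case (a) the child would instead carry:
#     local_ts  = 10.2.0.0/16
#     remote_ts = 10.1.0.0/16
# The PSK itself lives in a secrets { } section (omitted here).
connections {
    to-hq {
        local_addrs  = 203.0.113.20
        remote_addrs = 203.0.113.10
        proposals    = aes256-sha256-modp2048
        local  { auth = psk }
        remote { auth = psk }
        children {
            to-hq-child {
                local_ts      = 0.0.0.0/0
                remote_ts     = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}
```

If one side stays on (a) while the other moves to (b), the selector sets no longer match and the child SA will not come up, which is the point both replies make.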

     

    Deftone (Author)
    New Member
    September 3, 2020

    Ok, thanks for the reply... So even if I go for the simpler configuration and use quad 0s on my Fortigate, the other side must also support it and use it inside their P2. Am I correct?

    Toshi_Esumi
    SuperUser
    September 3, 2020

    Yes, as Ken stated at the beginning. Both sides need to have the same selector sets. 0/0<->0/0 is not an exception.