Skip to main content
Geoffrey
Geoffrey
New Member
February 2, 2017
Question

Problem adding a phase 2 Selector

  • February 2, 2017
  • 3 replies
  • 28597 views

Hey guys,

 

I have an up and running site-to-site vpn between two fortigates.

This is the ip config:

Location 1: 10.1.20.0/24 -> 10.2.20.0/24

Location 2: 10.2.10.0/24 -> 10.1.20.0/24

 

This seems to be working well we can ping clients on both locations.

 

Now we want to add our server networks, i added a phase 2 selector like this:

Location 1: 10.1.10.0/24 -> 10.2.10.0/24

Location 2: 10.2.10.0/24 -> 10.1.10.0/24

 

I have added the static routes and firewall policies on both FG's, but we cannot ping any server on both locations.

Are we forgetting something? I checked the manual about vpn but i cannot for the life of me find what could be wrong.

 

Any vpn guru that can point me in the direction that i have to look in to?

 

Thx in advance!

 

3 replies

moby
moby
New Member
February 2, 2017

Hi Geoffrey,

 

Maybe there is something wrong with the selectors - -why don't you try and just configure 0.0.0.0/0.0.0.0 as the phase 2 selectors on both fortigates.

 

Moby

Alby23
Alby23
New Member
February 2, 2017

Are the SAs related to the second phase2 up?

Geoffrey
GeoffreyAuthor
New Member
February 2, 2017

Hi all,

 

Thanks for the answers :)

 

I tried putting in 0.0.0.0/0.0.0.0 on both FG's and then everything works, but is this the good way to go?

 

@Alby23: How can i check if the SAs on the second phase are up? Is this in here Monitor -> IPsec Monitor?

 

Thanks!

MikePruett
MikePruett
New Member
February 2, 2017

Geoffrey,

 

It works but is considered a lazy and insecure way of doing things. Reason being, now any traffic can flow over that tunnel whereas with specific Phase2's it limits it to the interesting traffic mentioned there.

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 2, 2017

Check routing table on both sides if they have routes toward the tunnel for the subnets on the opposite side. We use 0/0<->0/0 for phase2 as long as it's main mode and restrict subnets by policies. If routes are there the policies must be restricting.

MikePruett
MikePruett
New Member
February 2, 2017

If he can ping the traffic knows where to go. Validation that proper policy is in place (with UTM that isn't killing the traffic you want) needs to be the next step IMO

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 2, 2017

I just wanted to make sure it's 100% not routing issue, which isn't so difficult to confirm. "get router info routing-t all" in cli. You're most likely correct about the cause.

Terms & ConditionsAccessibility statement