Skip to main content
CoreyFP
CoreyFP
New Member
January 24, 2018
Question

Question about IPsec's Phase Two Addressing

  • January 24, 2018
  • 1 reply
  • 12186 views

Points to ponder:

1.) I have successfully established a functional IPsec tunnel between a Fortigate 200E and a pfSense virtual machine.

 

2.) I noticed that in Phase 2, if I have the Fortigate's local address set to 0.0.0.0/0 and the pfsense's remote address set to 0.0.0.0/0, I understand that to mean all traffic from the pfsense end of the tunnel will now route through the Fortigate. With this, there's full connectivity and both networks can see each other's devices, no problem. Except the fact my boss doesn't want EVERYTHING coming from pfsense through the Fortigate.

 

3.) Now, if I change the 0.0.0.0 to reflect the Fortigate's LAN subnet on both ends, the pfSense now only routes packets destined for the Fortigate's network through the tunnel and routes all public traffic through it's own WAN interface. This fulfills my boss's wishes! But now the Fortigate has no detection of any devices on the pfSense LAN side. PfSense is the only side that can see through to the remote end of the tunnel.

 

Two Questions:

 

1.) Does anyone know why when Phase Two is set up to point #3's configuration, the Fortigate can now no longer see traffic coming in from the pfSense end of the IPsec tunnel, when it could when it was set up to point #2's standard? I would like to understand this better.

 

2.) Is there a static route or a forwarding rule that will still allow the Fortigate to see everything on the pfSense network even with point #3's setup?

 

 

    1 reply

    CoreyFP
    CoreyFPAuthor
    New Member
    January 31, 2018

    I guess no one knows? All I want to know is the science behind the phase 2 address. What is the science behind using a 0.0.0.0 address versus the specific subnet of device where all the traffic is being routed through it (or some of it). Why Site A and Site B can both see each other if it's 0.0.0.0 and why Site A can see Site B, but Site B can't see Site A when there's a specific subnet. Anyone? Beuller? Beuller?

    emnoc
    emnoc
    New Member
    January 31, 2018

    Pfsense and raccoon should have  set left/right subnets. Do not use 0.0.0:0/0 in your examples you see why.

    Review this post thread

     

    https://forum.fortinet.com/tm.aspx?m=119677

     

    Also double check fwpolicy creation in  pfsense webGUi to ensure you have the correct policies and for the IPsec-action.

     

    Ken

     

    CoreyFP
    CoreyFPAuthor
    New Member
    February 7, 2018

    I had found out the issue with Fortigate support.

     

    The agent had me run "diag sniff packet any 'host x.x.x.x and y.y.y.y (or icmp)' 4" to see what was happening with the packets as they left pfsense and moved through the Fortinet. 

     

    Upon closer inspection, we saw that in the IPv4 Policies NATing was enabled on the IPv4 rules between the tunnels.

     

    Of course, NATing isn't necessary between two private addresses, so, disabling that opened up communication between the two firewalls.

     

    I both love and hate it when it's that simple...

    Terms & ConditionsAccessibility statement