Using Groups in VPN Tunnels

Question

Has anyone ever had any success using Groups in their Phase2 Selectors when connecting to Third Party Gateways? It seems to me that when you use groups it just creates a single Phase2 Tunnel. So, in doing a tunnel with an ASA I did it as a group and seemed it would intermittently work and then not work. When I looked at the tunnel list in the CLI it only shows a single Phase2 tunnel. In this case it was only a single subnet on my side and then 3 on the other. So, I created 3 Phase2 selectors and all is good.

In another case, connecting with a Checkpoint there were 19 destinations so 19 Phase2 selectors were needed...What really gets messed up is when there are multiples on each side so if I had 2 on my end for the Checkpoint example I would end up needing to create 38 Phase2 selectors.

Has anyone gotten it to work any differently? Is there some CLI parameter that would make it generate multiple Phase2 tunnels off a single selector using groups? I end up just doing a copy/paste to create all the selectors so it isn't terrible but it does suck when I end up needing to make some small change in Phase2 and have to modify each and every selector.

Thanks

Mike

emnoc · Answer

You logic make sense and you finding are the same as mine. It becomes a issue with multiples and src/dst-names does not seem to work as good as src/dst-subnets. What you could do is to use a summarize subnet and place the routes for the vpn if you have networks spaces that contigious

Route-Based vpn to other fortigate, juniper, forcepoint, paloalto, with quad Zeros { 0.0.0.0/0 } make this all easier and simplified the phase2 tunnel configuration but without individual IPSEC-SA for the layer3 traffic that crosses the vpn.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded