Description
This article describes the multiple options to configure phase2 selectors on VPN IPsec.
Scope
FortiOS v7.0, v7.2, and v7.4.
Solution
- During Phase 2 selectors, there will be the next option to configure the source and destinations.
Below is the way to configure each of these options:
- Subnet: Allow to configure a subnet, which can be a default subnet or a specific subnet.
- IP Range: Allow to configure a range of IP addresses in case it is desired to allow a specific host to send traffic over VPN IPsec that is on the same LAN.
- IP Address: Allow to configure a specific IP address.
- Named Address: Allow to set the next address objects:
Subnet.
IP Range.
Address Group.
Note: It is important to mention that FQDN is supported on the Address group, however, VPN IPsec does not support FQDN objects as named addresses. Therefore, if adding an FQDN object to the Address Group, the address group will not be available on the phase2 selector as below:
- If the address group consists of both subnets and FQDNs, this group object also will not be available in the phase 2 selector to configure.
See the example below:
There are 2 address groups created: VPN Group subnet (consists of only subnets) and VPN Group with name address (consists of both subnets and FQDN).
See the Phase 2 selector below, in which it is populating the address group that does not have the FQDN called:
It is not possible to use an FQDN for Phase 2 during tunnel construction. However, FQDN address groups can be added to the existing address group after Phase 2 has been created.
The phase2 will be deleted when the device is upgraded or rebooted because the firewall does not permit generating with a FQDN address object.
