FortiGate
lvannstruth
Staff
Article Id 327600
Description

This article explains the function and behavior of the IKEv2 IPsec phase2 setting ‘initiator-ts-narrow’ and an example scenario where it can be used.

Scope

FortiGate v6.4.3 and newer.

Solution

The IPsec phase2-interface setting ‘set initiator-ts-narrow enable’ is useful where a FortiGate has only one phase2 selector whose local and remote sides are address groups containing multiple subnets, while the remote peer has multiple individual phase2 selectors configured.

The IKEv2 standard includes functionality to narrow the traffic selectors as described in the KB article here: Technical Tip: IKE v2 traffic selector narrowing.

That narrowing is performed by the IKE responder, not by the initiator. In a scenario where the IKE initiator needs to propose only a small subset of the configured source/destination selectors at a time, the ‘initiator-ts-narrow’ phase2 setting can be enabled.

Enabling ‘initiator-ts-narrow’ can also resolve phase2 selector negotiation issues on an IPsec tunnel between a FortiGate and a third-party VPN appliance.

For an example configuration where ‘set initiator-ts-narrow enable’ setting would be useful, consider the following topology and phase2 selector configuration on two different FortiGates:

Topology:

[Image: topology.png]

FortiGate-1 phase2 selector configuration (a single selector; each side is an address group):

Local Subnet:  10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24
Remote Subnet: 10.0.6.0/24, 10.0.7.0/24, 10.0.8.0/24, 10.0.9.0/24, 10.0.10.0/24

FortiGate-2 phase2 selector configuration (five independent selectors):

Local Subnet    Remote Subnet
10.0.6.0/24     10.0.1.0/24
10.0.7.0/24     10.0.2.0/24
10.0.8.0/24     10.0.3.0/24
10.0.9.0/24     10.0.4.0/24
10.0.10.0/24    10.0.5.0/24

By default, with the ‘initiator-ts-narrow’ option disabled, bringing up the IPsec phase2 selector on FortiGate-1 results in only one selector being negotiated:

[Image: phase2-only-one-selector.png]

This is despite FortiGate-2 receiving the full list of selectors from FortiGate-1, as visible in the IKE debug output:

[Image: ike-debug-fgt2-full-selector-list.png]

Additionally, pings from a client at 10.0.3.2 to 10.0.8.2 fail, because the IKE negotiation only brings up the selector between 10.0.10.0/24 and 10.0.5.0/24:

[Image: pings failing without narrowing ts.png]

To remediate this issue, the ‘initiator-ts-narrow’ option can be enabled in the CLI on FortiGate-1 with the following commands:

config vpn ipsec phase2-interface
    edit <phase2-selector>
        set initiator-ts-narrow enable
    next
end

Note:

This setting needs to be enabled on the FortiGate with the single phase2 selector configured (FortiGate-1 in this example), not on the FortiGate with multiple independent phase2 selectors configured.

With the ‘initiator-ts-narrow’ setting enabled, FortiGate-1 now proposes only the following traffic selectors in the phase2 negotiation when traffic triggers the IPsec tunnel to come up:

  1. The exact pair of IP addresses from the packet that triggered the negotiation. In this topology, that is 10.0.3.2 pinging 10.0.8.2.
  2. The first configured pair of subnets in the local and remote address groups that contain those IP addresses. In this example, that is 10.0.3.0/24 and 10.0.8.0/24.

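To make the two behaviours concrete, the following Python model is added here as an illustration; it is not FortiOS code and does not reproduce FortiOS's real selector-matching logic. It builds the traffic-selector proposal FortiGate-1 sends with narrowing off and on (the host pair first, then the containing subnets, which is the ordering RFC 7296 section 2.9 describes for a triggering packet), then checks which of FortiGate-2's five selectors overlap that proposal and whether the single selector pair the responder commits to actually covers the triggering traffic. The responder picking the last overlapping selector is an assumption, chosen only so that the model reproduces the 10.0.10.0/24 to 10.0.5.0/24 outcome shown in the article's debug output; the subnets and hosts are the ones from the topology above.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the article's topology (illustration only, not FortiOS code).
# FortiGate-1: one phase2 selector whose local and remote sides are address groups.
FGT1_LOCAL = [ip_network(f"10.0.{i}.0/24") for i in range(1, 6)]    # 10.0.1.0/24 .. 10.0.5.0/24
FGT1_REMOTE = [ip_network(f"10.0.{i}.0/24") for i in range(6, 11)]  # 10.0.6.0/24 .. 10.0.10.0/24
# FortiGate-2: five independent phase2 selectors as (local, remote) pairs.
FGT2_SELECTORS = [
    (ip_network(f"10.0.{i}.0/24"), ip_network(f"10.0.{i - 5}.0/24")) for i in range(6, 11)
]


def initiator_proposal(src, dst, local_group, remote_group, narrow):
    """Build the (TSi, TSr) lists the initiator proposes for the CHILD_SA.

    narrow=False: the complete address groups (the article's default behaviour).
    narrow=True:  the triggering host pair first, then the first configured
                  subnet pair that contains those hosts (initiator-ts-narrow).
    """
    src, dst = ip_address(src), ip_address(dst)
    if not narrow:
        return list(local_group), list(remote_group)
    local_subnet = next(n for n in local_group if src in n)
    remote_subnet = next(n for n in remote_group if dst in n)
    tsi = [ip_network(f"{src}/32"), local_subnet]
    tsr = [ip_network(f"{dst}/32"), remote_subnet]
    return tsi, tsr


def responder_candidates(tsi, tsr, selectors):
    """Responder selectors that overlap the proposal.

    Seen from the responder, the initiator's TSi is the remote side and
    TSr is the local side, so the pairs are compared crosswise.
    """
    return [
        (local, remote)
        for local, remote in selectors
        if any(local.overlaps(n) for n in tsr) and any(remote.overlaps(n) for n in tsi)
    ]


def negotiate(src, dst, narrow):
    """Model one phase2 negotiation triggered by src -> dst on FortiGate-1."""
    tsi, tsr = initiator_proposal(src, dst, FGT1_LOCAL, FGT1_REMOTE, narrow)
    candidates = responder_candidates(tsi, tsr, FGT2_SELECTORS)
    if not candidates:
        return {"proposed": (tsi, tsr), "candidates": 0, "chosen": None, "covered": False}
    # ASSUMPTION: the responder commits one selector pair per CHILD_SA and, when
    # several of its own selectors overlap the proposal, picks the last one.
    # Which one a real responder picks is implementation-specific; this choice
    # only reproduces the 10.0.10.0/24 <-> 10.0.5.0/24 result from the article.
    chosen = candidates[-1]
    resp_local, resp_remote = chosen
    covered = ip_address(dst) in resp_local and ip_address(src) in resp_remote
    return {
        "proposed": (tsi, tsr),
        "candidates": len(candidates),
        "chosen": chosen,
        "covered": covered,
    }


if __name__ == "__main__":
    for narrow in (False, True):
        r = negotiate("10.0.3.2", "10.0.8.2", narrow)
        state = "enable" if narrow else "disable"
        print(f"initiator-ts-narrow {state}: {r['candidates']} overlapping selector(s) "
              f"on FortiGate-2, negotiated {r['chosen']}, trigger traffic covered: {r['covered']}")
```

With narrowing disabled, all five FortiGate-2 selectors overlap the full proposal, the responder commits to just one of them, and the ping from 10.0.3.2 to 10.0.8.2 is not covered by the resulting CHILD_SA. With narrowing enabled, only the 10.0.8.0/24 to 10.0.3.0/24 selector overlaps the two-entry proposal, so the responder has nothing else to choose and the triggering traffic is covered.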
The reduced number of selectors is visible in the IKE negotiation on FortiGate-2:

[Image: narrowed selector working.png]

With FortiGate-2 correctly selecting 10.0.3.0/24 and 10.0.8.0/24 as the selectors in use, the pings now succeed:

[Image: pings working with narrowing on.png]

The ‘set mesh-selector-type subnet’ setting is the IKEv1 equivalent of ‘set initiator-ts-narrow enable’; the relevant KB article is available here: Technical Tip: Dynamic creation of IPsec tunnels (IKEv1 dynamic selector configuration).