FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alif (Staff)
Article Id 419647
Description This article explains why FortiGate sends multiple phase2 (traffic) selectors when traffic is initiated from FortiGate, even though only a single phase2 selector is configured.
Scope

FortiGate.

Solution

Consider a phase2 selector configured on FortiGate as follows (no src-subnet or dst-subnet is set, so the selector defaults to 0.0.0.0/0):

 

config vpn ipsec phase2-interface
    edit <phase2_name>
        set phase1name <phase1_name>
        set proposal aes256-sha256
    next
end

 


When traffic is initiated from FortiGate, FortiGate sends multiple phase2 selectors, which can be observed in IKE debugs.

FortiGate includes two traffic selectors in each of TSi and TSr: the first covers only the interesting traffic that triggered the negotiation (source IP 192.168.10.10 / destination IP 192.168.20.20), and the second is the configured phase2 selector, 0.0.0.0/0.

 

ike V=FW-LAB:1:to_LabTest_Vdom:0:7: peer proposal:
ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSi_0 0:192.168.10.10-192.168.10.10:0
ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSi_1 0:0.0.0.0-255.255.255.255:0
ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSr_0 0: 192.168.20.20-192.168.20.20:0
ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSr_1 0:0.0.0.0-255.255.255.255:0
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: comparing selectors
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: matched by rfc-rule-2
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: phase2 matched by subset
ike V=FW-LAB:1:to_LabTest_Vdom:0:7: local narrowing exactly matches static selector <----- The phase2 selectors are compared and 0.0.0.0/0 is selected because it matches at both ends.
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: accepted proposal:
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=FW-LAB:1:to_LabTest_Vdom:0:P2_to_LabTest_Vdom:7: TSr_0 0:0.0.0.0-255.255.255.255:0

 

Refer to RFC 7296 section 2.9, which states:

 

   To enable the responder to choose the appropriate range in this case,
   if the initiator has requested the SA due to a data packet, the
   initiator SHOULD include as the first Traffic Selector in each of TSi
   and TSr a very specific Traffic Selector including the addresses in
   the packet triggering the request.  In the example, the initiator
   would include in TSi two Traffic Selectors: the first containing the
   address range (198.51.100.43 - 198.51.100.43) and the source port and
   IP protocol from the packet and the second containing (198.51.100.0 -
   198.51.100.255) with all ports and IP protocols.  The initiator would
   similarly include two Traffic Selectors in TSr.  If the initiator
   creates the Child SA pair not in response to an arriving packet, but
   rather, say, upon startup, then there may be no specific addresses
   the initiator prefers for the initial tunnel over any other.  In that
   case, the first values in TSi and TSr can be ranges rather than
   specific values.

 

FortiGate follows RFC 7296, so sending two traffic selectors when a data packet triggers the phase2 negotiation is expected behavior, not a misconfiguration.
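The following Python model is an added example and is not FortiGate/FortiOS code; it does not reproduce the internal matching behind the "matched by rfc-rule-2" and "matched by subset" debug messages. It parses the TSi/TSr lines from the IKE debug above, shows how an RFC 7296 section 2.9 initiator builds the two-selector proposal from a triggering packet, and shows how a responder uses the first (specific) selector to pick a policy entry and narrows the proposal to it. With the article's 0.0.0.0/0 selector the result is the full range, matching the "accepted proposal" lines; the second responder policy (two /24 selectors) is a hypothetical case added to show narrowing of the broad selector.

```python
"""Model of IKEv2 traffic-selector negotiation from RFC 7296 section 2.9.

Added example, not FortiGate/FortiOS code. The sample debug lines are copied
from the article; the /24 responder policy is a constructed, hypothetical case.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class TS:
    """One traffic selector in the debug's 'proto:start-end:port' form (0 = any)."""
    proto: int
    start: IPv4
    end: IPv4
    port: int

    def contains(self, other: "TS") -> bool:
        return (self.start <= other.start <= other.end <= self.end
                and self.proto in (0, other.proto)
                and self.port in (0, other.port))

    def intersect(self, other: "TS") -> Optional["TS"]:
        """Narrow two selectors to their common range, or None if they do not overlap."""
        start, end = max(self.start, other.start), min(self.end, other.end)
        if start > end:
            return None
        if 0 not in (self.proto, other.proto) and self.proto != other.proto:
            return None
        if 0 not in (self.port, other.port) and self.port != other.port:
            return None
        return TS(self.proto or other.proto, start, end, self.port or other.port)

    def __str__(self) -> str:
        return f"{self.proto}:{self.start}-{self.end}:{self.port}"


def ts_from_cidr(cidr: str) -> TS:
    net = ipaddress.IPv4Network(cidr)
    return TS(0, net.network_address, net.broadcast_address, 0)


def ts_from_host(ip: str) -> TS:
    return TS(0, IPv4(ip), IPv4(ip), 0)


ANY = ts_from_cidr("0.0.0.0/0")  # the article's 0.0.0.0/0 phase2 selector

# Copied from the article's responder-side debug output ("peer proposal:").
PEER_PROPOSAL_DEBUG = [
    "ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSi_0 0:192.168.10.10-192.168.10.10:0",
    "ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSi_1 0:0.0.0.0-255.255.255.255:0",
    "ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSr_0 0: 192.168.20.20-192.168.20.20:0",
    "ike V=FW-LAB:1:to_LabTest_Vdom:0:7: TSr_1 0:0.0.0.0-255.255.255.255:0",
]

TS_LINE = re.compile(r"\b(TS[ir])_\d+\s+(\d+):\s*([\d.]+)-([\d.]+):(\d+)")


def parse_ike_debug(lines: List[str]) -> Dict[str, List[TS]]:
    """Collect the TSi/TSr entries from 'diagnose debug application ike' lines."""
    found: Dict[str, List[TS]] = {"TSi": [], "TSr": []}
    for line in lines:
        m = TS_LINE.search(line)
        if m:
            side, proto, start, end, port = m.groups()
            found[side].append(TS(int(proto), IPv4(start), IPv4(end), int(port)))
    return found


def initiator_proposal(pkt_src: str, pkt_dst: str, local_cfg: TS, remote_cfg: TS) -> Dict[str, List[TS]]:
    """RFC 7296 2.9: when a data packet triggers the Child SA, the initiator sends the
    packet's addresses as the first TS and its configured range as the second."""
    return {"TSi": [ts_from_host(pkt_src), local_cfg],
            "TSr": [ts_from_host(pkt_dst), remote_cfg]}


# A responder policy entry: (responder-local range, responder-remote range).
Policy = Tuple[TS, TS]


def _widest(cands: List[Optional[TS]]) -> TS:
    return max((c for c in cands if c is not None), key=lambda t: int(t.end) - int(t.start))


def responder_narrow(proposal: Dict[str, List[TS]], policies: List[Policy]) -> Optional[Dict[str, TS]]:
    """Use the initiator's first (most specific) TS pair to pick the policy entry that
    covers the triggering packet, then narrow the proposal to that entry. TSi describes
    the initiator's side, i.e. the responder's remote range. Returns None when no
    policy entry covers the packet (the responder would reject the Child SA)."""
    first_i, first_r = proposal["TSi"][0], proposal["TSr"][0]
    for local, remote in policies:
        if remote.contains(first_i) and local.contains(first_r):
            return {"TSi": _widest([remote.intersect(t) for t in proposal["TSi"]]),
                    "TSr": _widest([local.intersect(t) for t in proposal["TSr"]])}
    return None


if __name__ == "__main__":
    prop = parse_ike_debug(PEER_PROPOSAL_DEBUG)
    # Article's case: responder phase2 is 0.0.0.0/0 on both sides -> full range accepted.
    chosen = responder_narrow(prop, [(ANY, ANY)])
    print("accepted:", {k: str(v) for k, v in chosen.items()})
    # Hypothetical responder with /24 selectors: the 0.0.0.0/0 TS is narrowed to the /24s.
    narrowed = responder_narrow(prop, [(ts_from_cidr("192.168.20.0/24"), ts_from_cidr("192.168.10.0/24"))])
    print("narrowed:", {k: str(v) for k, v in narrowed.items()})
```

Running the script prints the accepted 0.0.0.0/0 pair for the article's configuration and the narrowed /24 pair for the hypothetical policy; `initiator_proposal("192.168.10.10", "192.168.20.20", ANY, ANY)` reproduces exactly the four TS lines seen in the debug, which is the behaviour the RFC excerpt describes.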
