FortiGate
Nishtha_Baria
Article Id 259585
Description

This article describes how to add a subnet on the local side, the remote side, or both sides of an existing custom IPsec tunnel. This requires a change to the phase 2 selectors of the tunnel.
Scope

FortiGate.

Solution

To add a new subnet to the phase 2 selector of a custom tunnel there are two approaches:

  1. If the phase 2 selector is specified as a named address group, add the new subnet to the existing group. Use this when a separate phase 2 selector is not wanted.
  2. Add a new phase 2 selector.

 


Follow the steps below for both methods:

  1. Adding a subnet to an existing group:
  • If the phase 2 selectors of the tunnel reference named address groups, as in the tunnel below, there is no need to create a separate phase 2 selector:

1.PNG

The image below shows how the address groups look with the existing settings.

The 'VPNCustomLocal' and 'VPNCustomremote' address groups are the ones used by the example VPN tunnel:

 

3.PNG

Add the new subnet address to the existing group, either the remote or the local one, and select OK. Because static routes and firewall policies reference the group by name, any static route or policy that uses the same group is updated automatically; no further change is needed there. To be able to select the address group in a static route, enable 'Static route configuration' on the address objects and on the address group (on the CLI this is 'set allow-routing enable'), then select the group ('VpnCustomlocal' in the screenshot below) as the destination of the route. The destination of such a route must be the subnets that are reached through the tunnel, that is, the subnets on the peer's side. The remote peer's phase 2 selectors must be changed to match, otherwise the phase 2 SA for the new subnet is not negotiated and traffic for it is not sent through the tunnel.

static_route.JPG

  2. Add a new phase 2 selector:
  • To add a new phase 2 selector, go to VPN -> IPsec Tunnels and edit the tunnel.

Under Phase 2 Selectors, locate the Add button as shown in the screenshot below, enter the new subnet as the local or remote address of the new selector, then select OK to save the new settings:

6.PNG
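The same two methods from the FortiOS CLI, as an added example that is not part of the original article. The tunnel name 'VPNCustom', the new subnet 10.20.30.0/24, the address object name 'Remote_LAN_10.20.30.0' and the phase 2 name 'VPNCustom_p2_new' are assumptions; the group names are the ones shown in the screenshots above.

```fortios
# Added example (not from the article). Assumed names: tunnel "VPNCustom",
# address groups "VPNCustomLocal" / "VPNCustomremote" (as in the screenshots),
# new subnet 10.20.30.0/24 located behind the remote peer.

# Create the address object for the new subnet. 'allow-routing' is the CLI
# equivalent of the GUI toggle 'Static route configuration'.
config firewall address
    edit "Remote_LAN_10.20.30.0"
        set subnet 10.20.30.0 255.255.255.0
        set allow-routing enable
    next
end

# Method 1: extend the group that the existing phase 2 selector already uses.
# 'append' adds to the member list without replacing the current members.
# Every phase 2 selector, firewall policy and static route that references
# the group picks up the new subnet automatically.
config firewall addrgrp
    edit "VPNCustomremote"
        append member "Remote_LAN_10.20.30.0"
        set allow-routing enable
    next
end

# Method 2: add a separate phase 2 selector instead. The selector is bound
# to the tunnel through phase1name; src/dst can be named objects or subnets.
config vpn ipsec phase2-interface
    edit "VPNCustom_p2_new"
        set phase1name "VPNCustom"
        set src-addr-type name
        set src-name "VPNCustomLocal"
        set dst-addr-type name
        set dst-name "Remote_LAN_10.20.30.0"
    next
end

# With a separate selector the static route is not updated by itself:
# route the new subnet into the tunnel interface ('edit 0' takes the next
# free sequence number).
config router static
    edit 0
        set dstaddr "Remote_LAN_10.20.30.0"
        set device "VPNCustom"
    next
end

# Verify that the selector for the new subnet is present and negotiated;
# the peer must carry the matching subnet on its side or the phase 2 SA
# for it will not come up.
diagnose vpn tunnel list name VPNCustom
```

Use either the addrgrp block (method 1) or the phase2-interface block (method 2) for a given subnet, not both, so that the subnet is not covered by two selectors. With method 2 the firewall policies for the tunnel must also be extended with the new address object, since they do not reference the existing groups for it.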

 

Related article: 

Technical Tip: Static routes with address objects or groups