
Created on 11-10-2004 12:00 AM
Edited on 06-09-2022 11:12 PM
By Anthony_E
Article
Description
This article describes how to configure VPN for multiple subnets.
Components
- FortiGate Antivirus Firewalls.
- 3rd party VPN gateway.
Solution
When configuring a site-to-site VPN between a FortiGate and another vendor's VPN gateway, it is necessary to configure only one (1) subnet per Phase 2 tunnel.
Although the FortiGate can associate multiple subnets (also known as 'proxy IDs') with a single Phase 2 SA, most other vendors do not support this.
Also, some vendors do not support an IP range as a selector/proxy ID. Be sure to define the firewall address as a subnet, not a range.
Symptoms.
- Only 1 subnet will be able to send traffic across the tunnel.
- The 3rd party VPN gateway may complain about 'invalid/unsupported proxy ID'.
Solution
To ensure that the FortiGate uses a separate SA for each subsequent subnet:
1) Define a separate Phase 2 tunnel for each subnet.
2) In the second encrypt firewall policy, reference the new Phase 2 tunnel.
For example:
Subnet A & B --- FGT ---------------- VPN GW ----- Subnet C
Subnet A >> Subnet C   ENCRYPT -- using Phase 2 tunnel #1
Subnet B >> Subnet C   ENCRYPT -- using Phase 2 tunnel #2
Example.
IPsec VPN between FortiGate and Cisco PIX firewall.
- Several subnets (or individual hosts) are hosted behind the PIX and/or the FortiGate (e.g. 10.0.0.1/32 and 10.0.0.2/32 behind the FortiGate, and 192.168.1.0/24 and 192.168.2.0/24 behind the PIX).
- Remote subnets (or hosts) are defined on the FortiGate as an Address Group (192.168.1.0/24 and 192.168.2.0/24).
Because the PIX firewall creates one SA (security association) per access-list entry, while the FortiGate unit creates one SA per Phase 2, the FortiGate must have a separate Phase 2 entry for each access-list line in the PIX configuration, such as:
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
In this example, the FortiGate is configured with two Firewall Policies, each one using a unique Phase 2 and each one pointing to the respective remote destination network.
The Address Group with the combined remote networks is not used.
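As an added illustration (not part of this article or of any Fortinet tooling), the following Python script parses PIX access-list lines in the format shown above and emits one FortiGate Phase 2 entry per line, with the selectors mirrored to the FortiGate's point of view. The sample access-list, the phase1 name "to_pix" and the use of the interface-mode phase2-interface syntax are assumptions made for the example.

```python
import re

# Constructed sample: the PIX side of the tunnel in the article, one
# access-list entry per (PIX-side network, FortiGate-side host) pair.
PIX_ACL = """
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.2
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.2
"""

# A PIX endpoint is "host A.B.C.D" or "A.B.C.D MASK". "any" or a range is
# rejected: a per-subnet Phase 2 needs a concrete subnet selector.
_EP = r"(?:host\s+(\d+\.\d+\.\d+\.\d+)|(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+))"
_LINE = re.compile(rf"^access-list\s+(\S+)\s+permit\s+ip\s+{_EP}\s+{_EP}\s*$")


def _subnet(m, i):
    """Return (address, mask) for endpoint i (0 = ACL source, 1 = ACL destination)."""
    host, net, mask = m.group(2 + 3 * i), m.group(3 + 3 * i), m.group(4 + 3 * i)
    return (host, "255.255.255.255") if host else (net, mask)


def parse_pix_acl(text):
    """One (pix_side, fortigate_side) selector pair per permit line, in file order."""
    pairs = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported access-list line: {line!r}")
        pairs.append((_subnet(m, 0), _subnet(m, 1)))
    return pairs


def fortigate_phase2(pairs, phase1name="to_pix"):
    """Emit one phase2-interface entry per ACL line (assumed interface-mode syntax).
    The PIX source becomes the FortiGate dst-subnet and vice versa."""
    out = ["config vpn ipsec phase2-interface"]
    for n, ((pix_net, pix_mask), (fgt_net, fgt_mask)) in enumerate(pairs, 1):
        out += [f'    edit "{phase1name}_p2_{n}"',
                f'        set phase1name "{phase1name}"',
                f"        set src-subnet {fgt_net} {fgt_mask}",
                f"        set dst-subnet {pix_net} {pix_mask}",
                "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(fortigate_phase2(parse_pix_acl(PIX_ACL)))
```

Each emitted entry still needs its own firewall policy referencing it, as the article's solution steps describe.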