FortiGate
aionescu
Staff
Article Id 196355

Description


This article explains the result of traffic selector narrowing in IKEv2 and how it shows up on a FortiGate.

Reference:
https://datatracker.ietf.org/doc/html/rfc5996 (section 2.9, Traffic Selector Negotiation)

Scope

FortiGate.

Solution


Unlike IKEv1, IKEv2 allows the responder to choose a subset of the traffic selectors proposed by the initiator. This is called traffic selector narrowing.


For example, take two peers, ISFW and NGFW-1.
On NGFW-1 the subnets are configured explicitly, while on the ISFW no src-subnet or dst-subnet is set, so it uses wildcard selectors (0.0.0.0/0):

NGFW-1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "SITE_to_SITE"
        set phase1name "SITE_to_SITE"
        set proposal aes256-sha256
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end


ISFW # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "SITE_to_SITE"
        set phase1name "SITE_to_SITE"
        set proposal aes256-sha256
    next
end
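To make the narrowing step concrete, here is an added example (not FortiOS code and not part of the original article) that computes what the responder keeps when it intersects the initiator's proposal with its own phase2 selectors, using the two configurations above. It models each selector as an IPv4 range plus a port range and a protocol, as RFC 5996 section 2.9 describes; the FortiGate-style rendering, the `WILDCARD` default for an unset subnet, and the assumption that the trailing 0 in the diagnose output means any port are the example's own. The two extra cases at the end (a responder that only allows half of 192.168.1.0/24, and one with no overlap at all) are constructed.

```python
"""Traffic selector narrowing (RFC 5996, section 2.9) worked through for the
two peers above. Added example, not FortiOS code; inputs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_PROTO = 0  # FortiGate prints proto=0 for "any protocol"


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 traffic selector: an IPv4 range, a port range and a protocol."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    proto: int = ANY_PROTO
    port_start: int = 0
    port_end: int = 65535

    @classmethod
    def from_subnet(cls, address: str, mask: str = "255.255.255.255") -> "TrafficSelector":
        """Build from the 'set src-subnet <address> <mask>' notation."""
        net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
        return cls(net.network_address, net.broadcast_address)

    def fortigate_style(self) -> str:
        """Render like the src:/dst: lines of 'diagnose vpn tunnel list'
        (proto:start-end:port). Assumption: the trailing 0 means any port."""
        if (self.port_start, self.port_end) == (0, 65535):
            port = "0"
        else:
            port = f"{self.port_start}-{self.port_end}"
        return f"{self.proto}:{self.start}-{self.end}:{port}"


# A phase2 without src-subnet/dst-subnet behaves as 0.0.0.0/0 (the static
# proxyid on the ISFW shows 0.0.0.0/0.0.0.0).
WILDCARD = TrafficSelector.from_subnet("0.0.0.0", "0.0.0.0")


def narrow(proposed: TrafficSelector, local: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersect a selector proposed by the initiator with the responder's own
    configured selector. None means there is no overlap at all."""
    if ANY_PROTO not in (proposed.proto, local.proto) and proposed.proto != local.proto:
        return None
    proto = local.proto if proposed.proto == ANY_PROTO else proposed.proto
    start, end = max(proposed.start, local.start), min(proposed.end, local.end)
    p_start = max(proposed.port_start, local.port_start)
    p_end = min(proposed.port_end, local.port_end)
    if start > end or p_start > p_end:
        return None
    return TrafficSelector(start, end, proto, p_start, p_end)


def responder_selectors(init_src: TrafficSelector, init_dst: TrafficSelector,
                        resp_src: TrafficSelector, resp_dst: TrafficSelector
                        ) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """What the responder ends up with. The initiator sends TSi = its src-subnet
    and TSr = its dst-subnet; on the responder those are the remote (dst) and
    local (src) side respectively. Returns (src, dst) from the responder's point
    of view, or None where the responder would reply TS_UNACCEPTABLE."""
    src = narrow(init_dst, resp_src)
    dst = narrow(init_src, resp_dst)
    if src is None or dst is None:
        return None
    return src, dst


if __name__ == "__main__":
    # Values from the two configurations above: NGFW-1 initiates, ISFW responds
    ngfw_src = TrafficSelector.from_subnet("172.16.1.0", "255.255.255.0")
    ngfw_dst = TrafficSelector.from_subnet("192.168.1.0", "255.255.255.0")
    result = responder_selectors(ngfw_src, ngfw_dst, WILDCARD, WILDCARD)
    for side, ts in zip(("src", "dst"), result):
        print(f"  {side}: {ts.fortigate_style()}")
    # Constructed variant: the responder only allows half of 192.168.1.0/24
    half = TrafficSelector.from_subnet("192.168.1.0", "255.255.255.128")
    print(responder_selectors(ngfw_src, ngfw_dst, half, WILDCARD)[0].fortigate_style())
    # Constructed variant: no overlap at all, the responder rejects the proposal
    other = TrafficSelector.from_subnet("10.9.0.0", "255.255.0.0")
    print(responder_selectors(ngfw_src, ngfw_dst, other, WILDCARD))
```

With the page's two configurations the function returns exactly the `src`/`dst` ranges that appear on the dynamic proxyid in the diagnose output further down; with the half-subnet responder it returns 192.168.1.0-192.168.1.127, and with no overlap it returns None, which is the case where the responder answers with TS_UNACCEPTABLE and no CHILD_SA is created.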

ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=2 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=212 txp=212 rxb=33072 txb=17808
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=2    <-- dynamic proxyid, the result of selector narrowing
  src: 0:192.168.1.0-192.168.1.255:0
  dst: 0:172.16.1.0-172.16.1.255:0
  SA:  ref=3 options=30602 type=00 soft=0 mtu=1438 expire=42622/0B replaywin=2048
       seqno=d5 esn=0 replaywin_lastseq=000000d5 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42929/43200
  dec: spi=7c708557 esp=aes key=32 67e0e0a2b091e4a167926a294bb8cf17258cf3b4cd9818ed3da328eb19f11fe7
       ah=sha256 key=32 6cb7e2d7b80e9f6f291966e4437ac0260dca28795d33d75dc9128ac9924fa2d2
  enc: spi=cf9d8cf9 esp=aes key=32 232047b7e1cecf590ac0225b4f383a83248f3d4f1f825b2247086def7e075d5a
       ah=sha256 key=32 acc5ae0336399e875e1876f91c7296ad28d50b72439689904e2b3c2e761f2c2a
  dec:pkts/bytes=212/17808, enc:pkts/bytes=212/33072
proxyid=SITE_to_SITE proto=0 sa=0 ref=1 serial=1    <-- static proxyid from the configuration
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
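An added example (not part of the article and not FortiOS code) that parses the text of `diagnose vpn tunnel list` and reports which proxyids were produced by narrowing, so the mismatch between the two peers' phase2 selectors can be spotted from the CLI output rather than by eye. The two samples inside it are constructed, trimmed excerpts modelled on the output above and below, with the SA and key lines left out. The heuristic that narrowed selectors print as start-end ranges while configured subnets print as net/mask is taken from this article's output and is an assumption for other FortiOS versions.

```python
"""Spot proxyids created by selector narrowing in 'diagnose vpn tunnel list'
output. Added example; both samples are constructed, trimmed excerpts modelled
on the output in this article (SA key material left out)."""
import re
from typing import Dict, List, Optional

# Constructed: before the ISFW configuration was changed (two proxyids, one dynamic)
BEFORE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
proxyid_num=2 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=2
  src: 0:192.168.1.0-192.168.1.255:0
  dst: 0:172.16.1.0-172.16.1.255:0
proxyid=SITE_to_SITE proto=0 sa=0 ref=1 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
"""

# Constructed: after src-subnet/dst-subnet were set on the ISFW (single proxyid)
AFTER = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=3
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:172.16.1.0/255.255.255.0:0
run_tally=1
"""

NAME_RE = re.compile(r"^name=(?P<name>\S+) ver=(?P<ver>\d+)")
NUM_RE = re.compile(r"^proxyid_num=(?P<num>\d+)")
PROXYID_RE = re.compile(r"^proxyid=(?P<name>\S+) proto=\d+ sa=(?P<sa>\d+) ref=\d+ serial=(?P<serial>\d+)")
SELECTOR_RE = re.compile(r"^\s+(?P<side>src|dst): (?P<proto>\d+):(?P<addr>\S+):(?P<port>\d+)$")
# Narrowed selectors print as start-end ranges, configured subnets as net/mask
# (assumption drawn from the output shown in this article).
RANGE_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$")


def parse_tunnel_list(text: str) -> List[Dict]:
    """Return one dict per tunnel with its proxyid entries and their selectors."""
    tunnels: List[Dict] = []
    tunnel: Optional[Dict] = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            tunnel = {"name": m["name"], "ver": int(m["ver"]), "proxyid_num": 0, "proxyids": []}
            tunnels.append(tunnel)
            continue
        if tunnel is None:
            continue
        m = NUM_RE.match(line)
        if m:
            tunnel["proxyid_num"] = int(m["num"])
            continue
        m = PROXYID_RE.match(line)
        if m:
            tunnel["proxyids"].append({"serial": int(m["serial"]), "sa": int(m["sa"]),
                                       "src": None, "dst": None})
            continue
        m = SELECTOR_RE.match(line)
        if m and tunnel["proxyids"]:
            tunnel["proxyids"][-1][m["side"]] = m["addr"]
    return tunnels


def narrowed_serials(tunnel: Dict) -> List[int]:
    """Serials of proxyids whose selectors are ranges, i.e. produced by
    narrowing rather than taken from a configured subnet."""
    return [p["serial"] for p in tunnel["proxyids"]
            if p["src"] and p["dst"] and RANGE_RE.match(p["src"]) and RANGE_RE.match(p["dst"])]


def narrowing_report(text: str) -> List[Dict]:
    """Per IKEv2 tunnel: which proxyids came from narrowing, and which
    configured (static) proxyids sit idle without an SA because of it."""
    report = []
    for t in parse_tunnel_list(text):
        if t["ver"] != 2:  # narrowing is an IKEv2 feature; skip IKEv1 tunnels
            continue
        narrowed = narrowed_serials(t)
        idle_static = [p["serial"] for p in t["proxyids"]
                       if p["sa"] == 0 and p["serial"] not in narrowed]
        report.append({"name": t["name"], "proxyid_num": t["proxyid_num"],
                       "narrowed": narrowed, "idle_static": idle_static})
    return report


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, narrowing_report(sample))
```

Fed with real output from the CLI (for example by reading it from stdin), a non-empty `narrowed` list on a tunnel means the responder had to shrink what the initiator proposed, which is exactly the situation this article describes; the fix is to make the phase2 selectors agree on both peers rather than to rely on the dynamic proxyid.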

If the phase2 configuration of the ISFW is changed to match the configuration of NGFW-1:

ISFW # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "SITE_to_SITE"
        set phase1name "SITE_to_SITE"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end

Both peers now propose the same selectors, so there is nothing to narrow and no dynamic proxyid is created any more:

ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=379 txp=379 rxb=59124 txb=31836
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=3
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:172.16.1.0/255.255.255.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42902/0B replaywin=2048
       seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=7c708558 esp=aes key=32 bcb32bca9ae50ed5198929a0cb0701969b38778b969f16cfda88e415a9e2d5d2
       ah=sha256 key=32 acf95e65e34a4303eba23280897b971ffcc4d32bd0950a49b50a52e8e425a1c6
  enc: spi=cf9d8cfa esp=aes key=32 e3ab9aa28414ff705478695d32f20dd9bd189c4e86bb373fd5096d18fb8cfa75
       ah=sha256 key=32 a5988db530312fd916b442c58678eff46ed253eef8aa8fa0a346cd6f977cc0d8
  dec:pkts/bytes=1/84, enc:pkts/bytes=1/156
run_tally=1


Related articles:

Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'

Technical Tip: Dynamic creation of IPsec tunnels (IKEv1 dynamic selector configuration)