Description
This article explains the result of selector narrowing in conjunction with IKE v2.
Reference:
https://datatracker.ietf.org/doc/html/rfc5996
Scope
FortiGate.
Solution
Unlike IKEv1, where the selectors proposed by both peers have to match, IKEv2 allows the responder to choose a subset of the traffic selectors proposed by the initiator (RFC 5996, section 2.9). This is called traffic selector narrowing.
For example, we have two peers, ISFW and NGFW-1.
On NGFW-1 the subnets are configured explicitly, while the ISFW keeps the default wildcard selectors (src-subnet and dst-subnet left at 0.0.0.0/0):
NGFW-1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
set src-subnet 172.16.1.0 255.255.255.0
set dst-subnet 192.168.1.0 255.255.255.0
next
ISFW # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
next
end
ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=212 txp=212 rxb=33072 txb=17808
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=2    <--- Dynamic proxyid as a result of selector narrowing
src: 0:192.168.1.0-192.168.1.255:0
dst: 0:172.16.1.0-172.16.1.255:0
SA: ref=3 options=30602 type=00 soft=0 mtu=1438 expire=42622/0B replaywin=2048
seqno=d5 esn=0 replaywin_lastseq=000000d5 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42929/43200
dec: spi=7c708557 esp=aes key=32 67e0e0a2b091e4a167926a294bb8cf17258cf3b4cd9818ed3da328eb19f11fe7
ah=sha256 key=32 6cb7e2d7b80e9f6f291966e4437ac0260dca28795d33d75dc9128ac9924fa2d2
enc: spi=cf9d8cf9 esp=aes key=32 232047b7e1cecf590ac0225b4f383a83248f3d4f1f825b2247086def7e075d5a
ah=sha256 key=32 acc5ae0336399e875e1876f91c7296ad28d50b72439689904e2b3c2e761f2c2a
dec:pkts/bytes=212/17808, enc:pkts/bytes=212/33072
proxyid=SITE_to_SITE proto=0 sa=0 ref=1 serial=1    <--- Static proxyid from the configuration
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
If the phase2 configuration of the ISFW is changed to match the configuration of the NGFW-1:
ISFW # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
set src-subnet 192.168.1.0 255.255.255.0
set dst-subnet 172.16.1.0 255.255.255.0
next
end
No dynamic proxyid is created any more; the tunnel now carries a single proxyid that matches the static configuration (proxyid_num=1):
ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=379 txp=379 rxb=59124 txb=31836
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=3
src: 0:192.168.1.0/255.255.255.0:0
dst: 0:172.16.1.0/255.255.255.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42902/0B replaywin=2048
seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=7c708558 esp=aes key=32 bcb32bca9ae50ed5198929a0cb0701969b38778b969f16cfda88e415a9e2d5d2
ah=sha256 key=32 acf95e65e34a4303eba23280897b971ffcc4d32bd0950a49b50a52e8e425a1c6
enc: spi=cf9d8cfa esp=aes key=32 e3ab9aa28414ff705478695d32f20dd9bd189c4e86bb373fd5096d18fb8cfa75
ah=sha256 key=32 a5988db530312fd916b442c58678eff46ed253eef8aa8fa0a346cd6f977cc0d8
dec:pkts/bytes=1/84, enc:pkts/bytes=1/156
run_tally=1
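The two outputs above can be reproduced as a range intersection, which is all that IKEv2 selector narrowing is: each peer's negotiated src is the overlap of its own src selector with the peer's dst selector, and vice versa. The Python below is an added example, not FortiGate code or output; the names Selector, intersect and negotiate are this example's own, the addresses are those of the article's ISFW and NGFW-1 configurations, and it models address ranges only (proto 0, any port, as in the proto=0 lines of the diagnose output). The "dynamic" flag is set when the negotiated pair differs from the locally configured pair, which is the condition under which the ISFW output shows the extra dynamic proxyid.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One IKEv2 TS_IPV4_ADDR_RANGE, addresses only (assumption: proto 0,
    any port, as in the article's 'proto=0' output). Inclusive start/end."""
    start: IPv4Address
    end: IPv4Address

    @classmethod
    def subnet(cls, cidr: str) -> "Selector":
        # A phase2 src-subnet/dst-subnet becomes the range first..last address
        net = IPv4Network(cidr, strict=False)
        return cls(net.network_address, net.broadcast_address)

    def __str__(self) -> str:
        return f"{self.start}-{self.end}"


# FortiGate default for src-subnet / dst-subnet: 0.0.0.0/0 (wildcard)
ANY = Selector.subnet("0.0.0.0/0")


def intersect(a: Selector, b: Selector) -> Optional[Selector]:
    """Overlap of two ranges, or None when they are disjoint."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return Selector(start, end) if start <= end else None


def negotiate(local: Tuple[Selector, Selector],
              peer: Tuple[Selector, Selector]) -> Tuple[Selector, Selector, bool]:
    """Child SA selectors as seen from the `local` peer.

    `local` and `peer` are the (src, dst) pairs configured on each side.
    Traffic the peer calls 'src' is our 'dst', so the intersection is
    taken crosswise. Returns (src, dst, dynamic): `dynamic` is True when
    the negotiated pair differs from local's configured pair, i.e. when
    narrowing produced a proxyid that is not the static one.
    Raises ValueError when there is no overlap at all (TS_UNACCEPTABLE).
    """
    local_src, local_dst = local
    peer_src, peer_dst = peer
    src = intersect(local_src, peer_dst)
    dst = intersect(local_dst, peer_src)
    if src is None or dst is None:
        raise ValueError("TS_UNACCEPTABLE: configured selectors do not overlap")
    return src, dst, (src, dst) != (local_src, local_dst)


# Configurations from the article (constructed here from its CLI listings)
NGFW_1 = (Selector.subnet("172.16.1.0/24"), Selector.subnet("192.168.1.0/24"))
ISFW_WILDCARD = (ANY, ANY)                                   # first scenario
ISFW_MATCHED = (Selector.subnet("192.168.1.0/24"),           # second scenario
                Selector.subnet("172.16.1.0/24"))

if __name__ == "__main__":
    for label, cfg in (("wildcard", ISFW_WILDCARD), ("matched", ISFW_MATCHED)):
        src, dst, dynamic = negotiate(cfg, NGFW_1)
        print(f"ISFW ({label}): src={src} dst={dst} dynamic_proxyid={dynamic}")
```

Running it prints the narrowed 192.168.1.0-192.168.1.255 / 172.16.1.0-172.16.1.255 pair with dynamic_proxyid=True for the wildcard configuration and the same pair with dynamic_proxyid=False once the ISFW selectors match NGFW-1, mirroring proxyid_num=2 versus proxyid_num=1 in the two diagnose outputs. Seen from NGFW-1 the result is never dynamic, because its explicit /24 selectors are already the narrowest side.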
Related articles:
Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'
Technical Tip: Dynamic creation of IPsec tunnels (IKEv1 dynamic selector configuration)