Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: IKE v2 traffic selector narrowing
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article explains the result of selector narrowing in conjunction with IKE v2.
Reference:
https://datatracker.ietf.org/doc/html/rfc5996
Scope
FortiGate.
Solution
Unlike IKEv1, IKEv2 allows the responder to choose a subset of the traffic proposed by the initiator. This is called traffic selector narrowing.
For example, we have two peers, ISFW and NGFW-1.
On NGFW-1 we configure the subnets and on the ISFW we use wildcard selectors:
NGFW-1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
set src-subnet 172.16.1.0 255.255.255.0
set dst-subnet 192.168.1.0 255.255.255.0
next
ISFW # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
next end
ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=212 txp=212 rxb=33072 txb=17808
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=2 Dynamic proxyid as a result of selector narrowing
src: 0:192.168.1.0-192.168.1.255:0
dst: 0:172.16.1.0-172.16.1.255:0
SA: ref=3 options=30602 type=00 soft=0 mtu=1438 expire=42622/0B replaywin=2048
seqno=d5 esn=0 replaywin_lastseq=000000d5 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42929/43200
dec: spi=7c708557 esp=aes key=32 67e0e0a2b091e4a167926a294bb8cf17258cf3b4cd9818ed3da328eb19f11fe7
ah=sha256 key=32 6cb7e2d7b80e9f6f291966e4437ac0260dca28795d33d75dc9128ac9924fa2d2
enc: spi=cf9d8cf9 esp=aes key=32 232047b7e1cecf590ac0225b4f383a83248f3d4f1f825b2247086def7e075d5a
ah=sha256 key=32 acc5ae0336399e875e1876f91c7296ad28d50b72439689904e2b3c2e761f2c2a
dec:pkts/bytes=212/17808, enc:pkts/bytes=212/33072
proxyid=SITE_to_SITE proto=0 sa=0 ref=1 serial=1 Static proxyid from the configuration
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
If the phase2 configuration of the ISFW is changed to match the configuration of the NGFW-1:
ISFW # show vpn ipsec phase2-interface
# config vpn ipsec phase2-interface
edit "SITE_to_SITE"
set phase1name "SITE_to_SITE"
set proposal aes256-sha256
set src-subnet 192.168.1.0 255.255.255.0
set dst-subnet 172.16.1.0 255.255.255.0
next
end
There will be no more dynamic proxyid created:
ISFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SITE_to_SITE ver=2 serial=1 10.1.0.1:0->10.1.0.254:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=379 txp=379 rxb=59124 txb=31836
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SITE_to_SITE proto=0 sa=1 ref=3 serial=3
src: 0:192.168.1.0/255.255.255.0:0
dst: 0:172.16.1.0/255.255.255.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42902/0B replaywin=2048
seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=7c708558 esp=aes key=32 bcb32bca9ae50ed5198929a0cb0701969b38778b969f16cfda88e415a9e2d5d2
ah=sha256 key=32 acf95e65e34a4303eba23280897b971ffcc4d32bd0950a49b50a52e8e425a1c6
enc: spi=cf9d8cfa esp=aes key=32 e3ab9aa28414ff705478695d32f20dd9bd189c4e86bb373fd5096d18fb8cfa75
ah=sha256 key=32 a5988db530312fd916b442c58678eff46ed253eef8aa8fa0a346cd6f977cc0d8
dec:pkts/bytes=1/84, enc:pkts/bytes=1/156
run_tally=1
Related articles:
Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'
Technical Tip : Dynamic creation of IPsec tunnels (IKEv1 dynamic selector configuration)
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.