Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bvagadia
Staff
Staff

Created on ‎02-19-2022 04:33 AM Edited on ‎02-19-2022 07:34 AM By Community Manager

Article Id 205118

Technical Tip: IPsec VPN between FortiGate and other Vendor with multiple subnets

Description This article addresses the issue of not being able to reach out to peer IP when connecting to a non FortiGate unit with multiple subnets configured.
Scope  
Solution

If there are more than one subnets (both local and remote) configured over the IPsec VPN, there should be more than one phase2 selector configured instead of including multiple firewall addresses in a single firewall deal with group and defining it as a single phase2 selector.

The purpose is that once there's only one phase2 selector defined on the FortiGate, it will use the identical SPI value to deliver up segment 2 for all the subnets which are configured on its phase2.


this doesn't regularly work with supplier units because it expects exceptional SPI values for all the configured subnets.

Therefore, it is advised to apply separate phase2 selectors when the IPsec VPN tunnel is configured among FortiGate and third-party vendors as every vendor has its own IPSec implementation.


The answer is to configure multiple phase2 selectors on the FortiGate in order that every of the configured phase2 will use a completely unique SPI value for every of the one-of-a-kind subnets.

 

Route-based IPsec VPN.

# config vpn ipsec phase2-interface
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end

 

Policy Based IPsec VPN.

# config vpn ipsec phase2
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0

 

 

It is possible to configure mesh-selector-type.

 

mesh-selector-type {disable | subnet | host}

 

Note.

This entry is only available when ike-version is set to 1.

Disable (by default) or set dynamic mesh selectors for IKEv1 VPNs to either subnet or host.

 

Note that dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.

 

Use subnet to install a selector for the address group that matches traffic packets.

 

Use host to install selector for the source and destination IP addresses of traffic packets.
6499
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.