FortiGate
bvagadia
Staff
Article Id 205118
Description This article addresses the issue of not being able to reach IP addresses behind the peer when an IPsec VPN to a non-FortiGate unit is configured with multiple subnets.
Scope  
Solution

If more than one subnet (local and/or remote) is carried over the IPsec VPN, configure more than one phase2 selector rather than putting the subnets into a single firewall address group and using that group as a single phase2 selector.

The reason is that when only one phase2 selector is defined on the FortiGate, it uses the same SPI value (a single phase2 SA) to bring up phase 2 for all the subnets configured in that phase2.

This often does not work with third-party vendor units, because the peer expects a distinct SPI value (a separate phase2 SA) for each configured subnet pair.

Therefore, it is advised to use separate phase2 selectors when an IPsec VPN tunnel is configured between a FortiGate and a third-party vendor device, as every vendor has its own IPsec implementation.


The solution is to configure multiple phase2 selectors on the FortiGate so that each configured phase2 negotiates its own SA, with a unique SPI value, for each of the different subnets. After the change, diagnose vpn tunnel list shows one proxyid (phase2) per selector, each with its own inbound and outbound SPI.

Route-based IPsec VPN.

# config vpn ipsec phase2-interface
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end
Policy Based IPsec VPN.

# config vpn ipsec phase2
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end
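
As an added check for the configuration above (example code written for this article, not Fortinet's or the author's), the Python script below reads a FortiGate configuration in the plain config / edit / set / next / end form that a backup or "show" produces, flags every phase2 selector whose source or destination side resolves through a firewall address group to more than one subnet, and renders the equivalent per-subnet phase2 entries. The sample configuration, the object names ("cisco-nets", "Bad selector") and the helper functions are constructed for illustration; src-addr-type, dst-addr-type, src-name, dst-name, member and subnet are the FortiOS attribute names.

```python
"""Flag FortiGate phase2 selectors that cover several subnets through a single
firewall address group and render per-subnet selectors instead. Added example
for this article, not Fortinet code; the FortiOS config text is constructed."""
import shlex
from itertools import product

# "Bad selector" hides two remote subnets behind one address group (the pattern
# the article warns about); "First subnet" uses one subnet pair, as advised.
SAMPLE_CONFIG = """\
config firewall address
    edit "cisco-net-a"
        set subnet 10.142.0.0 255.255.254.0
    next
    edit "cisco-net-b"
        set subnet 10.143.0.0 255.255.254.0
    next
end
config firewall addrgrp
    edit "cisco-nets"
        set member "cisco-net-a" "cisco-net-b"
    next
end
config vpn ipsec phase2-interface
    edit "Bad selector"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-addr-type name
        set dst-name "cisco-nets"
    next
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into {section: {entry: {attribute: [values]}}},
    tracking nested config blocks with a path stack."""
    tree, path = {}, []  # path holds ("config"|"edit", name), innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or backup header
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            path.append(("config", " ".join(args)))
        elif cmd == "edit":
            path.append(("edit", args[0]))
        elif cmd in ("next", "end"):
            path.pop()
        elif cmd == "set":
            section = " ".join(n for kind, n in path if kind == "config")
            entry = path[-1][1] if path and path[-1][0] == "edit" else ""
            tree.setdefault(section, {}).setdefault(entry, {})[args[0]] = args[1:]
    return tree

def resolve_subnets(tree, name, _seen=()):
    """Expand an address or address-group name to 'ip mask' strings,
    following nested groups and refusing reference loops."""
    if name in _seen:
        raise ValueError(f"address group loop at {name!r}")
    group = tree.get("firewall addrgrp", {}).get(name)
    if group is not None:
        return [s for m in group.get("member", [])
                for s in resolve_subnets(tree, m, _seen + (name,))]
    addr = tree.get("firewall address", {}).get(name, {})
    if "subnet" not in addr:
        raise KeyError(f"{name!r} is not a subnet-type address object")
    return [" ".join(addr["subnet"])]

def selector_subnets(tree, p2, side):
    """Subnets on one side ('src'/'dst') of a phase2 selector; handles the
    'subnet' (default) and 'name' address types only."""
    addr_type = p2.get(f"{side}-addr-type", ["subnet"])[0]
    if addr_type == "name":
        return resolve_subnets(tree, p2[f"{side}-name"][0])
    if addr_type != "subnet":
        raise NotImplementedError(f"{side}-addr-type {addr_type} not handled")
    return [" ".join(p2.get(f"{side}-subnet", ["0.0.0.0", "0.0.0.0"]))]

def multi_subnet_selectors(tree, section="vpn ipsec phase2-interface"):
    """(name, src_subnets, dst_subnets) for each selector whose src or dst side
    covers more than one subnet, i.e. one SA (one SPI pair) for all of them."""
    out = []
    for name, p2 in tree.get(section, {}).items():
        src, dst = selector_subnets(tree, p2, "src"), selector_subnets(tree, p2, "dst")
        if len(src) > 1 or len(dst) > 1:
            out.append((name, src, dst))
    return out

def split_selector(tree, name, p2):
    """One 'edit' block per src/dst subnet pair, so each pair negotiates its own
    phase2 SA. Only phase1name is copied; carry over proposal, PFS, etc. by hand."""
    pairs = product(selector_subnets(tree, p2, "src"), selector_subnets(tree, p2, "dst"))
    return ["\n".join([f'    edit "{name} {i}"',
                       f'        set phase1name "{p2["phase1name"][0]}"',
                       f"        set src-subnet {src}",
                       f"        set dst-subnet {dst}",
                       "    next"]) for i, (src, dst) in enumerate(pairs, 1)]
```

Run against the constructed sample, multi_subnet_selectors(parse_fortios(SAMPLE_CONFIG)) reports only "Bad selector" (one source subnet, two destination subnets) and leaves "First subnet" alone. split_selector then renders "Bad selector" as two edit blocks, one per destination subnet, in the same form as the configuration shown above. Only phase1name is carried over, so proposal, PFS and auto-negotiate settings still have to be set on each new phase2, and the address-group selector should be removed once the replacements are in place.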
For IKEv1 tunnels there is also the mesh-selector-type option on the phase2 selector, which lets the FortiGate install narrower selectors dynamically as matching traffic arrives:

mesh-selector-type {disable | subnet | host}

Note.

This entry is only available when ike-version is set to 1.

Disable (the default) or set dynamic mesh selectors for IKEv1 VPNs to either subnet or host.

Note that dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.

Use subnet to install a selector for the subnet in the address group that matches the traffic packets.

Use host to install a selector for the source and destination IP addresses of the traffic packets.
