Support Forum
fortiFWuser
Contributor

IPsec VPN phase 2 selectors

Hello,

I have set up a custom S2S VPN.

At the Phase 2 Selectors I have configured "Named Address" objects with groups.

The local group contains 2 IPs, and the remote contains a subnet and 2 IPs.

At the IPsec Monitor, though, I see two phase 2 selectors.

Why is that?

Thanks and regards,

Konstantinos

akristof
Staff

Hi,

It depends on multiple factors. Is it ikev2? Is it s2s between FortiGates? You can check "diag vpn tunnel list" and check the VPN to see what exactly was negotiated.

Adrian
fortiFWuser

Hello,

Yes, it is IKEv2.

It is not between FortiGates. It is custom.
akristof

In that case, you might be seeing selector narrowing. If you don't have exactly the same selectors in the groups, they might get narrowed, for example if you have a /24 on one side and a /26 on the other. In that case you will see 2 phase2s: the original one created by you and another that was negotiated.

Adrian
fortiFWuser
Contributor

So the other side could have different local or remote subnets.

I will check the logs.
seshuganesh
Staff

Hi Team,

Could you please paste a screenshot of the local and remote phase2 selectors on the FortiGate firewall.

We will keep you posted.
fortiFWuser
Contributor

[screenshot attachment: fortiFWuser_0-1655455359208.png]

audiocodesLocalGrp contains 2 private IPs:

10.16.239.205/32
10.16.239.206/32

audiocodesSubnetsGrp contains 2 private IPs and a subnet:

192.168.213.100/32
192.168.203.24/32
192.168.212.128/25
seshuganesh

Thanks for sharing the selectors.

I believe the firewall will narrow down the phase 2 selectors in this way:

First phase 2 selector:

Local: 10.16.239.205/32
Remote: 192.168.213.100/32, 192.168.203.24/32, 192.168.212.128/25

Second phase 2 selector:

Local: 10.16.239.206/32
Remote: 192.168.213.100/32, 192.168.203.24/32, 192.168.212.128/25

Let's wait for colleagues to confirm this.

akristof

Hi,

Again, it depends on what the remote end has configured. For example, take a look at this setup. FortiGate1:

[screenshot attachment: akristof_0-1655458558699.png]

FortiGate2:

[screenshot attachment: akristof_1-1655458582613.png]

Because FGT1 had /32 as local selectors and FGT2 had /24, the selectors on FGT2 got narrowed during negotiation. So it will show you that you have 2 phase2s on FGT2: the original one that you configured and a "new dynamic" one that is the result of selector narrowing. On FGT1 it still shows you only 1 phase2 because what is configured is in fact what was negotiated. To summarize, the fact that you see 2 phase2s doesn't mean that something is wrong.

Adrian
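The narrowing Adrian describes can be modelled outside the firewall. The following is an added illustration, not FortiGate code or anything posted in this thread: it intersects the initiator's traffic selectors with the responder's configured ones (IKEv2 narrowing, RFC 7296 section 2.9) and flags when the negotiated set differs from the configured one, which is exactly the case where the IPsec Monitor lists a second, dynamic phase 2. The FGT1/FGT2 addresses in the usage block are constructed; the 10.16.239.x and 192.168.x groups match the ones posted above, with a constructed /24 mismatch on the peer.

```python
from ipaddress import ip_network

# Added model of IKEv2 traffic-selector narrowing, not FortiGate code.
# A responder takes the overlap between what the initiator proposes and what
# it has configured itself; if that overlap is not identical to the configured
# selector, the monitor shows an extra "dynamic" phase 2 beside the original.

def narrow(proposed, configured):
    """Overlap of two CIDR selector lists as sorted strings. Only whole-subnet
    containment is modelled; CIDR blocks are either nested or disjoint."""
    out = set()
    for p in proposed:
        for c in configured:
            p_net, c_net = ip_network(p), ip_network(c)
            if p_net.subnet_of(c_net):
                out.add(str(p_net))      # proposal is narrower or equal
            elif c_net.subnet_of(p_net):
                out.add(str(c_net))      # our own selector is the narrower one
    return sorted(out)

def negotiate(init_local, init_remote, resp_local, resp_remote):
    """Responder's view: the initiator's remote TS is matched against the
    responder's local selectors, the initiator's local TS against its remote."""
    resp_side_local = narrow(init_remote, resp_local)
    resp_side_remote = narrow(init_local, resp_remote)
    return resp_side_local, resp_side_remote

def shows_extra_phase2(negotiated, configured):
    """True when the negotiated selector set is not what was configured."""
    return set(negotiated) != {str(ip_network(c)) for c in configured}

if __name__ == "__main__":
    # Constructed version of the FGT1 (/32 local) vs FGT2 (/24 remote) example.
    fgt1_local, fgt1_remote = ["10.0.0.5/32"], ["192.168.1.0/24"]
    fgt2_local, fgt2_remote = ["192.168.1.0/24"], ["10.0.0.0/24"]
    local, remote = negotiate(fgt1_local, fgt1_remote, fgt2_local, fgt2_remote)
    print("FGT2 negotiated local/remote:", local, remote)
    print("FGT2 shows extra phase2:", shows_extra_phase2(remote, fgt2_remote))  # True
    print("FGT1 shows extra phase2:", shows_extra_phase2(remote, fgt1_local))   # False
```

Running `diag vpn tunnel list` on both ends and comparing the negotiated selectors with the configured ones is the real-world equivalent of the last two lines.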