Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Adding more subnets to existing tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding more subnets to existing tunnel
Hi
I have some issues when i add subnets to an existing vpn tunnel.
For example i have in phase2 address groups with only one source
and one destionation subnet.
Tunnel is up and running with these and the i add on both side another subnet.
I can see in VPN/Monitor that the new subnet is not in the source or destionation on the other side only the original subnet.
I can take down the tunnel and the bring it up but is does not help.
I have tried cli commands:
diagnose vpn tunnel flush/reset/dumpsa etc nothing clears out the old config.
Only way to be 100% sure is to remove old and paste it back into cli with
the new subnet, or reboot the fortigate.
I have this issue on multiple versions, FortiOS 4 branch, 5 branch...
Does anyone else have this issue and does someone know a better way to resolve it ?
Example of running tunnel with this issue
name=MGMT ver=1 serial=42 111.222.222.222:0->222.111.111.111:0 lgwy=dyn tun=intf mode=auto bound_if=16
proxyid_num=1 child_num=0 refcnt=5 ilast=90 olast=90
stat: rxp=52851 txp=61272 rxb=24854888 txb=5249462
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=80939
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MGMT-2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 0:10.10.10.0/255.255.255.192:0
dst: 0:10.2.0.0/255.255.255.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1740 replaywin=1024 seqno=1
life: type=01 bytes=0/0 timeout=1747/1800
dec: spi=fd2887b0 esp=3des key=24 41f8e32f3502ce3619c8e858f6d2cf64dca029d30498a68b
ah=sha1 key=20 5dcb309a77a4f040c52dc99de21a4de61ef84857
enc: spi=f464468b esp=3des key=24 c9848deada3c3620d3c4e8f89bf690906b250e4feafa2ac5
ah=sha1 key=20 b8e2c4ed2e035315a0071150ff39684bd2f83edc
config phase 2
edit " MGMT-2"
set dst-addr-type name
set phase1name " MGMT"
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-name " mgmt-destinations"
set src-name " mgmt-network"
next
firewall group
edit " mgmt-destinations"
set member " 10.2.0.0/24" " 10.3.1.0/25"
next
Tunnel is interface based but it does not matter which mode i use.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
the only thing I can say is following:
- As you define destination within Phase2 I' m thinking you are using Quick Mode which is actually not needed this means if I do VPN I do it in the classic way for interface mode never using Quick Mode (only for interobability device):
- Create Phase1/2 nothing special not using Quick Mode in Phase2. Using keep alive etc. if you like that tunnel is always up and running
- After creating Phas1/2 route subnet from other site static within Routing (use Phase1 Interface in routing)
- After that create normal Address Policy with destination and/or source Phase1 interface.
That' s it....you can route as many subent as you want (do not forgett to use always a static route to the corresponding phase1 interface). Wihtin the policy you can add as many subent as you want no poblem.
Follow always the rule:
That what is in the rule as destination to the other site has to be routet within static route to the corresponding phas1 interface.
If you have mesh topology do exact the same...it is a little bit complecater to not loose overview but actually exact the same.
If you follow this you can do whatever you want. Keep in mind that you don' t have somewhere overlapping subnets (overlapping enc domains). If so do the same and use Central Nat table to translate as VIP for incoming requests. Keep also in mind first NAT and after Route and not Route for NAT.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andrea
Thanks for your reply, so you mean is should use 0.0.0.0/0 in source and destination
in the quick mode selector ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that will only work if the default gateway of the Firewall in the IPsec tunnel as well, otherwise you will have dual default gateway which will mess up your internet connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I object to using wildcard QM selectors (' 0.0.0.0/0' ).
The QM selector determines which traffic is allowed to start a tunnel negotiation, and which traffic to transfer through it. With wildcards any traffic will bring the tunnel up so you lose a bit of control here.
Besides, seeing the subnets in phase2 documents which traffic you intend to send over the tunnel. This is easily matched with the static route(s) necessary.
Remember that you need these routes on both sides of the tunnel.
AFAIK wildcard QM selectors only work for FGT-to-FGT tunnels. As soon as you have to link to a Cisco or Juniper gateway you need to specify exact subnets.
BTW, Cisco doesn' t understand address groups in QM - use one numeric subnet per phase2, use multiple phase2' s for multiple subnets behind the tunnel.
That' s what I would try in your case as well - get rid of the address group and create multiple phase2' s. This doesn' t determine why your setup didn' t run but most probably fixes the issue.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that is a good suggestion and would probably work well.
I have seen this issue on vpn tunnels with FGT in one end and Cisco ASA in the other end, that time i had three subnets and the Cisco used only two no matter
what, and it was random so it may be something that ipsec vpn is not designed to do.
Labels
-
FortiGate
9,345 -
FortiClient
1,895 -
5.2
801 -
FortiManager
793 -
5.4
639 -
FortiAnalyzer
606 -
FortiSwitch
510 -
FortiAP
503 -
FortiClient EMS
470 -
6.0
416 -
5.6
362 -
FortiMail
338 -
SSL-VPN
295 -
IPsec
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
224 -
FortiNAC
220 -
5.0
196 -
FortiGuard
149 -
SD-WAN
139 -
6.4
128 -
FortiAuthenticator
128 -
FortiGateCloud
104 -
Firewall policy
104 -
FortiSIEM
102 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
81 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
FortiEDR
61 -
Fortivoice
60 -
FortiADC
57 -
Routing
56 -
ZTNA
56 -
VLAN
55 -
DNS
54 -
BGP
49 -
RADIUS
48 -
LDAP
48 -
FortiSandbox
47 -
SAML
47 -
Authentication
47 -
FortiExtender
46 -
NAT
45 -
Certificate
44 -
SSO
43 -
FortiGate-VM
42 -
FortiDNS
42 -
FortiGate v5.4
35 -
VDOM
35 -
FortiSwitch v6.4
34 -
FortiLink
34 -
Interface
33 -
Application control
33 -
FortiConnect
32 -
Logging
30 -
FortiWAN
28 -
Virtual IP
28 -
Web profile
27 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
25 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Static route
21 -
FortiSwitch v6.2
20 -
Traffic shaping
20 -
Automation
20 -
SSID
19 -
snmp
18 -
FortiMonitor
18 -
OSPF
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
Admin
14 -
Security profile
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
API
13 -
FortiManager v5.0
12 -
IPS signature
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
FortiAP profile
11 -
FortiBridge
10 -
Explicit proxy
10 -
Traffic shaping policy
10 -
Port policy
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
Web rating
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
trunk
8 -
Users
8 -
Antivirus profile
8 -
Traffic shaping profile
8 -
Fabric connector
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP profile
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DoS policy
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2035 | |
| 1164 | |
| 770 | |
| 448 | |
| 327 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.