Hi,
I'm moving an IKEv1 config from ASA to FGT.
The crypto ACL (interesting traffic) has 3x "inside" source loopback IPs (object "NETWORK_3") and 1x "outside" public IP 46.3.2.1; I'd assume this is the public WAN IP of the remote device/FW.
access-list CMAP_ACL extended permit ip object-group NETWORK_3 host 46.3.2.1 <<< CRYPTO ACL/INTERESTING TRAFFIC
crypto map CMAP match address CMAP_ACL
crypto map CMAP set peer 46.3.2.1 <<<
crypto map CMAP set ikev1 transform-set TSET123
My questions are:
1. Do I configure in FMG the phase 2 tunnel quick mode selector local and remote subnets as 0.0.0.0/0, and then configure the 3x "inside" loopback IPs and 1x "outside" public IP in the VPN FW policy in/out rule?
2. Do I still need to configure a host route for 46.3.2.1 to hop via the virtual/phase 1 tunnel, and also its blackhole route?
I'm guessing you used "include" to search access-list in the config so didn't see the next line.
As described in Cisco's doc below:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios/218432-configure-a-site-to-site-ip...
the access-list statement would have the remote-network object specified "inside" of the access-list clause.
object-group network local-network
network-object 10.10.10.0 255.255.255.0
object-group network remote-network
network-object 10.20.10.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
I would get the other side of configuration from whoever owns/manages the other end to make sure.
I'm not sure about your 2nd question. There needs to be a route, regularly a default route, for the peer IP toward the outgoing interface. But otherwise, nothing else additionally needs to be configured for the peer IP routing-wise. It shows only in the phase1-interface config as the "remote-gw" IP in IKEv1 static IPsec.
Toshi
Hi Toshi,
Thanks for your feedback!
For question 1, I'm referring to this kind of setup. Refer to the link below, wherein Fortinet TAC recommends setting the phase 2 local and remote subnets to 0.0.0.0/0 and just configuring the "interesting traffic" or subnets in the VPN FW policy. Is this a "good standard" practice?
https://www.reddit.com/r/fortinet/comments/zmq6o0/fortigate_support_recommended_specifying_0000_in/
I'd also like to expand on question #2 regarding the "interesting" traffic or crypto ACL. The "remote-network" object is a public IP. It's a customer-owned device, so I assume (and it's most likely the case) that 46.3.2.1 is their device's WAN IP.
object-group network remote-network
network-object 46.3.2.1 255.255.255.255
The FGT has a static default route to the ISP. I only worry about the static routes I need to configure for IPsec/protected traffic, since peer IP 46.3.2.1 "needs" to route via the internet for IKE to be established.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0 <<< DEFAULT ROUTE TO INTERNET
        set gateway 12.3.4.5 <<< ISP GW
        set device "port1" <<< WAN
    next
    edit 2
        set dst 46.3.2.1 255.255.255.255 <<< IKE INTERESTING/PROTECTED TRAFFIC
        set device "tunnel-to-remote"
        set distance 10
    next
    edit 3
        set dst 46.3.2.1 255.255.255.255 <<< IKE INTERESTING/PROTECTED TRAFFIC
        set blackhole enable
        set distance 250
    next
end
As described in the Cisco doc, the "remote-network" is the remote location's LAN subnets, not the peer IP (public IP) to establish the tunnel with. You should get the remote side's phase 2 config from the customer, which we regularly do when we need to set up IPsec with a 3rd-party device. Everybody would understand the necessity.
Toshi
Or, since the tunnel is up now, what's in "show cry ipsec sa" at the ASA?
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/show-cr-to-...
Toshi
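For the two questions above, here is a FortiOS CLI sketch of how the ASA crypto map maps onto a FGT. It is an added example, not config from the thread or from Fortinet, and it follows Toshi's reading: the peer IP 46.3.2.1 goes only into "remote-gw" in phase 1, while the phase 2 selectors, the tunnel route and the blackhole route carry the customer's LAN behind that peer, which has to be confirmed with them. Assumed/constructed values: 10.0.0.1/32 for one of the NETWORK_3 loopbacks, 192.168.50.0/24 for the remote LAN, "loopback1" for the FGT loopback interface, NETWORK_3 and REMOTE_LAN as already-defined address objects, and the proposal/PSK as placeholders to be matched to TSET123.

```text
# Added example, not from this thread. Constructed: 10.0.0.1/32 stands for one
# of the three "inside" loopback IPs (NETWORK_3), 192.168.50.0/24 for the LAN
# behind 46.3.2.1 (confirm with the customer); proposal and PSK are placeholders.
config vpn ipsec phase1-interface
    edit "tunnel-to-remote"
        set interface "port1"
        set ike-version 1
        set remote-gw 46.3.2.1
        set proposal aes256-sha256
        set psksecret <PLACEHOLDER-PSK>
    next
end
config vpn ipsec phase2-interface
    # one entry per ASA ACL pair: three loopbacks = three phase2 entries
    edit "tunnel-to-remote-p2-1"
        set phase1name "tunnel-to-remote"
        set src-subnet 10.0.0.1 255.255.255.255
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end
config router static
    # default route: IKE/ESP to 46.3.2.1 must leave via port1, never the tunnel
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 12.3.4.5
        set device "port1"
    next
    # protected traffic: the remote LAN, not the peer IP, points at the tunnel
    edit 2
        set dst 192.168.50.0 255.255.255.0
        set device "tunnel-to-remote"
    next
    # blackhole: if the tunnel is down, drop LAN traffic instead of sending it in clear
    edit 3
        set dst 192.168.50.0 255.255.255.0
        set blackhole enable
        set distance 250
    next
end
config firewall policy
    edit 0
        set srcintf "loopback1"
        set dstintf "tunnel-to-remote"
        set srcaddr "NETWORK_3"
        set dstaddr "REMOTE_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Putting 46.3.2.1/32 itself into a tunnel route (as in the routes posted earlier) would send the IKE/ESP packets for the peer into the tunnel that depends on them, so the peer IP stays reachable only via the default route. The 0.0.0.0/0 selector approach from the Reddit thread only works if the ASA side is changed to match, which is why the remote phase 2 config is needed first.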