Hi!
I've added an address group under Remote Address for Phase 2 Selectors. Does this work or do I have to add the addresses separately?
Thank you.
How did you create a group in IPsec Phase2 setting GUI? I don't see any option to set a "group" there.
The traffic selectors are a pair of local<->remote. If you need to set multiple subnets on the remote side, you need to add a new set like 172.16.0.0/16<->192.168.0.0/16 and 172.16.0.0/16<->10.10.0.0/16.
Ok, through the wizard, you can put multiple subnets like my previous post on remote side separated by a comma ','. Then it would generate two pairs with the same local subnet.
It really depends
1: if it's FGT-to-FGT firewall and route-based, then a 0.0.0.0/0:0 is good enough
2: if it's FGT-to-SRX firewall and route-based, then a 0.0.0.0/0:0 is good enough
3: if it's a FGT-2- <insert almost anything else CHKP/SonicWall/ASA/ForcePT/pfSense> then unique src/dst-subnets or unique named-network-elements must be used in the phase2
YMMV, but the 1-3 rules are pretty much what it is
PCNSE
NSE
StrongSwan
Thank you for the answers. What I meant was that I added an address-group which contains more than one address into the Phase 2 Selectors Remote Address.
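The local<->remote pairing described in the replies above, as an added example that is not part of the original thread and is not Fortinet code. It is a generic model of IPsec traffic selectors (function names are hypothetical): it expands comma-separated subnet lists into one pair per combination, checks which pair covers a given flow, and flags pairs that are not unique.

```python
# Added example: a generic model of phase 2 traffic selectors, not FortiOS code.
import ipaddress
from itertools import product


def expand_selectors(local_csv, remote_csv):
    """Expand comma-separated subnet lists into one (local, remote) pair each."""
    def parse(csv):
        return [ipaddress.ip_network(s.strip()) for s in csv.split(",") if s.strip()]
    return list(product(parse(local_csv), parse(remote_csv)))


def matching_selector(selectors, src, dst):
    """Return the first pair covering the src->dst flow, or None if none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return (local, remote)
    return None


def overlapping_pairs(selectors):
    """Return selector pairs whose local AND remote ranges both overlap."""
    found = []
    for i, (l1, r1) in enumerate(selectors):
        for l2, r2 in selectors[i + 1:]:
            if l1.overlaps(l2) and r1.overlaps(r2):
                found.append(((l1, r1), (l2, r2)))
    return found


if __name__ == "__main__":
    # Subnets taken from the thread; the flows below are constructed samples.
    pairs = expand_selectors("172.16.0.0/16", "192.168.0.0/16, 10.10.0.0/16")
    for local, remote in pairs:
        print(f"selector {local} <-> {remote}")
    for src, dst in [("172.16.1.5", "10.10.3.4"), ("172.16.1.5", "10.20.0.1")]:
        hit = matching_selector(pairs, src, dst)
        print(f"{src} -> {dst}: {'covered by ' + str(hit) if hit else 'no selector'}")
    # A wildcard selector (the 0.0.0.0/0 case) covers every flow but overlaps
    # any specific pair configured next to it.
    wildcard = expand_selectors("0.0.0.0/0", "0.0.0.0/0")
    print("overlaps:", overlapping_pairs(wildcard + pairs))
```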
Copyright 2024 Fortinet, Inc. All Rights Reserved.