polarpanda
New Contributor II

IPsec VPN Phase 2 Selector Subnets Best Practice

Hi Firewall Gurus,

I'm looking for best practice for the phase 2 selector subnets in the general case. I understand that in some cases it is required to use 0.0.0.0/0. I'm talking about a reasonably segmented internal network that connects to the outside. Is it better to have a broader range of subnets or to be as specific as possible? For example, if I have a /16 subnet but only need to allow one or two /32 IP addresses from the other side of the VPN tunnel, do I create two /32 selectors or one /16? Thank you.

Toshi_Esumi
SuperUser

You always need to think about the selectors as a pair, like 0.0.0.0/0<->192.168.1.0/24 in case their internet needs to go through the other end. It's completely up to you whether you want to create two pairs like x.x.x.x/32<->192.168.1.0/24 and y.y.y.y/32<->192.168.1.0/24, or aggregate those two IPs into a supernet and make only one selector set. But a /16 sounds too wide open compared to 2 x /32s.

You can always limit access with policies, controlling which IPs are reachable or not, so I at least wouldn't make it too strict.

In case a routing protocol needs to advertise routes, you have to use 0.0.0.0/0<->0.0.0.0/0, which is the default selector.

Toshi

polarpanda

Thank you for the info. The more selectors we have, the more negotiation we need, e.g. multiple SAs. Is that true? Phase 2 selectors need to be negotiated one by one. If we have one broader range and, like you said, use policy to restrict each access, wouldn't that be better?

Toshi_Esumi

Basically independent. Each needs to have matching traffic, otherwise it doesn't come up. It depends on the definition of "better": more restricted/secure, or faster/more flexible. The answer would be different depending on who you ask.

FredPaul
New Contributor III

Here's my two cents about this...

The only time you'd want to specify the P2 selectors is when using policy-based IPsec VPN on one side or both. For route-based IPsec VPN on both sides leave them at 0.0.0.0/0. Using P2 selectors on route-based IPsec VPN doesn't add anything other than complexity.

If you do have policy-based IPsec VPN on one or both sides, you'd want to consider how you want the routing to be. Routing a big subnet into the tunnel can potentially create issues further down the line, so you'd want to keep it as small as possible, but also with as few P2s as possible. If you have two /32s in the same /24, and routing that into the tunnel won't create any issues, sure, do that. But if you have two /32s far apart (requiring a /22, /19, etc.) it would probably be better to have two individual P2s. Both sides need to agree on what the selectors should look like, so there isn't really a "best practice" that always applies. Sometimes you end up with a bunch of P2s, other times you can get by with one.

Hope my answer helped!

-Fredrik
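As an added example (not from the thread or from Fortinet), the following Python models the two points made above: selectors are local<->remote pairs, each negotiating its own phase 2 SA and matching only the flows it covers, and aggregating distant /32s into one supernet admits far more addresses than the hosts that actually need the tunnel. All addresses are constructed sample values.

```python
# Added example, not from the forum thread: models phase 2 selectors as
# local<->remote pairs (one child SA each) and quantifies the exposure of
# one aggregated supernet versus per-host /32 selectors. All addresses are
# constructed sample values.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """One phase 2 selector pair. Each pair is negotiated as its own SA and
    only comes up once traffic matching both halves is seen."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.local and ip_address(dst) in self.remote


def make_selector(local_cidr: str, remote_cidr: str) -> Selector:
    return Selector(ip_network(local_cidr), ip_network(remote_cidr))


def select_sa(selectors, src: str, dst: str):
    """First selector pair covering the flow, or None (no SA, traffic dropped)."""
    return next((s for s in selectors if s.matches(src, dst)), None)


def covering_supernet(hosts) -> IPv4Network:
    """Smallest single prefix that contains every host (the aggregate option)."""
    nets = [ip_network(h) for h in hosts]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def exposure(hosts):
    """Return (aggregate prefix, addresses admitted beyond the hosts needed)."""
    net = covering_supernet(hosts)
    return str(net), net.num_addresses - len({ip_network(h) for h in hosts})


# Local LAN 192.168.1.0/24; only two remote hosts must be reachable, so two
# /32 pairs instead of one wide remote subnet.
SELECTORS = [make_selector("192.168.1.0/24", "10.20.30.40/32"),
             make_selector("192.168.1.0/24", "10.20.30.45/32")]

if __name__ == "__main__":
    print(select_sa(SELECTORS, "192.168.1.10", "10.20.30.45").remote)  # 10.20.30.45/32
    print(select_sa(SELECTORS, "192.168.1.10", "10.20.30.41"))         # None
    print(exposure(["10.20.30.40", "10.20.30.45"]))  # ('10.20.30.40/29', 6)
    print(exposure(["10.20.30.40", "10.23.5.7"]))    # ('10.20.0.0/14', 262142)
```

Two hosts in the same /24 aggregate into a /29 that admits only six extra addresses, while two hosts a few /16s apart need a /14 and expose over a quarter of a million addresses, which is the case Fredrik says is better served by two individual P2s.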