Hi Firewall Gurus,
I'm looking for best practice for the phase 2 selector subnets in the general case. I understand that in some cases it requires using 0.0.0.0/0. I'm talking about a decently segmented internal network that connects to the outside. Is it better to have a broader subnet range or to be as specific as possible? For example, if I have a /16 subnet but I only need to allow one or two /32 IP addresses from the other side of the VPN tunnel, do I create two /32 selectors or one /16? Thank you.
You always need to think about the selectors as a pair, like 0.0.0.0/0<->192.168.1.0/24 in case their internet needs to go through the other end. It's completely up to you whether you want to create two pairs like x.x.x.x/32<->192.168.1.0/24 and y.y.y.y/32<->192.168.1.0/24, or aggregate those two IPs into a supernet and make only one selector set. But a /16 sounds too wide open compared to 2 x /32s.
You can always limit access with policies that control which IPs are reachable or not, so I wouldn't make them too strict, at least.
In case a routing protocol needs to advertise routes, you have to use 0.0.0.0/0<->0.0.0.0/0, which is the default selector.
Toshi
Here's my two cents about this...
The only time you'd want to specify the P2 selectors is when using policy-based IPsec VPN on one side or both. For route-based IPsec VPN on both sides leave them at 0.0.0.0/0. Using P2 selectors on route-based IPsec VPN doesn't add anything other than complexity.
If you do have policy-based IPsec VPN on one or both sides, you'd want to consider how you want the routing to be. If you route a big subnet into the tunnel, that can potentially create issues further down the line, so you'd want to keep it as small as possible, but also with as few P2s as possible. If you have two /32s in the same /24, and routing that into the tunnel won't create any issues, sure, do that. But if you have two /32s far apart (requiring a /22, /19, etc.) it would probably be better to have two individual P2s. Both sides need to agree on what the selectors should look like, so there isn't really a "best practice" that always applies. Sometimes you end up with a bunch of P2s, other times you can get by with one.
Hope my answer helped!
Thank you for the info. The more selectors we have, the more negotiation we need, e.g. multiple SAs. Is that true? Phase 2 selectors need to be negotiated one by one. If we have one broader range and, like you said, use policy to restrict each access, wouldn't that be better?
Created on 12-13-2022 04:16 PM Edited on 12-13-2022 04:16 PM
Basically independent. Each needs matching traffic, otherwise they don't come up. It depends on the definition of "better": more restricted/secure, or faster/more flexible. The answer would be different depending on who you ask.
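To make the "independent, and only brought up by matching traffic" point visible, here is an added example (not code from the thread or from Fortinet) that models each selector pair as its own SA and pushes a handful of constructed flows through two selector lists: two specific pairs versus the default 0.0.0.0/0<->0.0.0.0/0 pair. The addresses, the flows and the first-match rule are my assumptions for illustration, not FortiOS internals.

```python
"""Added example (not from the thread): selector pairs as independent SAs.

Constructed for illustration: addresses, flows and the first-match rule are
my assumptions, not the behaviour of any specific FortiOS release."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SelectorPair:
    """One phase 2 selector pair local<->remote; one IPsec SA once negotiated."""
    name: str
    local: str
    remote: str
    up: bool = False  # SA state; flips only when a flow matches

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))


def run_flows(pairs, flows):
    """Send (src, dst) flows through the selector list (first match wins).

    Returns (names of SAs that came up, flows that matched no selector).
    A flow that matches nothing is not tunneled; a selector that nothing
    hits never negotiates an SA, which is what "independent" means here."""
    unmatched = []
    for src, dst in flows:
        for p in pairs:
            if p.matches(src, dst):
                p.up = True
                break
        else:
            unmatched.append((src, dst))
    return [p.name for p in pairs if p.up], unmatched


def make_specific():
    """Two narrow pairs, each toward one remote /32 (assumed addresses)."""
    return [SelectorPair("p2-a", "192.168.1.0/24", "10.20.30.5/32"),
            SelectorPair("p2-b", "192.168.1.0/24", "10.22.1.7/32")]


def make_default():
    """The default selector: one SA carries everything the routing sends in."""
    return [SelectorPair("p2-any", "0.0.0.0/0", "0.0.0.0/0")]


# Constructed sample traffic: two flows to host A, one to an unlisted host.
FLOWS = [("192.168.1.10", "10.20.30.5"),
         ("192.168.1.11", "10.20.30.5"),
         ("192.168.1.12", "10.22.1.99")]

if __name__ == "__main__":
    for label, pairs in (("specific", make_specific()), ("default", make_default())):
        up, dropped = run_flows(pairs, FLOWS)
        print(f"{label}: SAs up {up}, flows outside all selectors {dropped}")
```

With the specific pairs only p2-a comes up, p2-b stays down because nothing matched it, and the flow to 10.22.1.99 is outside every selector. With the default pair a single SA carries all three flows, so reachability has to be enforced by firewall policy rather than by the selectors.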