Hello,
I have set up a custom S2S VPN
At the Phase 2 Selectors I have configured "Named Address" objects with groups
The local group contains 2 IPs, and the remote contains a subnet and 2 IPs.
At the IPSEC Monitor though I see two phase 2 selectors.
Why is that?
Thanks and regards,
Konstantinos
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
It depends on multiple factors. Is it ikev2? Is it s2s between FortiGates? You can check "diag vpn tunnel list" and check the VPN to see what exactly was negotiated.
Hello,
Yes it is ikev2
It is not btw fortigate. It is custom
In that case, you might seeing selectors-narrowing. If you don't have exactly same selectors in groups, they might get narrowed, for example if you have /24 on one side and /26 on other. In that case you will see 2 phase2s, one original one created by you and other that was negotiated.
So the other side could have different local or remote subnets.
I will check the logs
Hi Team,
Could you please paste the screenshot of local and remote phase2 selectors in foritgate firewall.
We will keep you posted
audiocodesLocalGrp contains 2 private IPs
audiocodesSubnetsGrp contains 2 private IPs and a subnet
192.168.213.100/32
192.168.203.24/32
192.168.212.128/25
Thanks for sharing the selectors.
I believe firewall will narrow down phase 2 selectors in this way:
First phase 2 selector:
10.16.239.205/32
192.168.213.100/32
192.168.203.24/32
192.168.212.128/25
Second phase 2 selector:
10.16.239.206/32
192.168.213.100/32
192.168.203.24/32
192.168.212.128/25
Lets wait for colleagues to confirm this
Hi,
Again, it depends what has remote end configured. Because, for example, take a look at this example. FortiGate1:
FortiGate2:
Because FGT1 had /32 as local selectors and FGT2 had /24, during negotiation selectors on FGT2 got narrowed. So it will show you that you have 2 phase2s on FGT2 - original one, that you configured and "new dynamic" that is result of selectors narrowing. On FGT1 it still show you only 1 phase2 because what is configured, is in fact negotiated. To summarize this, the fact that you see 2 phase2s, doesn't mean that something is wrong.
It depends on multiple factors. Is it ikev2? Is it s2s between FortiGates? You can check "diag vpn tunnel list" and check the VPN to see what exactly was negotiated.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1667 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.