I'm trying to create a ipsec VPN tunnel on routing policy by using VTI between Fortigate and Stormshield. Network side Stormshield is 172.28.100.0/24 And Fortigate side is 172.19.0.0/16 and 172.20.0.0/16 SNS vti is 192.168.155.3 FG vti is 192.168.155.1 On Stormshield in phase 2, I put VTI ip address on local network (192.168.155.3) and remote network (192.168.155.1).
Tunnel is up when phase 2 selector n Fortigate side: proxyid=HQ-wan1 proto=0 sa=1 ref=3 serial=1 ads src: 0:192.168.155.1-192.168.155.1:0 dst: 0:192.168.155.3-192.168.155.3:0
Fortigate drop packet because "No matching IPsec selector, drop" I have implement BGP routing and it's work.
The tunnel selectors should be using 172.19.0.0/16 and 172.20.0.0/16 as source and, 172.28.100.0 should be the destination. But I see the proxyid with src 192.168.155.1 and dst 192.168.155.3 which needs to be corrected.
You can check what needs to be put on stormshield config, but as you mentioned no matching selectors seen on FortiGate using the vti addresses in selectors, the traffic originated should match either by using selectors 0.0.0.0 to 0.0.0.0/0 on phase 2 on Fortigate, or the one suggested earlier.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.