Hi,

HQ: Local subnet 0.0.0.0/0, Remote subnet 0.0.0.0/0
Branch: Local subnet 10.0.2.0/24, Remote subnet 10.0.3.0/24

Can I choose the above configuration for an IPsec site-to-site VPN? Does it work? What will happen if I choose local and remote subnet 0.0.0.0 in HQ?

Thanks
'0.0.0.0/0' is the notation for a wildcard address in FortiOS.
For a site-to-site tunnel I would always put in the explicit network(s) in the phase2 QM selectors. They are part of the negotiations. I would assume that the tunnel will not come up successfully, as you offer explicit networks from one side and wildcards from the HQ side.
Besides, you will have to know the networks in advance anyway, to establish the routing.
This would be different if both sides had the wildcard addresses.
In fact this will be used when building a dial-in tunnel, as you would not know the remote subnet addresses in advance.
Either is okay, but like Ede I place explicit local/remote (src/dst-subnets). I do this so I can get "statistics" per network, whereas a single 0.0.0.0/0 will not give you any details on whether a network over the VPN is or is not working if you have multiple.
Remember, in a route-based VPN the routing is what places traffic over the VPN interface.
Ken Felix
PCNSE
NSE
StrongSwan
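The two layouts discussed above, written out as an added FortiOS CLI example (this is not configuration posted by anyone in the thread). The tunnel name "HQ-to-Branch", the WAN interface "port1", the peer address 198.51.100.2, the proposal and the pre-shared key placeholder are all assumed for illustration; the subnets are the ones from the question.

```fortios
# Added example, not from the thread. Tunnel/interface names, peer IP and
# proposal are assumptions; subnets are the ones from the original question.

# (a) What the question describes for the HQ side: wildcard phase2 selectors.
#     0.0.0.0 0.0.0.0 is also the FortiOS default for src-subnet/dst-subnet,
#     which is why a dial-up (unknown remote subnet) tunnel is built this way.
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "port1"
        set ike-version 1
        set remote-gw 198.51.100.2
        set proposal aes256-sha256
        set psksecret "<pre-shared key>"
    next
end
config vpn ipsec phase2-interface
    edit "HQ-to-Branch-p2"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# (b) What Ede and Ken recommend for a site-to-site tunnel: explicit selectors
#     on HQ that mirror the branch (branch local 10.0.2.0/24 = HQ remote,
#     branch remote 10.0.3.0/24 = HQ local). One phase2 per network pair gives
#     per-network SA counters in "diagnose vpn tunnel list".
config vpn ipsec phase2-interface
    edit "HQ-to-Branch-p2"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set src-subnet 10.0.3.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

# (c) Either way this is a route-based VPN: the selector does not pull traffic
#     into the tunnel, the route to the branch network via the tunnel interface
#     does. Without it, wildcard or not, nothing is sent over the VPN.
config router static
    edit 0
        set dst 10.0.2.0 255.255.255.0
        set device "HQ-to-Branch"
    next
end
# Firewall policies between the LAN interface and "HQ-to-Branch" are still
# required in both directions; they are omitted here for brevity.

# Checks: the route must point at the tunnel interface, and the phase2
# entry shows the negotiated selectors plus per-selector packet counters.
# get router info routing-table static
# diagnose vpn tunnel list name HQ-to-Branch
```

The usage note for the check commands: in the `diagnose vpn tunnel list` output, each phase2 selector appears with its own src/dst and counters, so with layout (b) a branch network that has stopped passing traffic shows up as a selector whose counters no longer increase, which a single 0.0.0.0/0 entry as in layout (a) cannot tell you.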
Hi Ken,

emnoc wrote: Either is okay, but like Ede I place explicit local/remote (src/dst-subnets). I do this so I can get "statistics" per network, whereas a single 0.0.0.0/0 will not give you any details on whether a network over the VPN is or is not working if you have multiple.
Remember, in a route-based VPN the routing is what places traffic over the VPN interface.

Can you elaborate on the statement "Remember, in a route-based VPN the routing is what places traffic over the VPN interface"?
Thanks
ede_pfau wrote: '0.0.0.0/0' is the notation for a wildcard address in FortiOS.
For a site-to-site tunnel I would always put in the explicit network(s) in the phase2 QM selectors. They are part of the negotiations. I would assume that the tunnel will not come up successfully, as you offer explicit networks from one side and wildcards from the HQ side.
Besides, you will have to know the networks in advance anyway, to establish the routing.
This would be different if both sides had the wildcard addresses.
In fact this will be used when building a dial-in tunnel, as you would not know the remote subnet addresses in advance.
This is already implemented in a live environment, and the tunnel is also up.
Copyright 2024 Fortinet, Inc. All Rights Reserved.