MULTIPLE PHASE 2 BETWEEN FORTIGATE AND VELOCLOUD GATEWAY
Hi guys! I have a problem with an IPsec VPN between my FortiGate appliance and the VeloCloud gateway that is managed by my service provider. The problem is that multiple phase 2s are generated until reaching the point of having more than 500. They are generated automatically; I only have 10 declared.
Has anyone had this same problem, and how did they solve it?
We have experienced a similar issue - not with VeloCloud, but with a Sophos XG on the other end. Although only two Phase2 Selectors are configured for this particular VPN tunnel, after a while we have seen 16 Phase2 Selectors in the VPN tunnel table. The most interesting part is that the additional Phase2 Selectors show a Proxy-ID with an IP from the local subnet. Every additional Phase2 Selector has a unique Proxy-ID IP. No idea where this comes from...
Any chance you're using IKEv2? IKEv2 natively allows selector narrowing (negotiating a phase2 as a sub-set of the configured range). This could even lead to individual host-to-host selectors/phase2s, so if you're using IKEv2, this will heavily depend on what the two sides are negotiating.
Thank you for that hint. IKEv2 is in use indeed. As the other end is externally managed, I have only limited options to check what both sides are doing. However - a solid foundation for talking to the other end ;) - Again - Thank you
I would expect ike -1 debug to give some ideas as to how these selectors came to be. If the issue is reproducible, you can take the tunnel down, enable the debugs, then bring it up and gather the logs. If you're not comfortable with parsing the outputs (it's not always pleasant :) ), you could open a TAC case to get help with understanding the logs, which will hopefully explain how the multiple phase2 SAs come to be.
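A way to check the narrowing explanation from the replies above: compare the selectors the firewall actually negotiated with the ones configured, and flag any that are strict subsets (a peer narrowing a /24 to /32 host pairs is exactly what produces the runaway phase2 count). This is an added example, not code from the thread or from Fortinet; the sample text is constructed and only loosely modelled on `diagnose vpn tunnel list` output, and the tunnel name, addresses and configured selectors are assumptions.

```python
import ipaddress
import re

# Constructed sample (hypothetical names/addresses); the real FortiOS
# `diagnose vpn tunnel list` layout may differ, so adjust SEL_RE for it.
SAMPLE = """\
name=ToProvider ver=2 serial=1 10.0.0.1:0->203.0.113.5:0
proxyid=ToProvider proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0/255.255.255.0:0
  dst: 0:172.16.0.0/255.255.0.0:0
proxyid=ToProvider proto=0 sa=1 ref=2 serial=2
  src: 0:192.168.10.25/255.255.255.255:0
  dst: 0:172.16.4.9/255.255.255.255:0
proxyid=ToProvider proto=0 sa=1 ref=2 serial=3
  src: 0:192.168.10.77/255.255.255.255:0
  dst: 0:172.16.4.9/255.255.255.255:0
"""

# Phase 2 selectors configured locally per tunnel (assumed for this example).
CONFIGURED = {"ToProvider": [("192.168.10.0/24", "172.16.0.0/16")]}

# "  src: 0:192.168.10.0/255.255.255.0:0" -> kind, address, netmask
SEL_RE = re.compile(r"^\s*(src|dst): \d+:(\S+?)/(\S+?):\d+$")

def parse_selectors(text):
    """Return {proxyid: [(src_net, dst_net), ...]} from tunnel list output."""
    result, current, pending = {}, None, {}
    for line in text.splitlines():
        if line.startswith("proxyid="):
            current = line.split()[0].split("=", 1)[1]  # new phase2 entry
            pending = {}
            continue
        m = SEL_RE.match(line)
        if m and current:
            pending[m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
            if "src" in pending and "dst" in pending:
                result.setdefault(current, []).append((pending["src"], pending["dst"]))
                pending = {}
    return result

def narrowed_selectors(parsed, configured):
    """Negotiated selectors that sit strictly inside a configured pair."""
    out = []
    for name, pairs in parsed.items():
        conf = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                for s, d in configured.get(name, [])]
        for src, dst in pairs:
            exact = any(src == cs and dst == cd for cs, cd in conf)
            inside = any(src.subnet_of(cs) and dst.subnet_of(cd) for cs, cd in conf)
            if inside and not exact:  # peer narrowed what we offered
                out.append((name, str(src), str(dst)))
    return out
```

Running it on live output periodically (and alerting when the narrowed count grows) gives you the evidence to bring to the provider or to TAC without wading through the full ike debug.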