FortiOS 5.0.9 using an interface-based L2L tunnel with 3 phase 2s.
I am only able to bring up 2 phase 2s at a time; when I attempt to bring up the 3rd phase 2 (either in VPN monitor or with interesting traffic), the phase 2 listed below it in the list goes down.
All tunnels pass traffic properly when they are up, I just can't have all 3 up at the same time.
The 3 phase 2s have the same config except for the source network, which is a different /24 in each.
There is a route to the destination network pointing out the VPN sub-interface and 1 policy specifying the three source networks and the one destination network. Like I said, communication through each P2 works fine when the tunnel is up, I just can't get all 3 P2s to stay up at the same time. Has anyone seen this or have any advice?
Thanks,
Paul
Never heard of this. I have, on some FGTs, 8 or more phase2 tunnels with route-based VPN.
Qs?
Can you share the phase2 configs? Is the tunnel termination on another FGT?
Are you sure the remote device does not have any tunnel limitations?
Did you run any diag debug like ike & diag vpn tunnel list?
PCNSE
NSE
StrongSwan
Hi PaulM1114,
My guess is that you are not establishing a VPN between two FortiGates. If this is the case, what you will need to do is create separate P2s per source going to destination. For example:
Source Networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
Destination Network:
172.16.0.0/24
Needed phase twos:
P2-1
192.168.0.0/24 -> 172.16.0.0/24
P2-2
192.168.1.0/24 -> 172.16.0.0/24
P2-3
192.168.2.0/24 -> 172.16.0.0/24
Once you do this, you should not have the problem any further when you try to bring up the phase 2 on the FortiGate. Please note, you will need to make sure the other side of the VPN tunnel is configured exactly the same.
As the previous poster mentioned, please provide us configs if you confirm this is how you have things set up. This is a very common issue due to misconfiguration, so if that is not the case, something else has to be the culprit.
Please let us know if this change works. I hope this helps!
Hi
So you are having one P1 to the same remote destination with three P2s each with a different source.
I suspect that there is an overlap probably because of subnet mask which might be mistyped. Please verify the config and share with us.
Regards
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
FWIW
If this is the case, what you will need to do is create separate P2s per source going to destination.
Actually, if it's FGT-2-FGT & a route-based VPN, he could get away with a single proxy ID of 0.0.0.0/0:0 & just ensure the correct routes and policies are in place for the networks that would carry interesting traffic.
PCNSE
NSE
StrongSwan
@emnoc:
BIG "if"!
He still would need routes and policy objects for each subnet to make it work.
I personally always go the "multiple phase2" road because it's more RFC compliant, and self-documenting.
Could well be overlapping subnets, either given or accidentally by mistyping a subnet mask.
I personally list all unique src/dst subnets, but mainly to get statistics per SA from the diag vpn tunnel list cmd. If you use the wildcard any, you will not get src-2-dst subnet details for each network.
FWIW,
In Fortinet school's teachings, they teach the simplified 0.0.0.0/0:0 method when we are going FGT-2-FGT. It's one configuration that's mistake-free, and like posted before, you still need routes and the correct fw-policies.
With a VPN to anything other than a FortiGate appliance, your best bet is to use the individual src/dst and try to avoid the 0.0.0.0/0:0 approach. Word of advice from the past: if you ever should see yourself changing the VPN to FGT-2-<some other vendor>, it's best to avoid the 0.0.0.0/0:0 approach imho.
PCNSE
NSE
StrongSwan
There is also a new command from FortiOS 5.2.1:
config vpn ipsec phase1-interface
edit <tunnel>
set mesh-selector-type subnet
end
With this command you can have multiple subnets in source/destination in a single Phase2.
http://docs-legacy.fortinet.com/fos50hlp/52/index.html#page/FortiOS%205.2%20Help/ipsec.009.16.html
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Correct, but you will still need to define the phase2 src/dst subnets in the phase2 configuration & they need to match the VPN remote peer. I wonder if this setting is what dropped the P2 monitor reporting from the other threads on VPN phase2 details being missing ;)
PCNSE
NSE
StrongSwan
Yes, you still need to define them, but you can do so with an address object.
One of the biggest pains was the pairing of subnets.
If you had 10 subnets on each side, you would have to create almost 100 Phase2s if you needed "any-any" traffic.
Now you can group the objects into a group and the firewall will take care of the pairing of subnets, thank the Lord... I mean Fortinet ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
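The thread suggests two things worth checking mechanically: that the per-source phase 2 selectors do not overlap (a mistyped mask being the suspected cause of one SA displacing another), and how many src/dst pairs a non-FortiGate peer needs when selectors cannot be aggregated (10 subnets a side giving 100 phase 2s). The script below is an added example written for this page, not code from the thread or from Fortinet. It parses the selectors strictly so a mask that leaves host bits set is rejected, reports overlapping selectors on either side, expands the full src x dst mesh, and renders one `phase2-interface` stanza per pair. The subnets, the `p2-N` names and the `to-remote` phase1 name are constructed for illustration.

```python
"""Plan route-based FortiOS phase2 selectors and check them for overlaps.

Added example, not code from the original thread or from Fortinet.
Subnets, phase2 names and the phase1 name are constructed/assumed.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations, product

IPv4Network = ipaddress.IPv4Network

# Constructed sample data mirroring the thread: three local /24s, one remote /24.
LOCAL_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
REMOTE_SUBNETS = ["172.16.0.0/24"]
PHASE1_NAME = "to-remote"  # assumed phase1-interface name, not from the thread


def parse_subnets(cidrs: list[str]) -> list[IPv4Network]:
    """Parse CIDR strings strictly.

    A prefix with host bits set (e.g. 192.168.1.0/23, a mistyped mask) raises
    ValueError instead of being silently widened, because a widened selector
    would no longer match what the peer has configured.
    """
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def find_overlaps(nets: list[IPv4Network]) -> list[tuple[str, str]]:
    """Return every pair of selectors on the same side that overlap.

    Overlapping selectors are the thread's suspected reason one phase2 SA
    knocks another down.
    """
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def mesh_pairs(local: list[IPv4Network], remote: list[IPv4Network]):
    """All src/dst pairs a peer needs when selectors are not aggregated.

    N local and M remote subnets give N*M phase2s (10 and 10 -> 100).
    """
    return list(product(local, remote))


def render_phase2(name_prefix: str, phase1: str, pairs) -> str:
    """Emit FortiOS phase2-interface stanzas, one per src/dst pair."""
    lines = ["config vpn ipsec phase2-interface"]
    for i, (src, dst) in enumerate(pairs, 1):
        lines += [
            f'    edit "{name_prefix}-{i}"',
            f'        set phase1name "{phase1}"',
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def plan(local_cidrs: list[str], remote_cidrs: list[str], phase1: str = PHASE1_NAME):
    """Validate both selector lists, then return (pairs, rendered CLI)."""
    local = parse_subnets(local_cidrs)
    remote = parse_subnets(remote_cidrs)
    problems = find_overlaps(local) + find_overlaps(remote)
    if problems:
        raise ValueError(f"overlapping selectors: {problems}")
    pairs = mesh_pairs(local, remote)
    return pairs, render_phase2("p2", phase1, pairs)


if __name__ == "__main__":
    pairs, cli = plan(LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(f"{len(pairs)} phase2 selector(s) needed")
    print(cli)
```

Both ends must agree on the selectors, so run the same lists against the peer's configuration before committing; with FGT-2-FGT and `mesh-selector-type subnet` the expansion is done by the firewall, but the overlap check is still worth doing on the address objects you group.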
Copyright 2024 Fortinet, Inc. All Rights Reserved.