HI,
Just a quick question..
When will you use phase 2 selectors like 0.0.0.0 -> 0.0.0.0 and when wil you specify the local and remote subnet?
Is there a rule for that? Which one is preffered while building en IPSec?
Or is 0.0.0.0 0.0.0.0 used only while building IPSec between Fortigates?
Just crossing my mind...
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It really matters when you use it, but both side needs to be configured the same.
thoughts
1> when you use 0.0.0/0:0 ( aka quad 0s ) you loose the ability to get per src/dst SA flows details
2> many host of firewall support quad 0s, fortigate, juniper, chkp, strongswan, forcepoint, etc.......
3> why you might do quad0s over specific src/dst subnet-pair, Is due to the remote-side only supports quad0s ( ie like a cloud-provider ) or if you want to run a dynamic-routing protocol and will send various different networks across the tunnel
4> if you only want one ipsec-SA for monitoring purposes vrs trying to monitor up/down over X amount if vpn-tunnels
5> or if you want simpler configuration overall
Ken Felix
PCNSE
NSE
StrongSwan
Ok thanks for the reply... So even if I choose for the simpler configuration and use quad 0s on my Fortigate the other side must also support it and use it inside their P2.. Am I correct?
Yes, as Ken stated at the beginning. Both sides need to have the same selector sets. 0/0<->0/0 is not an exception.
For example Checkpoints do NOT support 0.0.0.0 selectors by default (i.e in 99% of deployments), only via VTI interfaces .
I, personally, unless explicitly required (e.g. VPN with AWS/Azure you have to use it or when using dynamic routing between peers), prefer specific selectors - just removes another weak link in the possible chain of failures.
If you are sure you will be setting up VPN between Fortigates only for ever after, then no problem - between Fortigates it works just fine.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.