Problem adding a phase 2 Selector
Hey guys,
I have an up and running site-to-site VPN between two FortiGates.
This is the IP config:
Location 1: 10.1.20.0/24 -> 10.2.20.0/24
Location 2: 10.2.10.0/24 -> 10.1.20.0/24
This seems to be working well we can ping clients on both locations.
Now we want to add our server networks. I added a phase 2 selector like this:
Location 1: 10.1.10.0/24 -> 10.2.10.0/24
Location 2: 10.2.10.0/24 -> 10.1.10.0/24
I have added the static routes and firewall policies on both FGs, but we cannot ping any server at either location.
Are we forgetting something? I checked the manual about VPN but I cannot for the life of me find what could be wrong.
Any VPN guru that can point me in the direction that I have to look into?
Thx in advance!
Hi Geoffrey,
Maybe there is something wrong with the selectors; why don't you try just configuring 0.0.0.0/0.0.0.0 as the phase 2 selectors on both FortiGates.
Moby
Are the SAs related to the second phase2 up?
Hi all,
Thanks for the answers :)
I tried putting in 0.0.0.0/0.0.0.0 on both FGs and then everything works, but is this the right way to go?
@Alby23: How can I check if the SAs on the second phase 2 are up? Is this under Monitor -> IPsec Monitor?
Thanks!
Geoffrey,
It works but is considered a lazy and insecure way of doing things. Reason being, now any traffic can flow over that tunnel whereas with specific Phase2's it limits it to the interesting traffic mentioned there.
Mike Pruett
I managed to make it somewhat work :p
Now I can ping from the HQ clients to the Branch clients (10.1.20.0 -> 10.2.20.0).
I can also ping from the HQ servers to the Branch servers (10.1.10.0 -> 10.2.10.0).
But I can't seem to access the Branch clients from the HQ servers, or the HQ servers from the Branch clients. I suspect this has something to do with routing?
It sounds more like a policy issue. If you are able to PING then the devices involved know how to reach the remote subnet.
Mike Pruett
Check routing table on both sides if they have routes toward the tunnel for the subnets on the opposite side. We use 0/0<->0/0 for phase2 as long as it's main mode and restrict subnets by policies. If routes are there the policies must be restricting.
If he can ping, the traffic knows where to go. Validation that proper policy is in place (with UTM that isn't killing the traffic you want) needs to be the next step IMO.
Mike Pruett
I just wanted to make sure it's 100% not a routing issue, which isn't so difficult to confirm: "get router info routing-t all" in the CLI. You're most likely correct about the cause.
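To make the two gates discussed in this thread concrete, here is an added Python model (not code from any of the posters or from FortiOS) of a flow crossing the tunnel seen from Location 1: the firewall policy must accept it first, and a phase 2 selector must then cover it. The selector pairs and subnets are the ones given in the thread; the policy sets and the evaluation order are constructed assumptions for the model, and the 10.1.0.0/16 and 10.2.0.0/16 aggregates are hypothetical.

```python
import ipaddress
from itertools import product

# Selector pairs from the thread, seen from Location 1 (HQ): local subnet -> remote subnet.
SPECIFIC_SELECTORS = [
    ("10.1.20.0/24", "10.2.20.0/24"),  # client networks
    ("10.1.10.0/24", "10.2.10.0/24"),  # server networks
]
ANY_SELECTOR = [("0.0.0.0/0", "0.0.0.0/0")]  # the "everything works" setting

# Constructed policy sets for the tunnel interface: (srcaddr, dstaddr) pairs accepted.
NARROW_POLICIES = list(SPECIFIC_SELECTORS)        # only the two selector pairs
WIDE_POLICIES = [("10.1.0.0/16", "10.2.0.0/16")]  # hypothetical: any HQ net to any branch net


def _covers(pair, src, dst):
    s, d = pair
    return src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)


def matching_selector(src_ip, dst_ip, selectors):
    """First phase 2 selector pair whose subnets cover the flow, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((p for p in selectors if _covers(p, src, dst)), None)


def policy_accepts(src_ip, dst_ip, policies):
    """True if any policy pair covers the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(_covers(p, src, dst) for p in policies)


def tunnel_permits(src_ip, dst_ip, selectors, policies):
    """Assumed order: policy lookup first, then the selector that gives the flow an SA.
    Returns 'ok', 'no-policy' or 'no-selector' so the failing stage is visible."""
    if not policy_accepts(src_ip, dst_ip, policies):
        return "no-policy"
    if matching_selector(src_ip, dst_ip, selectors) is None:
        return "no-selector"
    return "ok"


def full_mesh_selectors(local_subnets, remote_subnets):
    """Selector pairs needed so every local subnet can reach every remote subnet."""
    return list(product(local_subnets, remote_subnets))


if __name__ == "__main__":
    for flow in [("10.1.20.5", "10.2.20.5"), ("10.1.10.5", "10.2.20.5")]:
        print(flow, tunnel_permits(*flow, SPECIFIC_SELECTORS, WIDE_POLICIES))
```

With the two specific selectors, an HQ server to branch client flow fails at the selector stage even when a policy accepts it; with 0/0 selectors it passes, so the policies become the only thing restricting the tunnel.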
