Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Proper way to add multiple subnets in ipsec
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Proper way to add multiple subnets in ipsec
Hi,
I have two LAN Subnets that I added as a group under named-address in the IPsec tunnel but I am not able to connect to the remote subnet from both the source subnets. I can only ping the LAN IP Address of the firewall but cannot reach any of the devices in the remote subnet. I tried adding the 2nd subnet in an additional phase two but the same. If I use a single subnet, it works fine. Do I have to create another tunnel for the same remote subnet?
Thanks.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a Fortigate to Fortigate IPsec VPN tunnel? If it is then both groups and separating the subnets into there own phase two selector should work? You will also have to create security policies in order for the traffic to be allowed through the firewall.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the other side is a SonicWALL device.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From my experience working with IPSec VPN connection to Sonicwall, it would be required to configure multiple phase2 selectors due Sonicwall expects different SPI for each of the subnet. The relevant is also explained in the following document:
Cheers,
Kayzie Cheng
If you have found a solution, please like and accept it to make it easily accessible for others.
Kayzie Cheng
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to confirm if the remote side has been configured with the same settings. Technically, if you are using FortiGate on both end, configuring the address group would be sufficient. However, if you are using firewall of other vendor, such as Cisco and Sonicwall, you will want to configure multiple phase2 on FortiGate:
This is due to FortiGate uses the same SPI value to bring up the phase 2 negotiation for all of the subnets, while the Cisco ASA expects different SPI values for each of its configured subnets.
Cheers,
Kayzie Cheng
If you have found a solution, please like and accept it to make it easily accessible for others.
Kayzie Cheng
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Usually adding an address group as named address in ipsec p2 should work.
Probably execpt from Sonicwall as mentioned above. In this case you mighthave to have one p2 selector per subnet.
Also both sides have to have neccessary routing and policies.
Ipsec Tunnel will come up once there is at least one policy. But if there is no routes there will be no traffic through the tunnel.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @create_share,
As for testing, you can use 0.0.0.0/0 on both side for P2, then restrict the subnet in policy. After that, try to ping remote computer and run debug flow on FortiGate:
diag debug reset
diag debug flow filter addr X.X.X.X (replace with destination IP)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
Regards,
Minh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @create_share.,
From what I've seen, named address group doesn't work really well with third party like Cisco and SonicWall. I would suggest using separate phase2 for each subnet.
Regards,
Created on 11-09-2023 07:45 AM Edited on 11-09-2023 09:01 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @create_share,
Please try to use the subnet instead of the name for the SA in Phase 2.
Make sure the local side and the remote side have the correct subnets.
Verify the Phase 2 is also up in the IPsec monitor.
Afterwards, you will want to run the debugs already provided if issue continues.
diag debug reset
diag debug flow filter addr X.X.X.X (replace with destination IP)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug en
diag debug flow trace start 5000
Best Wishes,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi create_share,
Please make sure you have a proper route configured for the remote subnets through the tunnel. If policies, routes and tunnel config is good and still facing issues, we will need to check the flow filter debug to check what is happening to the traffic.
Regards,
Vimala
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,597 -
FortiClient
1,732 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
551 -
FortiSwitch
467 -
FortiAP
464 -
FortiClient EMS
420 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
234 -
Fortiweb
203 -
IPsec
200 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
50 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
Static route
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1679 | |
| 1085 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.