Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
create_share
New Contributor

Proper way to add multiple subnets in ipsec

Hi,

 

I have two LAN Subnets that I added as a group under named-address in the IPsec tunnel but I am not able to connect to the remote subnet from both the source subnets. I can only ping the LAN IP Address of the firewall but cannot reach any of the devices in the remote subnet. I tried adding the 2nd subnet in an additional phase two but the same. If I use a single subnet, it works fine. Do I have to create another tunnel for the same remote subnet?

 

Thanks.

9 REPLIES 9
GG-USMC
New Contributor

Is this a Fortigate to Fortigate IPsec VPN tunnel? If it is then both groups and separating the subnets into there own phase two selector should work? You will also have to create security policies in order for the traffic to be allowed through the firewall. 

 

create_share

Yes, the other side is a SonicWALL device.

kcheng

Hi @create_share 

 

From my experience working with IPSec VPN connection to Sonicwall, it would be required to configure multiple phase2 selectors due Sonicwall expects different SPI for each of the subnet. The relevant is also explained in the following document:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/666100/ipsec-vpn-between-a-f...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
kcheng
Staff
Staff

Hi @create_share 

 

You will need to confirm if the remote side has been configured with the same settings. Technically, if you are using FortiGate on both end, configuring the address group would be sufficient. However, if you are using firewall of other vendor, such as Cisco and Sonicwall, you will want to configure multiple phase2 on FortiGate:

\https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/666100/ipsec-vpn-between-a-f...

 

This is due to FortiGate uses the same SPI value to bring up the phase 2 negotiation for all of the subnets, while the Cisco ASA expects different SPI values for each of its configured subnets.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
sw2090
Honored Contributor

Usually adding an address group as named address in ipsec p2 should work. 

Probably execpt from Sonicwall as mentioned above. In this case you mighthave to have one p2 selector per subnet.

 

Also both sides have to have neccessary routing and policies.

Ipsec Tunnel will come up once there is at least one policy. But if there is no routes there will be no traffic through the tunnel.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
mle2802
Staff
Staff

Hi @create_share,

As for testing, you can use 0.0.0.0/0 on both side for P2, then restrict the subnet in policy. After that, try to ping remote computer and run debug flow on FortiGate:

diag debug reset
diag debug flow filter addr X.X.X.X (replace with destination IP)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

Regards,
Minh

hbac
Staff
Staff

Hi @create_share.,

 

From what I've seen, named address group doesn't work really well with third party like Cisco and SonicWall. I would suggest using separate phase2 for each subnet. 

 

Regards, 

roddy
New Contributor

Hi @create_share,

 

Please try to use the subnet instead of the name for the SA in Phase 2.

Make sure the local side and the remote side have the correct subnets. 

Verify the Phase 2 is also up in the IPsec monitor.

Afterwards, you will want to run the debugs already provided if issue continues. 

 

diag debug reset
diag debug flow filter addr X.X.X.X (replace with destination IP)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug en
diag debug flow trace start 5000

 

Best Wishes,

kvimaladevi
Staff
Staff

Hi create_share,

 

Please make sure you have a proper route configured for the remote subnets through the tunnel. If policies, routes and tunnel config is good and still facing issues, we will need to check the flow filter debug to check what is happening to the traffic.

 

Regards,

Vimala

Top Kudoed Authors