Support Forum
FortiOSman
New Contributor III

Wildcard network for IPSEC phase2 selectors

Hello,

Is anyone running 0.0.0.0/0.0.0.0 as the source and destination for a P2 selector?

I have a growing list of about 30 P2s that would be much easier to manage if it were just the one wildcard entry. I would still be controlling the traffic on my policies.

Any pros/cons to doing it this way? The unit on the other side of the tunnel is a FortiGate as well.

Thanks

1 Solution
emnoc
Esteemed Contributor III

Yes and no.

PRO

  • Simple, foolproof
  • One-time configuration (still requires routes and fw policies)
  • Ease of management (configure it once and forget about it)

CON

  • Statistics will not show you if one local/remote subnet traffic selector has problems
  • Not compatible with certain firewall or VirtDC VPNs (Juniper and PAN-OS support it, but Cisco ASA and most Linux or BSD solutions don't)
  • Probably not beneficial in hub-to-spoke setups & at the spokes
  • No means to set IPsec SA key life for specific local/remote subnets if you want or need fewer or more key life renewals
  • If you are a fan of Fortinet and drink the Kool-Aid, they recommend specific src/dst nets in the BCP in a "dialup" VPN
  • Any traffic can bring up a tunnel regardless of whether it is correct or a mistake (no control on what can bring an IPsec SA tunnel up)
  • If you monitor or like to monitor SPIs for specific unique traffic pairs, you can lose that visibility with quad 0s

YMMV

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

And to add one more critical and easily overlooked point:

If you use quad zeros and no PFS, then any key material from the IKE and IPsec SAs can compromise ALL traffic carried by just the single IPsec SA. At least with multiple IPsec SAs (aka phase2-interfaces) you have some better means for protection, since a hijacker would need to hack each IPsec SA independently.

FWIW: we should always use PFS when supported by both VPN peers, IMHO.

PCNSE NSE StrongSwan
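As an added FortiGate CLI example (not emnoc's or Fortinet's own text): a per-pair phase2-interface beside the single quad-zero phase2-interface the first reply weighs, first in the weak form without PFS that the second reply warns about, then with PFS and a strong DH group. The phase1 name "hq-to-branch", the subnets, and DH group 14 are assumptions; lines starting with "#" are annotations, not CLI.

```text
# Assumed: phase1-interface "hq-to-branch" already exists on both FortiGates.
# Lines starting with "#" are annotations, not FortiOS CLI.

# (a) One phase 2 per subnet pair: 30 of these for 30 pairs, each with its own
#     SA, its own SPI pair to monitor, and its own key life.
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2-finance"
        set phase1name "hq-to-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.1.10.0 255.255.255.0
        set dst-subnet 10.2.10.0 255.255.255.0
    next
end

# (b) Single wildcard phase 2, weak form: one SA carries every pair and PFS is
#     off, so the IKE/IPsec key material for that one SA covers all traffic.
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2-any"
        set phase1name "hq-to-branch"
        set proposal aes256-sha256
        set pfs disable                  # weak setting, avoid
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# (c) Same wildcard phase 2 with PFS, as the second reply recommends. Note the
#     key life now applies to every pair at once, which is the first reply's
#     "no per-subnet key life" point.
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2-any"
        set phase1name "hq-to-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

With (c), which subnet pairs may actually cross the tunnel is decided only by the firewall policies on the tunnel interface, as the original poster already intends; the same `pfs`/`dhgrp` values must be configured on the peer FortiGate or phase 2 will not negotiate.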
FortiOSman
New Contributor III

Thanks for the input.
