Fortinet Community

FortiOSman · ‎10-17-2016

Hello,

Is anyone running 0.0.0.0/0.0.0.0 as the source and destination for a P2 selector?

I have a growing list of about 30 P2's that would be much easier to manage if it were just the one wildcard entry. I would still be controlling the traffic on my policies.

Any pros/cons to doing it this way? The unit on the other side of the tunnel is a Fortigate as well.

Thanks

emnoc · ‎10-17-2016

yes and no

PRO

[ul]

Simple fool proof

one time configure ( still requires routs and fwpolicies )

ease of management ( configure it once and forget about it )[/ul]

CON

[ul]

Statistics will not show you if one local/remote subnet traffic selector has problems

not compatible with certain firewall or VirtDC vpns ( juniper and panos supports it but ciscoASA, and most linux of BSD solutions don't )

probably not benetficial in a hub-to-spoke sets & at the spokes

No means to set IPSEC-SA key life for specific local/remote-subnets if you want or need less or more key life renewals

if you are a fan of fortinet and drink the kook-aid they recommend specific src/dst-nets in the BCP in a "dialup"vpn

any traffic can bring up a tunnel regardless if it correct or a mistake ( no control on what can bring a IPSEC-SA tunnel up )

if you monitor or like to monitor SPIs and for specific unique traffic pairs you can loose that visibility with quad 0s[/ul]

YMMV

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎10-17-2016

yes and no

PRO

[ul]

Simple fool proof

one time configure ( still requires routs and fwpolicies )

ease of management ( configure it once and forget about it )[/ul]

CON

[ul]

Statistics will not show you if one local/remote subnet traffic selector has problems

not compatible with certain firewall or VirtDC vpns ( juniper and panos supports it but ciscoASA, and most linux of BSD solutions don't )

probably not benetficial in a hub-to-spoke sets & at the spokes

No means to set IPSEC-SA key life for specific local/remote-subnets if you want or need less or more key life renewals

if you are a fan of fortinet and drink the kook-aid they recommend specific src/dst-nets in the BCP in a "dialup"vpn

any traffic can bring up a tunnel regardless if it correct or a mistake ( no control on what can bring a IPSEC-SA tunnel up )

if you monitor or like to monitor SPIs and for specific unique traffic pairs you can loose that visibility with quad 0s[/ul]

YMMV

PCNSE

NSE

StrongSwan

emnoc · ‎10-17-2016

and to add one more critical and easily overlooked

If you use quad Zeros, and no PFS, than any key material from the IKE and IPSEC-SAs can compromise ALL traffic carried by just the single IPSEC SA, at least with multiple IPSEC-SA ( aka phase2-interfaces ) you have some better means for protection single a hijacker would need to hack each IPSEC-SA independently

FWIW: We should always use PFS when support by both vpn-peers imho

PCNSE

NSE

StrongSwan

FortiOSman · ‎10-18-2016

Thanks for the input.

Fortinet Community

Wildcard network for IPSEC phase2 selectors