Hello Everyone,
According to article 197368 "Technical Tip: How to configure VPN for multiple subnets "
It is necessary to only configure one (1) subnet per Phase 2 tunnel.
In my case that becomes very difficult because I have tunnels with more than 20 subnets (source as destination).
I wonder if it is possible to use "Named Address" objects with multiple subnets as members?
Kind regards,
Homan
Hello Homan,
You may consider using an address group (local address and remote address) in the phase 2 configuration:
Hello abarushka,
Thank you for the reply.
I will try it.
Kind regards,
Homan
Hello,
Here I am again. That took a while, but we tested the named address option instead of separate subnets. That works perfectly.
But everywhere we have a named address with multiple subnets we see a down entry on phase 2 selector.
An SA entry is made for each subnet, but there is also an SA entry for all subnets in the named address. The SA entry with all subnets is down in the phase 2 selector.
Is this normal behavior?
Kind regards,
Homan
You could also set the P2 selector to 0.0.0.0/0.0.0.0 and do the rest with routing and policies.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hello sw2090,
Thank you for the reply.
Yes, it is possible, but because of company policy I am not allowed to use 0.0.0.0/0.0.0.0 for my VPN connections.
Kind regards,
Homan
Well, then you could either do one P2 selector per subnet, or do one P2 selector and use an address group in there.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi Homan,
You can use an address group in the phase 2 selectors config and create the policies and routes for the interesting traffic to flow through the IPsec VPN.
Regards,
Parteek
Hello parteksharma
Thanks for your reply.
I will test with an address group next week.
Kind regards,
Homan
Just a hint: if you use an address group, you can use the same address group both in the policy and in a static route pointing to the tunnel. As a prerequisite, each address must be marked as "routeable". If all addresses are routeable, then the address group is as well.
If the option to make an address routeable is greyed out, add it in CLI:
set allow-routing enable