Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Homan
New Contributor II

Created on ‎07-07-2023 12:56 AM

site-to-site tunnel with multiple subnets

Hello Everyone,

According to article 197368 "Technical Tip: How to configure VPN for multiple subnets "
It is necessary to only configure one (1) subnet per Phase 2 tunnel..

In my case that becomes very difficult because I have tunnels with more than 20 subnets (source as destination).
I wonder if Is it possible to use "Named Address" objects with multiple subnets as members?

 

Kind regrads,

Homan

Labels:
1393
0 Kudos
11 REPLIES 11
abarushka
Staff
Staff

Created on ‎07-07-2023 03:37 AM

Hello Homan,

 

You may consider to use address group (local address and remote address) in phase 2 configuration:

 

https://docs.fortinet.com/document/fortigate-6000/5.6.12/fortigate-6000-handbook/202963/adding-sourc...

FortiGate
1229
0 Kudos
Homan
New Contributor II
In response to abarushka

Created on ‎07-07-2023 04:42 AM

Hello abarushka,
Thank you for the reply.
I will try it.
Kind regards,
Homan

1218
Homan
New Contributor II
In response to Homan

Created on ‎09-19-2023 01:11 AM

Hello,

Here I am again. That took a while, but we tested the named address option instead of separate subnets. That works perfectly.

But everywhere we have a named address with multiple subnets we see a down entry on phase 2 selector.
An SA entry is made for each subnet, but there is also a SA entry for all subnets in the named address. The SA entry with with all subnets is down in the phase2 selector.

Is this a normal behavior?

 

image2.png

 

kind regards,

Homan

 

865
0 Kudos
sw2090
Honored Contributor

Created on ‎07-07-2023 04:07 AM

you could also set the p2 selector to 0.0.0.0/0.0.0.0 and do the rest with routing and policies.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1225
Homan
New Contributor II
In response to sw2090

Created on ‎07-07-2023 04:48 AM

Hello sw2090,
Thank you for the reply.
Yes it is possible but because of company policy I am not allowed to use 0.0.0.0/0.0.0.0 for my VPN connections.


Kind regards,
Homan

1216
0 Kudos
sw2090
Honored Contributor

Created on ‎07-07-2023 06:10 AM

well the you could either do one p2 selector per subnet or do one p2 selector and use an address-group in there.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1205
parteeksharma
Staff
Staff

Created on ‎07-08-2023 03:23 AM

Hi Homan,
You can use address-group in the phase2 selectors config and create the policies and routes for interesting traffic to flow through the IPsec vpn.

Regards,
Parteek

1193
0 Kudos
Homan
New Contributor II
In response to parteeksharma

Created on ‎07-11-2023 12:25 AM

Hello parteksharma
thanks for your reply.
I will test with address-group next week.

Kind regrads,

Homan

1150
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎07-09-2023 05:03 AM

Just a hint: if you use an address group, you could use the same address group both in the policy and in a static route pointing to the tunnel. As a prerequisite, each address must be marked as "routeable". If all addresses are routeable, then the address group is as well.

If the option to make an address routeable is greyed out, add it in CLI:

set allow-routing enable

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
1174
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.