dhafer
New Contributor II

vpn tunnel: only 1 ip reachable in address group

Hi

I have established an IPsec VPN tunnel between a FortiGate and a third party's Cisco FTD (phase2 remote address 192.168.10.1/32); it worked as expected.

This week I tried to add a new remote address (192.168.10.15/32) to the VPN, so I changed the remote address in phase1 to point to an address group (192.168.10.1/32 & 192.168.10.15/32), and also added that group to the static route and firewall rules instead of the old address (192.168.10.1/32).

The problem is that only one of these IP addresses is reachable at a time: I can ping 192.168.10.1 but I can't ping the other one, 192.168.10.15. However, if the remote 192.168.10.15 pings me, it becomes reachable from my side for some time.

How can I have these 2 IPs reachable at the same time through the VPN?

vpn tunnel config:

    config vpn ipsec phase1-interface
        edit "MY_VPN"
            set type static
            set interface "port1"
            set ip-version 4
            set ike-version 1
            set local-gw <...>
            set keylife 28800
            set authmethod psk
            set mode main
            set peertype any
            set net-device disable
            set passive-mode disable
            set exchange-interface-ip disable
            set aggregate-member disable
            set mode-cfg disable
            set proposal aes256-sha1
            set localid ''
            set localid-type auto
            set auto-negotiate enable
            set negotiate-timeout 30
            set fragmentation enable
            set ip-fragmentation post-encapsulation
            set dpd on-demand
            set forticlient-enforcement disable
            set comments ''
            set dhgrp 2
            set suite-b disable
            set wizard-type custom
            set xauthtype disable
            set mesh-selector-type disable
            set idle-timeout disable
            set ha-sync-esp-seqno enable
            set auto-discovery-sender disable
            set auto-discovery-receiver disable
            set auto-discovery-forwarder disable
            set encapsulation none
            set nattraversal disable
            set esn disable
            set rekey enable
            set fec-egress disable
            set fec-ingress disable
            set remote-gw <...>
            set monitor ''
            set tunnel-search selectors
            set add-gw-route disable
            set psksecret ENC <...>
            set dpd-retrycount 3
            set dpd-retryinterval 20
        next
    end
    config vpn ipsec phase2-interface
        edit "MY_VPN"
            set phase1name "MY_VPN"
            set proposal aes256-sha1
            set pfs disable
            set ipv4-df disable
            set replay enable
            set auto-negotiate enable
            set auto-discovery-sender phase1
            set auto-discovery-forwarder phase1
            set keylife-type seconds
            set encapsulation tunnel-mode
            set comments ''
            set protocol 0
            set src-addr-type name
            set src-port 0
            set dst-addr-type name
            set dst-port 0
            set keylifeseconds 3600
            set src-name "MY_LOCAL"
            set dst-name "MY_VPN_remote"
        next
    end

1 Solution
Toshi_Esumi
Esteemed Contributor III

When you add a new network to either source or destination, you need to add a new phase2-interface config. So if the original is "MY_LOCAL"<->192.168.10.1/32, the second one is "MY_LOCAL"<->192.168.10.15/32.

But I wouldn't set phase2 for each host (/32), but use a larger subnet like 192.168.10.0/24 so that you need only one phase2.


3 REPLIES

dhafer
New Contributor II

I tried the subnet method the first time but I had the same problem; now I've set up a phase2 for each one.

emnoc
Esteemed Contributor III

FWIW you have to match what is expected by the remote device. Are they expecting a /24 or 2x /32s?

Ken Felix
PCNSE NSE StrongSwan