i might need some help here as I think there might be some sort of bug.
So I was doing a Interface mode IPSec VPN connection to a Cisco ASA, everything was fine, VPN came up, Policies are set both ways to the Tunnel interface, Static routes are there.
If i try to initiate the connection from my end (Ping from one host to another host on both encryption domains) I see the packets going through the policy, and the other end sees the packet, but the Cisco firewall reports a mismatch of some sort, so the packets are getting encrypted and sent over the tunnel but it stops there.
Now if the connection is initiated from the Cisco side, and then I try that Ping again now everything works, so there isnt any Routing issues or policy issues, otherwise it would not work just by having the Cisco to establish the encryption domain between those specific subnets.
So now the strange part, this VPN is done with a Local and Remote Subnet set on the Phase2 on the VPN config as an Address Group, as there are 4 subnets on each side that need to use the VPN.
Now if I remove the group, and just add 1 subnet from each side by typing the IP address (10.10.10.0/24) as an example on both local and remote section of the Phase2 VPN connection, I send the tunnel down, I bring it back up and it works fine.
SO the problem seems to be I cannot use Group objects, but there isnt any way for me to add 4 different subnets by actually typing the address instead of using and Address object.
No you can add 4x ph2 selectors. Try with the "ip address" 1st and then work to address-group. I seen the exact same issuesin v5.6.3 where fw.addr.obj gave issues but if you set a actually address it works.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.