Saturday, March 22, 2008

Advanced IPSEC VPNs - Phase 2 Quick Mode Selectors

Most of the time, when you create site-to-site VPN tunnels, the default Phase 2 Quick Mode Selector just doesn't cut it. In FortiOS 2.8 you were able to choose between manually entering source and destination addresses or selecting address objects from a drop-down list. This feature is absolutely essential when creating VPNs that contain discontiguous subnets. A good example:
Source subnets: 172.16.1.0/24 and 192.168.1.0/24, destination subnets: 172.16.99.0/24 and 10.1.1.0/24.
In FortiOS 3.0 up to MR6 the drop-down option no longer exists in the GUI. However, you can still pop the hood and get at the internals using the CLI. Here's how:

  1. In the GUI, define the local and remote subnets for the VPN as address objects.
  2. Group the local and remote subnets into separate address groups (e.g. "encdom-local-remote" and "encdom-remote-local").
  3. On the CLI:
  • # config vpn ipsec phase2 (or # config vpn ipsec phase2-interface if you are using interface mode)
  • # edit <phase2-name> (the Phase 2 entry you created in the GUI)
  • # set src-addr-type name
  • # set src-name encdom-local-remote (the address group containing your local subnets)
  • # set dst-addr-type name
  • # set dst-name encdom-remote-local (the address group containing the remote subnets)
  • # end
You should end up with the following. Notice that you can no longer edit the Quick Mode selectors in the GUI; to change them you have to unset the advanced options back in the CLI.
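The whole procedure as a FortiOS CLI script, added here as an example and not the post's own configuration: the address objects the GUI steps would create, the two address groups, and the Phase 2 selector settings. The subnets are the ones from the post; the address object names, the Phase 1 name "to-branch" and the Phase 2 name "to-branch-p2" are assumed placeholders, and the script edits an existing Phase 2 entry so its proposals and other settings are kept. Both the source and the destination selector are switched to the name type together, since the CLI rejects a configuration that mixes a named group on one side with a subnet, range or IP on the other.

```fortios
# Step 1: address objects for each local and remote subnet
# (names are constructed for this example)
config firewall address
    edit "local-172.16.1.0"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "local-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote-172.16.99.0"
        set subnet 172.16.99.0 255.255.255.0
    next
    edit "remote-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
end

# Step 2: one group per direction, local subnets and remote subnets kept separate
config firewall addrgrp
    edit "encdom-local-remote"
        set member "local-172.16.1.0" "local-192.168.1.0"
    next
    edit "encdom-remote-local"
        set member "remote-172.16.99.0" "remote-10.1.1.0"
    next
end

# Step 3: point the Phase 2 selectors at the groups.
# Use "config vpn ipsec phase2-interface" instead if the tunnel is in interface mode.
# "to-branch-p2" is an assumed name for the Phase 2 entry created in the GUI.
config vpn ipsec phase2
    edit "to-branch-p2"
        set phase1name "to-branch"
        set src-addr-type name
        set src-name "encdom-local-remote"
        set dst-addr-type name
        set dst-name "encdom-remote-local"
    next
end
```

To go back to a plain selector later, set src-addr-type and dst-addr-type to subnet again and give the subnets explicitly; the GUI will not let you do it once the name type is in place.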

6 comments:

Lidofido said...

Hey, just wanted to leave an FYI - if you use addr-type name on src or dst, you have to do it for the other. In other words, you can't have a name on one and a static IP/range/subnet on the other... you need to define a nameset. It will unhelpfully not tell you this until you hit end, at which point it will just bomb out and revert your changes. Lame!

Niranjana said...

The option 'set src-addr-type name' will let you enter the group name in the VPN domain. But this is not always compatible with the other vendors. Cisco and FGT will not support this option. The tunnel will be UP but the communication will be possible ONLY from the first entity of the group from either end.

Regards,
Niranjana BS

Sebastian said...

Good point. With VPNs to Cisco I typically end up creating one Phase I and multiple Phase 2 configurations.

Anonymous said...

If you try to connect an Astaro Sophos gateway with more than one subnet and a FortiGate with more than one subnet, you also have to create separate Phase 2 configurations for every combination.
It does not work with one Phase 2 and a source group and a destination group.
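The interoperable alternative described in the two comments above (Sebastian's Cisco case and the Astaro/Sophos case): one Phase 1 and a separate Phase 2 per local/remote subnet pair, using plain subnet selectors instead of named groups. This is an added example, not configuration from the post or its commenters. The subnets are the post's four, giving four combinations; the Phase 1 name "to-branch" and the Phase 2 names are assumed placeholders, and the remote peer must be configured with the mirror image of each pair.

```fortios
# One Phase 2 (one pair of quick mode selectors) per combination of
# local and remote subnet. Names are constructed for this example.
# Use "config vpn ipsec phase2-interface" for an interface-mode tunnel.
config vpn ipsec phase2
    edit "to-branch-p2-1"
        set phase1name "to-branch"
        set src-addr-type subnet
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 172.16.99.0 255.255.255.0
    next
    edit "to-branch-p2-2"
        set phase1name "to-branch"
        set src-addr-type subnet
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.1.1.0 255.255.255.0
    next
    edit "to-branch-p2-3"
        set phase1name "to-branch"
        set src-addr-type subnet
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 172.16.99.0 255.255.255.0
    next
    edit "to-branch-p2-4"
        set phase1name "to-branch"
        set src-addr-type subnet
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
```

Each entry negotiates its own IPsec SA pair, so a peer that only accepts a single subnet per selector sees exactly one source and one destination in every Quick Mode exchange; the cost is that the number of Phase 2 entries grows with the product of local and remote subnets.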
