FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197368

Description

This article describes how to configure a site-to-site IPsec VPN that carries traffic for multiple subnets.
Components

- FortiGate Antivirus Firewalls.

- 3rd party VPN gateway.

Solution

When configuring a site-to-site VPN between a FortiGate and another vendor's VPN gateway, configure only one (1) subnet per Phase 2 tunnel.

Although the FortiGate can associate multiple subnets (also known as 'proxy IDs' or traffic selectors) with a single Phase 2 SA, most other vendors do not support this.

Also, some vendors do not support an IP range as a selector/proxy ID. Be sure to define the firewall address as a subnet, not a range.

Symptoms

- Only one subnet is able to send traffic across the tunnel.

- The third-party VPN gateway may report an 'invalid/unsupported proxy ID' error.

Solution

To ensure that the FortiGate uses a separate SA for each additional subnet:

1) Define a separate Phase 2 tunnel for each subnet.

2) In the encrypt firewall policy for the second subnet, reference the new Phase 2 tunnel.

For example:

Subnet A & B --- FGT ---------------- VPN GW ----- Subnet C

Subnet A >> Subnet C ENCRYPT -- using Phase 2 tunnel #1

Subnet B >> Subnet C ENCRYPT -- using Phase 2 tunnel #2

Example

IPsec VPN between a FortiGate and a Cisco PIX firewall.

- Several subnets (or individual hosts) are hosted behind the PIX and/or the FortiGate (e.g. 10.0.0.1/32 and 10.0.0.2/32 behind the FortiGate, and 192.168.1.0/24 and 192.168.2.0/24 behind the PIX).

- The remote subnets (or hosts) are defined on the FortiGate as an Address Group (192.168.1.0/24 and 192.168.2.0/24).

As the PIX firewall creates one SA (security association) per access-list entry and the FortiGate unit creates one SA per Phase 2, the FortiGate must have a separate Phase 2 entry for each access-list line in the PIX configuration (see below).

access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.2

In this example, the FortiGate is configured with two firewall policies, each using its own Phase 2 and each pointing to the corresponding remote destination network.

The Address Group with the combined remote networks will not be used.
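As an added example (not part of the original article and not Fortinet's own tooling), the following Python script parses the two PIX access-list lines above and emits FortiOS CLI with exactly one Phase 2 selector and one firewall policy per access-list entry, which is the one-subnet-per-Phase-2 layout the article calls for. It assumes an interface-mode (route-based) tunnel whose Phase 1 is named to_pix and a LAN interface named internal; those names, and the net_<address>_<prefix> object naming scheme, are the example's own. Note that the selectors are mirrored: the ACL source (the network behind the PIX) becomes the FortiGate's dst-subnet, and the ACL destination becomes its src-subnet.

```python
"""Added example: one FortiGate Phase 2 selector per Cisco PIX access-list entry.

Parses PIX 'access-list <name> permit ip <src> <dst>' lines and emits FortiOS
CLI with one phase2-interface and one firewall policy per entry.  The Phase 1
name "to_pix" and LAN interface "internal" are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample input: the two PIX access-list lines quoted in the article.
PIX_ACL = """
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.2
"""


@dataclass
class Selector:
    """One Phase 2 traffic selector, seen from the FortiGate side."""
    local: ipaddress.IPv4Network   # behind the FortiGate (the ACL destination)
    remote: ipaddress.IPv4Network  # behind the PIX (the ACL source)


def _endpoint(tokens, i):
    """Parse one ACL endpoint at tokens[i]; return (network, index after it)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # "<network> <dotted-mask>" form; ipaddress accepts a dotted mask after '/'
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix_acl(text: str) -> list[Selector]:
    """Return one Selector per 'permit ip' entry; other lines are ignored."""
    selectors = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        remote, i = _endpoint(t, 4)  # PIX side is the ACL source
        local, _ = _endpoint(t, i)   # FortiGate side is the ACL destination
        selectors.append(Selector(local=local, remote=remote))
    return selectors


def _name(n: ipaddress.IPv4Network) -> str:
    return f"net_{n.network_address}_{n.prefixlen}"


def fortios_config(selectors, phase1name="to_pix", lan_intf="internal") -> str:
    """Emit FortiOS CLI: one address object per network, then one
    phase2-interface and one outbound firewall policy per selector."""
    nets = {_name(n): n for s in selectors for n in (s.local, s.remote)}
    out = ["config firewall address"]
    for name, n in nets.items():
        out += [f'    edit "{name}"',
                "        set type ipmask",  # a subnet object, never an IP range
                f"        set subnet {n.network_address} {n.netmask}",
                "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for i, s in enumerate(selectors, 1):      # one Phase 2 per ACL line
        out += [f'    edit "{phase1name}_p2_{i}"',
                f'        set phase1name "{phase1name}"',
                f"        set src-subnet {s.local.network_address} {s.local.netmask}",
                f"        set dst-subnet {s.remote.network_address} {s.remote.netmask}",
                "    next"]
    out += ["end", "config firewall policy"]
    for i, s in enumerate(selectors, 1):      # one policy per Phase 2
        out += ["    edit 0",                 # 0 lets FortiOS assign the next ID
                f'        set name "{phase1name}_out_{i}"',
                f'        set srcintf "{lan_intf}"',
                f'        set dstintf "{phase1name}"',
                f'        set srcaddr "{_name(s.local)}"',
                f'        set dstaddr "{_name(s.remote)}"',
                "        set action accept",
                '        set schedule "always"',
                '        set service "ALL"',
                "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(fortios_config(parse_pix_acl(PIX_ACL)))
```

Only the outbound policies are generated; an interface-mode tunnel also needs the matching inbound policies and a static route for each remote network via the to_pix interface, which the script leaves to the administrator. Because every PIX access-list line becomes its own phase2-interface entry, no selector ever carries more than one subnet, and no address group is referenced anywhere in the generated Phase 2 definitions.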