IPsec VPN associated interface object ip and remote-ip with multiple phase2?

tanr
2018/08/13 15:12:34


Have two ipsec phase1-interface VPNs between two locations (FortiGate to FortiGate, 5.6.x), each with multiple phase2s.  All works fine, and branch fortigate logs to our central FortiAnalyzer over the VPN.
 
Setting up Security Fabric following https://cookbook.fortinet.com/security-fabric-over-ipsec-vpn-56/ it specifies changing the interface object (config system interface) for the phase1 vpn (NOT the vpn ipsec phase1/phase2s) to set its ip and remote-ip to match the local and remote ips of the two fortigates to use for FortiTelemetry between them (upstream FortiGate in Fabric).  These were initially both 0.0.0.0, with the ipsec phase1-interface specifying local-gw and remote-gw, and the multiple phase2-interfaces specifying local and remote subnets.
 
My uneducated questions:
- Will I break my multiple phase2s by specifying a specific ip and remote-ip in the phase1 interface object?
- If the interface ip and remote-ip specified are /32 will this break the associated phase2 that is for a larger subnet?
- Better way to do this?
 
Thanks.
#1
tanr
Re: IPsec VPN associated interface object ip and remote-ip with multiple phase2? 2018/08/15 07:35:33
I got the downstream FortiGate talking to the upstream FortiGate over IPsec VPN (already had it logging correctly over the VPN) but found that there are some unneeded / confusing sections of the cookbook article (https://cookbook.fortinet.com/security-fabric-over-ipsec-vpn-56/), at least for 5.6.5.
 
  • The tunnel interface ip can't be set to an ip within an existing subnet for any single interface, so it can't be part of any existing phase2, or any existing single interface.  Enabling FortiTelemetry on the interface if IPs are 0.0.0.0 doesn't work.  I ended up using new IPs in a new subnet I'll reserve for fabric communication.
  • Since all you need between the two FortiGates is FortiTelemetry, you don't need to create security policies for this, nor do you need to enable Multiple Interface Policies.  I did create the matching phase2's and static routes.
  • The security policy to allow logging from the branch FortiGate to the central FAZ doesn't need to have NAT enabled. [EDIT] Note that I did set the source-ip in config logging fortianalyzer setting though.
Anybody know the best method for reporting corrections to cookbook articles?  Facebook comment on their page?  Open a support ticket?
 
Side Rant: I wish documentation and cookbook articles wouldn't always create their security policy examples allowing ALL services.  It would be much more useful if they could just list the specific services needed for their example.
post edited by tanr - 2018/08/15 11:48:22
#2
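The layout described in the post above, written out as FortiOS 5.6 CLI. This is an added illustration, not configuration from the post or the cookbook article; the tunnel name "to-hq", WAN interface "wan1", peer and LAN addresses, the reserved 10.255.0.0/30 fabric subnet and the FortiAnalyzer address are all assumed, as are the 5.6-era `fortiheartbeat` keyword for FortiTelemetry and the netmask form of `remote-ip`. It shows the /32 ip/remote-ip on the tunnel interface object kept out of every existing phase2 selector, the extra phase2 and static route for the fabric pair, and the FortiAnalyzer source-ip in place of a NAT policy.

```fortios
# Branch (downstream) FortiGate. Assumed: tunnel "to-hq", WAN "wan1",
# peers 203.0.113.1 (branch) / 198.51.100.1 (HQ), fabric-only subnet
# 10.255.0.0/30 (.2 branch, .1 HQ), FortiAnalyzer at 10.1.1.50.
# Phase1 stays as before: gateways only, tunnel IPs are not set here.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set local-gw 203.0.113.1
        set remote-gw 198.51.100.1
        set psksecret <placeholder-psk>
    next
end

# Existing LAN-to-LAN phase2 is untouched; a second phase2 carries only
# the fabric /32 pair, so the two selectors never overlap.
config vpn ipsec phase2-interface
    edit "to-hq-lan"
        set phase1name "to-hq"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
    edit "to-hq-fabric"
        set phase1name "to-hq"
        set src-subnet 10.255.0.2 255.255.255.255
        set dst-subnet 10.255.0.1 255.255.255.255
    next
end

# Tunnel interface object: ip/remote-ip come from the reserved subnet,
# not from any LAN or existing phase2 selector; then enable FortiTelemetry.
config system interface
    edit "to-hq"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.255
        set fortiheartbeat enable
    next
end

# Route the upstream's fabric address into the tunnel.
config router static
    edit 0
        set dst 10.255.0.1 255.255.255.255
        set device "to-hq"
    next
end

# FAZ logging sourced from the tunnel IP; the matching policy needs no NAT.
config log fortianalyzer setting
    set server 10.1.1.50
    set source-ip 10.255.0.2
end
```

The upstream FortiGate mirrors this with the addresses swapped; nothing in the existing LAN phase2s or their routes changes.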
ede_pfau
Re: IPsec VPN associated interface object ip and remote-ip with multiple phase2? 2018/08/15 08:56:41
Anybody know the best method for reporting corrections to cookbook articles?
Either mail to the author, comment the article (if allowed) or send mail to the Documentation staff led by Bill Dickie (bdickie@fortinet.com). I've always got a response from him within a short time.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
tanr
Re: IPsec VPN associated interface object ip and remote-ip with multiple phase2? 2018/08/15 09:12:11
Thanks Ede, I'll pass on the comments to their documentation folk.
#4
emnoc
Re: IPsec VPN associated interface object ip and remote-ip with multiple phase2? 2018/08/15 09:42:30
FWIW the document team has an email address for the group that manages the documents. It's listed in ALL documents: techdocs@fortinet.com. They are pretty quick to respond, depending on how busy the group is or is not.
 
So if you don't use the online help but download a pdf, you can find the team mail aliases. Emailing an individual user might not net as quick a response. The first 2-3 pages have all of the emails or links for techdocs in all pdf files.
 
Ken

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#5
ede_pfau
Re: IPsec VPN associated interface object ip and remote-ip with multiple phase2? 2018/08/19 09:57:07
+1

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#6