vpn tunnel: only 1 ip reachable in address group

Author
dhafer
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/10 01:11:37
2021/06/10 01:50:45 | 6.2


Hi
 
I have established an IPsec VPN tunnel between a FortiGate and a third party's Cisco FTD (phase 2 remote address 192.168.10.1/32); it worked as expected.
This week I tried to add a new remote address, 192.168.10.15/32, to the VPN, so I changed the remote address in phase 1 to point to an address group (192.168.10.1/32 & 192.168.10.15/32), and also added that group to the static route and firewall rules in place of the old address (192.168.10.1/32).
 
The problem is that only one of these IP addresses is reachable at a time: I can ping 192.168.10.1 but I can't ping the other one, 192.168.10.15. But if the remote 192.168.10.15 pings me, it becomes reachable from my side for some time.
 
How can I have these 2 IPs reachable at the same time through the VPN?
 
VPN tunnel config:
config vpn ipsec phase1-interface
    edit "MY_VPN"
        set type static
        set interface "port1"
        set ip-version 4
        set ike-version 1
        set local-gw <...>
        set keylife 28800
        set authmethod psk
        set mode main
        set peertype any
        set net-device disable
        set passive-mode disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set mode-cfg disable
        set proposal aes256-sha1
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-demand
        set forticlient-enforcement disable
        set comments ''
        set dhgrp 2
        set suite-b disable
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal disable
        set esn disable
        set rekey enable
        set fec-egress disable
        set fec-ingress disable
        set remote-gw <...>
        set monitor ''
        set tunnel-search selectors
        set add-gw-route disable
        set psksecret ENC <...>
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end
config vpn ipsec phase2-interface
    edit "MY_VPN"
        set phase1name "MY_VPN"
        set proposal aes256-sha1
        set pfs disable
        set ipv4-df disable
        set replay enable
        set auto-negotiate enable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type name
        set src-port 0
        set dst-addr-type name
        set dst-port 0
        set keylifeseconds 3600
        set src-name "MY_LOCAL"
        set dst-name "MY_VPN_remote"
    next
end
Toshi Esumi
Expert Member
  • Total Posts : 2596
  • Scores: 255
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
Re: vpn tunnel: only 1 ip reachable in address group   2021/06/10 09:35:10
Marked helpful by dhafer 2021/06/11 01:13:50
When you add a new network to either the source or the destination, you need to add a new phase2-interface config. So if the original is "MY_LOCAL"<->192.168.10.1/32, the second one is "MY_LOCAL"<->192.168.10.15/32.
But I wouldn't set up a phase2 for each host (/32); I'd use a larger subnet like 192.168.10.0/24 so that you need only one phase2.
dhafer
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/10 01:11:37
Re: vpn tunnel: only 1 ip reachable in address group   2021/06/11 01:13:37
I tried the subnet method the first time but had the same problem; now I've set up a phase2 for each one.
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
Re: vpn tunnel: only 1 ip reachable in address group   2021/06/11 06:36:35
FWIW, you have to match what is expected by the remote device. Are they expecting a /24 or 2x /32s?
 
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
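Both replies come down to one rule of IPsec traffic selectors. The following Python is an added illustration, not part of this thread and not Fortinet's code: a child SA carries only flows that fall inside its selector pair, so a single 192.168.10.1/32 phase 2 can never carry traffic to 192.168.10.15; a separate phase 2 per remote host (or one wider subnet configured identically on both ends) covers both; and, because IKEv1 quick mode defines no selector narrowing, a /24 offered to a peer that expects two /32s is modelled here as a failed negotiation, which is what emnoc's question is probing. The 10.0.0.0/24 local subnet, the generated entry names and the sample flows are assumptions; the rendered phase2-interface entries use src-subnet/dst-subnet, which FortiOS supports alongside the address-object form used in the original post.

```python
# Added illustration, not code from the original thread or from Fortinet:
# models how IKEv1 phase 2 selectors decide which flows a tunnel carries.
# The 10.0.0.0/24 local subnet, the entry names and the sample flows are
# assumptions made for this example.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Selector:
    """One phase 2 traffic selector pair (the 'proxy IDs' of IKEv1 quick mode)."""
    local: IPv4Network
    remote: IPv4Network

    def carries(self, src: str, dst: str) -> bool:
        # A child SA protects a packet only if both addresses fall inside
        # its selector pair; anything else is simply not sent down that SA.
        return ip_address(src) in self.local and ip_address(dst) in self.remote


def sel(local: str, remote: str) -> Selector:
    """Build a selector from CIDR strings, as seen from the side configuring it."""
    return Selector(ip_network(local), ip_network(remote))


def ikev1_acceptable(ours: Selector, peers: Selector) -> bool:
    """IKEv1 quick mode defines no selector narrowing (IKEv2 added that, RFC 7296
    section 2.9), so in practice the peer's pair must mirror ours; this model
    treats any difference as a negotiation that yields no usable SA."""
    return ours.local == peers.remote and ours.remote == peers.local


def uncovered(selectors: Iterable[Selector],
              flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (src, dst) flows that no established child SA would carry."""
    sels = list(selectors)
    return [f for f in flows if not any(s.carries(*f) for s in sels)]


def phase2_per_remote(phase1: str, local: str, remotes: Iterable[str]) -> str:
    """Render one FortiOS phase2-interface entry per remote network, the layout
    the thread recommends. Uses src-subnet/dst-subnet instead of the address
    object names in the original post; both are standard FortiOS syntax."""
    loc = ip_network(local)
    lines = ["config vpn ipsec phase2-interface"]
    for i, r in enumerate(remotes, 1):
        rn = ip_network(r)
        lines += [
            f'    edit "{phase1}_p2_{i}"',          # entry name is an assumption
            f'        set phase1name "{phase1}"',
            "        set auto-negotiate enable",   # bring each SA up without waiting for traffic
            f"        set src-subnet {loc.network_address} {loc.netmask}",
            f"        set dst-subnet {rn.network_address} {rn.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample: one local subnet, the two remote hosts from the thread,
# and one test flow to each of them.
LOCAL = "10.0.0.0/24"
REMOTES = ["192.168.10.1/32", "192.168.10.15/32"]
FLOWS = [("10.0.0.5", "192.168.10.1"), ("10.0.0.5", "192.168.10.15")]


def compare_layouts() -> Dict[str, object]:
    """Which flows each selector layout leaves unprotected, plus one IKEv1 mismatch."""
    single_host = [sel(LOCAL, REMOTES[0])]               # the original one-/32 phase 2
    per_host = [sel(LOCAL, r) for r in REMOTES]          # one phase 2 per remote host
    wide = [sel(LOCAL, "192.168.10.0/24")]               # one phase 2 for the whole subnet
    # The peer still proposes its side as 192.168.10.1/32 <-> 10.0.0.0/24.
    peer_view = sel("192.168.10.1/32", LOCAL)
    return {
        "single_host_uncovered": uncovered(single_host, FLOWS),
        "per_host_uncovered": uncovered(per_host, FLOWS),
        "wide_uncovered": uncovered(wide, FLOWS),
        "wide_accepted_by_32_peer": ikev1_acceptable(wide[0], peer_view),
        "host_accepted_by_32_peer": ikev1_acceptable(single_host[0], peer_view),
    }


if __name__ == "__main__":
    for k, v in compare_layouts().items():
        print(f"{k}: {v}")
    print(phase2_per_remote("MY_VPN", LOCAL, REMOTES))
```

Running it prints the flows each layout leaves uncovered and the two generated phase2 entries. The same src-subnet/dst-subnet pairs must appear, mirrored, in the peer's crypto configuration; with a single /24 entry instead, the peer must also be configured for the /24, otherwise the mismatch check above is the outcome.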