Hi there!
I heard somewhere that when setting up IPsec tunneling between two FortiGates, in the Phase 2 selector, instead of adding the individual VLANs (in my case I have two), like this:
Local: 10.200.80.0/255.255.255.0
Remote: 192.168.1.0/255.255.255.0
I should use 0.0.0.0/0.0.0.0 instead? And does that mean I only need to create one entry (right now I have one for each VLAN)?
Or what would be best practice?
Thanks!
Hi. Those are the two common styles of creating IPsec tunnels.
The downside with the first style, specifying the networks in P2, is that you need to be very sure that both ends, yours and the other side, have them exactly the same way. And if new networks need to be added, then both sides need to communicate to have new, matching Phase 2 selectors.
On the second style, it’s the opposite. The 0.0.0.0/0.0.0.0 tunnel basically makes it possible to put any networks in the tunnel without the need to touch P2 settings. All you need is a route to point the network destination towards the tunnel interface and a policy to allow the traffic. So it will be a similar experience to having a normal routed interface on a firewall. I warmly recommend using the 0.0.0.0/0.0.0.0 option if the opposite firewall and the network person support it, as it needs to be configured that way on both ends. Implementation is easy (just one P2 with 0.0.0.0/0.0.0.0) and making any routing changes will be a lot easier in the future.
I use 0.0.0.0/0.0.0.0 everywhere I can, and basically view P2 proposals as generally unnecessary network filters.
Hi there!
Thanks for the input. I think I’d prefer the second style then.
Question again.
In the Phase 2 proposal, I suppose I do need to do at least one Phase 2.
Would the local address be 0.0.0.0/0.0.0.0 and the same with the remote address? Or how would I configure the second style?
It’s going to be a FortiGate 100F at both ends (brand new, both of them).
Yes. 0.0.0.0/0.0.0.0 as local and remote. The other side will do the same. Other settings are done normally and agreed with both sides: encryption etc. The term for this style is Route-Based VPN.
The 0.0.0.0/0.0.0.0 option is mentioned here (would be nice if they added some examples).
And here you can see an example picture of the setting being used.
Then you just need to add a route to tell the firewall that the destination network, for example 10.10.10.0/24, is found in that tunnel interface direction. In the route you normally have to add a next hop IP named “Gateway”, but in this case you put “0.0.0.0” as the gateway.
Like this:
- Destination: 10.10.10.0/24
- Gateway: 0.0.0.0
- Device: the tunnel interface
This will tell the firewall “spit all traffic destined to that network into this IPsec tunnel, the other side will handle the routing from there”. And then just a policy to permit the traffic.
A similar setup needs to be done on the other side as well, so they know where to push the return traffic.
Usually it’s a good idea to use NAT pools to hide the real network from the opposite side. But this is more needed if the IPsec tunnel is between different companies and there is a possibility that their internal networks could overlap. Then you just agree that “ok, I’ll NAT my traffic to come from a pool, let’s say 192.168.10.0/24, and you can NAT yours to 192.168.20.0/24”. The real clients are coming from the 10.10.10.0/24 network, but the opposite side will never see those, and they are happy because they happen to have an identical network at their side, and that would cause issues.
A wall of text. Hopefully I managed to explain this without being too confusing. When I start, it’s hard to stop. 
Hey man! I think it makes sense. Thank you so much! I will test this out 
The next thing I was worried about was the static route, because in my firewall I have them configured like this:
Main one: 0.0.0.0/0 -> WAN IP -> Interface (WAN)
However, for the IPsec tunnel I added a static route:
192.168.0.0/24 -> IPsec tunnel (I set the administrative distance lower than WAN), not really sure if it impacts the traffic.
So in this new scenario, I would add a static route, but I only get the option to add a Destination Subnet and then an Interface (my IPsec tunnel).
However, if I use 0.0.0.0/0.0.0.0 that would interfere with my WAN.
Wouldn’t I just use the network on the other side?
Hope that makes sense!
And thank you for the tip with the NATting, I’ll look into that, I might actually need that at some point.
The static route has the subnets you want to route into the VPN tunnel, so they are the actual remote subnets.
Always happy to help. 
0.0.0.0/0.0.0.0 is not used as a destination in the IPsec routes, so we won’t cause any issues to your default route. We route specific networks only. We use 0.0.0.0 in the Gateway field, which is the same as “next hop”, not in the Destination field.
Your default route:
Destination: 0.0.0.0/0.0.0.0
Gateway: Your internet provider IP most likely
Device: WAN interface
The VPN route:
Destination: 192.168.0.0/24
Gateway: 0.0.0.0
Device: tunnel interface
As you can see, the 0.0.0.0 is not used as the destination but as the gateway address, to tell the opposite side “we don’t know the next hop for this traffic, route it as you see fit”. The opposite firewall will get the packet without it being routed to any specific IP, read the destination address and then check its own route table to figure out where to forward the packet internally.
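To put the whole route-based setup from the two answers above (one 0.0.0.0/0.0.0.0 Phase 2 selector, static routes with no next hop, a permit policy, and the optional NAT pool) into FortiOS CLI form, here is an added example; it is not from this thread or from Fortinet documentation. It uses the OP’s subnets (10.200.80.0/24 locally, 192.168.1.0/24 and 192.168.0.0/24 on the remote side) and assumes the interface names `wan1` and `internal`, the peer address 203.0.113.2, the PSK placeholder and all object names; the peer applies the mirror image. The `#` lines are annotations for the reader.

```fortios
# Added example, not from this thread: route-based IPsec on FortiOS with a
# single 0.0.0.0/0.0.0.0 Phase 2 selector. Interface names, the peer IP
# 203.0.113.2, the PSK placeholder and object names are assumptions.

config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret <REPLACE-WITH-STRONG-PSK>
    next
end

config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        # One wide selector on both ends; routing decides what enters the tunnel.
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config router static
    # No "set gateway" on tunnel routes: the next hop stays 0.0.0.0 and the
    # packet is simply handed to the tunnel interface. The default route on
    # wan1 is untouched, because 0.0.0.0 is never used as a destination here.
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-siteB"
        set distance 10
    next
    # A second remote VLAN is just another route; Phase 2 does not change.
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "to-siteB"
        set distance 10
    next
    # Blackhole covering both remote VLANs. It only takes effect when the
    # tunnel is down and its routes are gone, so traffic for the remote side
    # is dropped instead of leaking out through the default route.
    edit 0
        set dst 192.168.0.0 255.255.254.0
        set blackhole enable
        set distance 254
    next
end

config firewall address
    edit "siteA-lan"
        set subnet 10.200.80.0 255.255.255.0
    next
    edit "siteB-lans"
        set subnet 192.168.0.0 255.255.254.0
    next
end

config firewall policy
    # Policies name the real subnets rather than "all", so the wide Phase 2
    # selector does not turn the tunnel into an any-to-any link.
    edit 0
        set name "siteA-to-siteB"
        set srcintf "internal"
        set dstintf "to-siteB"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-lans"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "siteB-to-siteA"
        set srcintf "to-siteB"
        set dstintf "internal"
        set srcaddr "siteB-lans"
        set dstaddr "siteA-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Optional, for the overlapping-network case: a one-to-one pool that presents
# 10.200.80.0/24 to the peer as 192.168.10.0/24. Enable it on the outbound
# policy with "set nat enable", "set ippool enable" and "set poolname vpn-pool".
config firewall ippool
    edit "vpn-pool"
        set type one-to-one
        set startip 192.168.10.1
        set endip 192.168.10.254
    next
end
```

The point to check after applying this is the routing table (`get router info routing-table all`): the tunnel routes should show the tunnel interface with no gateway, the default route should still point at the ISP next hop on `wan1`, and with the tunnel down the 192.168.0.0/23 blackhole should be what matches the remote networks.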