Technical Note: Restricting IPs to connect to a VPN IPsec
Description
This article explains how to restrict which remote IP addresses are allowed to negotiate an IPsec VPN connection with the FortiGate.
Solution
As the following diagram shows, Firewall IPv4 Policies cannot block this kind of traffic: the destination of IKE traffic is the FortiGate itself, so it does not pass through the firewall and never matches a forwarding policy.

A “Local-in Policy” must be configured for IKE traffic. Create the address object first, then reference it in the local-in policy (the policy cannot refer to an address object that does not exist yet):
config firewall address
    edit "192.168.157.78_HOST"
        set subnet 192.168.157.78 255.255.255.255
    next
end
config firewall local-in-policy
    edit 2
        set ha-mgmt-intf-only disable
        set intf "wan1"
        set srcaddr "192.168.157.78_HOST"
        set dstaddr "all"
        set action deny
        set service IKE
        set schedule "always"
        set auto-asic-offload enable
        set status enable
    next
end
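The note above denies IKE from a single host. The same mechanism generalises to an allow-list: accept IKE only from known peers and deny it from everyone else. The following is an added example, not part of the original note; the object names and the peer addresses (taken from documentation ranges) are assumptions, and "IKE" is the predefined FortiOS service for UDP 500 and 4500.

```fortios
config firewall address
    edit "VPN_PEER_A"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "VPN_PEER_B"
        set subnet 198.51.100.20 255.255.255.255
    next
end
config firewall addrgrp
    edit "VPN_PEERS_ALLOWED"
        set member "VPN_PEER_A" "VPN_PEER_B"
    next
end
config firewall local-in-policy
    edit 10
        set intf "wan1"
        set srcaddr "VPN_PEERS_ALLOWED"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
        set status enable
    next
    edit 11
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
        set status enable
    next
end
```

Local-in policies are evaluated top-down, so the accept entry must sit above the deny entry. The deny entry also drops IKE from dial-up peers whose addresses are not known in advance, so use it only on gateways whose peers have fixed addresses.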
