paradoxum
New Member
April 18, 2017
Question

Allow inbound IPSec connections only from specific Public IPs

  • April 18, 2017
  • 2 replies
  • 19799 views

Hi,

I'm working with a FGT300C running v5.0,build0305 (GA Patch 10). I'm trying to restrict access to one of the IPSec dialup VPNs on the box to specific source IPs. I have created an Address Group with the source IPs, associated with the VPN interface. I then enabled and created local-in policies allowing traffic to the VPN interface from the Address Group and denying all others. My VPN works fine, but the local-in policy doesn't appear to be working - I can connect to the VPN from any Public IP. Any idea why?

Thanks,

Mike

config firewall local-in-policy
    edit 1
        set intf "MyVPN"
        set srcaddr "MyVPN_PubIP_Group"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "MyVPN"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

    2 replies

    rwpatterson
    New Member
    April 19, 2017

    I believe the local-in policies are to hit the FortiGate itself, not traffic passing through it. You just need to set those IP addresses in the group as the source addresses for the IPSec tunnel.

    paradoxum (Author)
    New Member
    April 19, 2017

    If you mean specifying the source IP group under the IPv4 policy as the source address, I've tried that. Although it stops access to the destination subnets, it still allows any public IP to connect to the VPN, it just doesn't route the traffic. I'm looking for a way to reject connections to this particular VPN from any address other than what's whitelisted in the source group.

    tanr
    New Member
    April 19, 2017

    What is the interface (intf) you're specifying as your VPN interface?

    I believe it needs to be the actual physical interface your VPN interface is on, not the VPN interface object itself.

    If that works then you'll want to make the accept and deny rules more specific with dstaddr and just the IPSec initialisation services (IKE and NAT-T, I think?).

    If that doesn't work, I can go and re-check my own config for this.  Hopefully it is still working!

    pedrodiazfm
    New Member
    February 12, 2023

    Hi.

    It's an old post, but I needed to allow the IPSEC traffic only to two IPs and I have done it with this configuration.

    1. Create a group to allow IPSEC connections from Public IPs.

    My group is called "IPSEC_Allow"

    2. Create two policies, one to allow traffic from the group and one to block all other IKE traffic:

    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "IPSEC_Allow"
            set dstaddr "all"
            set action accept
            set service "IKE"
            set schedule "always"
        next
        edit 2
            set intf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "IKE"
            set schedule "always"
        next
    end
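A small checker, added here as an example and not code from the thread or from Fortinet: it parses a FortiOS-style `config firewall local-in-policy` block like the one above, models first-match evaluation with the implicit deny, and runs a few constructed IKE (UDP 500) and NAT-T (UDP 4500) attempts through it. The members of the `IPSEC_Allow` group, the sample source addresses, and the port sets behind the `IKE` and `ALL` service names are assumptions made for the example; the point it illustrates is the one made in the replies, that a policy bound to a tunnel interface name never sees IKE packets, which arrive on the physical WAN interface, while the same two rules bound to `wan1` accept whitelisted sources and drop everything else.

```python
"""Evaluate FortiOS-style local-in policies against sample IKE attempts.

Added example (not from the forum thread or FortiOS). Group membership,
service-to-port mappings and sample sources are constructed for illustration.
"""
import ipaddress
import re

# Constructed: address groups referenced by the policies on the page.
ADDRESS_GROUPS = {
    "IPSEC_Allow": ["198.51.100.10/32", "203.0.113.0/29"],  # made-up whitelist
    "all": ["0.0.0.0/0"],
}

# Assumed UDP ports behind the FortiOS service objects (IKE = 500, NAT-T = 4500).
SERVICES = {"IKE": {500, 4500}, "ALL": None}  # None = any port

# The working configuration from the last reply, bound to the physical interface.
WAN_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "IPSEC_Allow"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
    next
end
"""

# The original poster's variant: same rules, but bound to the tunnel interface name.
TUNNEL_CONFIG = WAN_CONFIG.replace('"wan1"', '"MyVPN"')


def parse_local_in(text):
    """Parse `edit N ... next` entries into dicts; action defaults to deny like FortiOS."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "action": "deny"}
            continue
        m = re.match(r'set (\w+) "?([^"]*)"?$', line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
            continue
        if line == "next" and cur is not None:
            policies.append(cur)
            cur = None
    return policies


def _in_group(ip, group_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_GROUPS[group_name])


def evaluate(policies, intf, src_ip, dst_port):
    """First matching policy wins; no match falls through to the implicit deny (id None)."""
    for p in policies:
        if p.get("intf") != intf:
            continue
        if not _in_group(src_ip, p.get("srcaddr", "all")):
            continue
        ports = SERVICES[p.get("service", "ALL")]
        if ports is not None and dst_port not in ports:
            continue
        return p["action"], p["id"]
    return "deny", None


def audit(config_text, attempts, ingress_intf="wan1"):
    """Run constructed attempts (src_ip, dst_port) arriving on the physical WAN interface."""
    policies = parse_local_in(config_text)
    return {(ip, port): evaluate(policies, ingress_intf, ip, port) for ip, port in attempts}


if __name__ == "__main__":
    samples = [("198.51.100.10", 500), ("203.0.113.3", 4500), ("192.0.2.77", 500)]
    for name, cfg in (("wan1-bound", WAN_CONFIG), ("tunnel-bound", TUNNEL_CONFIG)):
        print(name)
        for key, verdict in audit(cfg, samples).items():
            print(f"  {key[0]}:{key[1]} -> {verdict}")
```

With the `wan1`-bound rules the whitelisted sources hit policy 1 and the stray source hits the explicit deny in policy 2; with the same rules bound to `MyVPN`, every attempt falls through to the implicit deny in this model, which is the symptom worth checking for when a local-in policy appears to have no effect on tunnel setup.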