Infrarium
New Member
July 11, 2025
Question

Filter inbound IPSec VPN connections per tunnel

  • July 11, 2025
  • 2 replies
  • 1688 views

Hello everyone,

 

I'm curious if there is a way to filter inbound IPSec VPN connections by source address per tunnel on Fortigate. So far I saw that you can do it if you use IKE v2 and select the option "set remote-gw-match", but this only allows any, iprange, ipmask or country. There's no way I can use an Address Group for this? The reason is that I have people that connect to my Fortigate that have 2 (or more) different outbound public addresses that do not belong to the same IP block, so I can't wrap them in an IP range or ipmask without adding unwanted IP addresses.

 

Thank you in advance!

 

2 replies

AEK
SuperUser
July 14, 2025

Hi Infrarium

Local-in-policy should help. But it is global, not per tunnel :(

AEK
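To make the two options concrete, here is an added FortiOS CLI example (not posted in the thread, and not verified on a running unit; command names are as I recall them from FortiOS 7.x, so check them against your version's CLI reference). Interface, object and tunnel names and the public addresses are placeholders. Part 1 is the per-tunnel check the question already found, which only takes a contiguous range, a mask or a country. Part 2 is the address-group approach via local-in policy, which accepts two disjoint /32 sources and then explicitly denies everyone else for IKE; as AEK says, it is bound to the interface, so it applies to every tunnel terminating on wan1 rather than to one tunnel.

```fortios
# Added example, not from the thread. Names and addresses are placeholders.

# 1) Per-tunnel source check on an IKEv2 dial-up phase1: only one
#    contiguous range (or mask, or country) per tunnel.
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw-match iprange
        set remote-gw-start-ip 203.0.113.10
        set remote-gw-end-ip 203.0.113.20
        set psksecret "<replace-with-psk>"
    next
end

# 2) Disjoint sources with an address group and a local-in policy.
#    This is per interface: every tunnel on wan1 is subject to it.
config firewall address
    edit "peer-office-a"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "peer-office-b"
        set subnet 198.51.100.77 255.255.255.255
    next
end
config firewall addrgrp
    edit "grp-vpn-peers"
        set member "peer-office-a" "peer-office-b"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "grp-vpn-peers"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action accept
    next
    # Without this explicit deny, non-matching IKE traffic falls through to
    # the default local-in handling and is still accepted.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end

# Check: a peer outside the group should never show up in
#   diagnose vpn ike gateway list
# and "diagnose debug application ike -1" + "diagnose debug enable"
# should show no IKE_SA_INIT from it at all (dropped before IKE).
```

The predefined "IKE" service covers UDP 500 and 4500 (NAT-T); peers that do not use NAT-T also send ESP (IP protocol 50) once the tunnel is up, which this policy neither allows nor denies, so add a matching rule for the "ESP" service if you want the same source restriction there.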
Infrarium (Author)
New Member
July 14, 2025

I already use that, to filter the source address as much as possible. Unfortunately some people are allowed to connect from any IP address in my country, so that makes the scope of the local-in policy broader.

funkylicious
SuperUser
July 14, 2025

Just curious about the reasoning for restricting access to an IPsec tunnel even further.

You already have PSK + auth credentials, which the user is required to know in order to connect.

"jack of all trades, master of none"
AEK
SuperUser
July 14, 2025

Yuri published a nice SSL VPN hardening guide. The idea for you is to create a loopback in order to allow/deny remote sources with a firewall rule.

You can use it for IPsec as well, I believe it should work.

You can start here:

https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/#_move_vpn_ssl_listening_interface_to_a_loopback_interface

Let us know if it works.

AEK
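As an added illustration of the loopback idea in the linked guide applied to IPsec (this is not the guide's or the thread's own config, and, like AEK's suggestion, it is untested here; names and addresses are placeholders, and it assumes a spare public address 192.0.2.10 that is routed to the FortiGate): the tunnel is bound to a loopback, so the only way IKE and ESP can reach it from wan1 is through a normal firewall policy whose source can be any address group. The caveat that makes this per tunnel is that a firewall policy matches on destination address and port, not on the IKE peer ID, so each tunnel that needs its own source list must get its own loopback with its own address; two tunnels sharing one loopback address cannot be told apart by policy.

```fortios
# Added example following the loopback idea, not from the thread; unverified.
# One loopback per tunnel that needs its own source filter.
config system interface
    edit "lo-vpn-a"
        set vdom "root"
        set type loopback
        set ip 192.0.2.10 255.255.255.255
    next
end
config firewall address
    edit "lo-vpn-a-addr"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "office-a-site1"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "office-a-site2"
        set subnet 198.51.100.77 255.255.255.255
    next
end
config firewall addrgrp
    edit "grp-office-a-peers"
        set member "office-a-site1" "office-a-site2"
    next
end
# Terminate this tunnel on the loopback instead of wan1.
config vpn ipsec phase1-interface
    edit "dialup-office-a"
        set type dynamic
        set interface "lo-vpn-a"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set psksecret "<replace-with-psk>"
    next
end
# Only IKE/NAT-T and ESP from the allowed group may reach this loopback;
# everything else is dropped by the implicit deny at the end of the policy table.
config firewall policy
    edit 0
        set name "ike-to-lo-vpn-a"
        set srcintf "wan1"
        set dstintf "lo-vpn-a"
        set srcaddr "grp-office-a-peers"
        set dstaddr "lo-vpn-a-addr"
        set service "IKE" "ESP"
        set schedule "always"
        set action accept
    next
end
```

Point the clients of that group at 192.0.2.10; a second tunnel with a different allowed group gets its own loopback, address and policy, while tunnels that may be reached from any address in the country can stay on wan1 under the existing local-in policy. Verify with "diagnose vpn ike gateway list" that only sessions from the group appear on lo-vpn-a.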