Xavier_BS
New Member
November 11, 2024
Question

incoming IPSec VPN traffic only works with any source interface

  • November 11, 2024
  • 1 reply
  • 2008 views

This is driving me mad.

I have set up an IPSec VPN and want to limit it to a certain set of destinations.

As I have two WAN links up, I'm connected on one and playing with the VPN settings of the other.

I thought I understood how this works, but I'm now utterly baffled.

I'm connecting with the FortiClient. I have my static routes pushed through OK so I can route to the destination network I want.

Now when it comes to policies, I have set up a policy which has from the remote tunnel to the destination but this doesn't work.

If I change the policy so the source interface is "any", it works.

If I then change the policy so the source interface is the Remote Access WAN interface that's set up, it doesn't work, traffic gets dropped and is picked up by the default deny policy at the bottom.

When I have the policy configured so that the source interface is "any" and it works, if I look at the policy logs, I can see the source interface is my RA WAN.

So why doesn't it work when I set it to that interface? Furthermore, if I manually select ALL the interfaces that are up, it still doesn't work! It only lets traffic through when the source is "any".

I'm completely stumped!

1 reply

Toshi_Esumi
SuperUser
November 11, 2024

What do you exactly mean by "Remote Access WAN Interface"? You're supposed to be using the tunnel interface name like below "Dup2IPsec" as the policy's source interface.
[image: tunintf.png]

Toshi

Xavier_BS
Author
New Member
November 11, 2024

Yes, I mean the tunnel interface. By default, when using the wizard, it calls them RA_xxx so I just labelled them like that:

[image: wan-ra.png]

If I have a policy with "all" as the source interface, it works:

[image: wan-ra-ok-all.png]

But as soon as I change the source interface to be the tunnel one, it no longer hits that policy and falls into the default deny.

[image: wan-ra-nok-tunnel.png]

and I can't understand why.

Toshi_Esumi
SuperUser
November 11, 2024

You're using dialup/remote access VPN, right? In that case all user connections to at least the same interface, like the WAN1 IP, are just one tunnel interface regardless of how many users connect.

If you want to have a different set of dialup/remote access VPNs for different user groups on the same WAN1, you have to set it up properly to differentiate the two user groups' users so they connect to the intended one. You may not be able to use the wizard to configure them.
Only in that case can you have a separate policy for each tunnel interface, but you need to have two policies.

Toshi
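As an added illustration of the point made in the replies (not configuration from either poster), this is what a FortiOS firewall policy looks like when its source interface is the dialup phase1 tunnel interface ("Dup2IPsec", the name used in the reply) rather than the WAN port, followed by the debug-flow commands used to confirm which policy a client's packet actually matches. The address objects "RA_pool" and "Srv_Net", the LAN port "port2" and the client address 10.212.134.200 are assumed values; lines starting with # are explanatory.

```fortios
# Allow dialup VPN users to reach one destination subnet only.
# srcintf must be the tunnel (phase1) interface name, not the WAN
# interface the clients dial in to.
config firewall policy
    edit 0
        set name "RA-to-servers"
        set srcintf "Dup2IPsec"
        set dstintf "port2"
        set srcaddr "RA_pool"
        set dstaddr "Srv_Net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end

# Check which policy a packet from a connected client hits.
# The "policy id" shown in the trace tells you whether it matched
# the rule above or fell through to the implicit deny (id 0).
diagnose debug flow filter saddr 10.212.134.200
diagnose debug flow trace start 10
diagnose debug enable
# ... send traffic from the client to Srv_Net, then stop tracing:
diagnose debug disable
diagnose debug reset
```

If the trace shows the packet arriving on an interface other than the tunnel name used in srcintf, the policy's source interface is the wrong object, which is exactly the symptom of the original post.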