nikolaj
March 24, 2017
Question

inside host VPN connection


Hello, 

I would like to know how to configure the policy which permits an internal host to establish a client-to-site VPN towards a remote VPN terminator.

In particular I would like to know how to fill the source, destination, service and action fields.

thank you.

--

Nicola Venosta

    1 reply

    ede_pfau
    SuperUser
    March 24, 2017

    Strange but interesting.

    Assuming you mean "IPsec VPN":

    source IF: internal

    source addr: the PC's IP address

    dest IF: wan

    dest addr: the public IP address of the remote VPN gateway

    service: at least 500/udp and 4500/udp (plus PING as always).

    action: ACCEPT

    NAT: yes (to interface address)

     

    I think you are thinking about the private addresses behind the remote VPN tunnel end. They are not controlled by the policy. That's why using a VPN tunnel is such a great evasion technique.

    Of course, you will see the remote addresses on the LAN segment where they appear to be 'alien'. But the PC which initiated the VPN tunnel knows how to handle these - by using an ad-hoc route to the remote subnet. All other hosts on the LAN cannot communicate with the remote subnet - destination unknown, so traffic to these addresses will be routed out the WAN interface of the FGT.

     

    I hope this helps with the concept.
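The policy described in the reply above, written out as FortiOS CLI. This is an added example and is not part of the original post or of the answer; the interface names `internal` and `wan1`, the PC address 192.168.1.50 and the remote gateway address 203.0.113.10 are placeholder assumptions and have to be replaced with the real ones. The address objects are /32 on purpose so that only the one PC can open the tunnel, and the custom service restricts the policy to IKE (500/udp) and NAT-T (4500/udp), which is all an IPsec client needs to reach the remote gateway through a NATed WAN.

```text
# Added example (not from the original thread): FortiOS CLI for a
# client-to-site IPsec egress policy. Interface names and IPs are assumed.

# Source: the single internal PC that is allowed to build the tunnel.
config firewall address
    edit "pc-vpn-client"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# Destination: the public address of the remote VPN gateway (assumed).
config firewall address
    edit "remote-vpn-gw"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Service: IKE (500/udp) and NAT-T (4500/udp); ESP is not needed once
# the client falls back to UDP encapsulation behind source NAT.
config firewall service custom
    edit "IPSEC-IKE-NATT"
        set udp-portrange 500 4500
    next
end

# The policy itself: internal -> wan, this PC -> this gateway only,
# IKE/NAT-T plus PING, accepted, source-NATed to the WAN interface address.
config firewall policy
    edit 0
        set name "pc-ipsec-client-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "pc-vpn-client"
        set dstaddr "remote-vpn-gw"
        set action accept
        set schedule "always"
        set service "IPSEC-IKE-NATT" "PING"
        set nat enable
        set logtraffic all
    next
end
```

Two practical checks after applying it: `diagnose sniffer packet wan1 'host 203.0.113.10 and udp port 4500'` should show the encapsulated traffic leaving with the WAN interface address as source once the tunnel is up, and the policy log should show only sessions from the one PC. Note that, exactly as the reply says, the FortiGate sees only the outer UDP/4500 flow; whatever the PC exchanges with the remote private subnets inside the tunnel is not visible to, and not controllable by, this policy.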