Andre_Backs
New Member
June 9, 2016
Question

IPSec as responder only?

Hello my learned friends,

I have a question: is it possible on a Fortigate 200D to set up an IPSec tunnel as a responder only?

As an initiator it seems to go about trying to make a connection so aggressively that it sometimes overwhelms the responding site.

Your answers are, as always, highly valued.


André

    1 reply

    emnoc
    New Member
    June 9, 2016

    You can set it as a dialup (no defined peer). That will get you a responder function.


    Ken


    Andre_Backs
    New Member
    June 10, 2016

    > You can set it as a dialup (no defined peer). That will get you a responder function.


    Oew, that was scary

    I created a single P1 with no P2's and for a moment it seemed that my internet went down as well as most of the IPsec tunnels.

    Better not tinker with that in production hours


    But that raised another question:

    In an IKEv1 tunnel you can enter an accepted peer-id, but this option disappears when you select IKEv2.

    So, how do you make sure that only the peer IP address can connect to this tunnel (other than imposing a firewall rule and using a unique pre-shared key)?


    emnoc
    New Member
    June 10, 2016

    1st, setting up a phase1-interface should not cause any issues.


    2nd, in your example you're at no more risk than if you had a non-peer-id acceptance. Think about it: if you set a phase1-interface to a static VPN peer, they would need to know the PSK.


    Same if it was a peer-id acceptance: they still have a PSK+peer-id (FQDN, IPv4 address, etc.).
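As an added illustration of Ken's dialup suggestion and of the firewall-rule plus unique-PSK restriction André mentions for IKEv2, here is example FortiOS CLI (not from the thread or from Fortinet's docs; the tunnel names, "wan1", the 203.0.113.10 peer address, the placeholder PSK and the local-in-policy are assumptions, written from memory of FortiOS 5.x syntax, and lines starting with # are comments):

```fortios
# Added example, not from the thread. Initiator-style phase1: remote-gw set, so the box dials out.
config vpn ipsec phase1-interface
    edit "to-branch-static"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-UNIQUE-PSK"
    next
end
# Responder-only phase1: dialup (type dynamic) has no remote-gw, so the unit never initiates.
config vpn ipsec phase1-interface
    edit "to-branch-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-UNIQUE-PSK"
    next
end
# With no accepted peer-id field for IKEv2, limit who can reach IKE on wan1 with a local-in policy.
config firewall address
    edit "branch-peer"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "branch-peer"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
```

The deny entry drops IKE from every other source on wan1, so add an accept entry for each remaining peer (and test outside production hours, as André found) before applying it.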