crh1
New Member
June 6, 2018
Question

IPSEC Policy base rules


I have successfully set up an IPsec tunnel using policy-based mode, as the other end doesn't support interface mode. I have created a simple rule:

config firewall policy
    edit 8
        set name "IPSEC to H2"
        set uuid c5b4e622-67a8-51e8-f7ef-f1a2eec092f6
        set srcintf "v31"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "h2"
    next
end

Is there a way to block certain incoming traffic from the IPsec tunnel? If I try to make a rule on wan1 to v31, it does not seem to block.

config firewall policy
    edit 10
        set name "Block Nas3"
        set uuid ae7c2586-6831-51e8-e4d9-5440e79dcb5d
        set srcintf "wan1"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]" "Comcast H2"
        set dstaddr "192.168.31.10 [Nas3]"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Trying to block a NAS file server from the remote site. There doesn't seem to be a way to do this with the tunnel in policy mode. I do not see a way to set a policy that says "from remote site to local: block". Interface mode would be easy, but my other side does not support interface mode.


    Toshi_Esumi
    SuperUser
    June 6, 2018

    I'm not sure why the additional, more specific blocking policy doesn't work as long as it's placed above/before the allowing policy. But interface mode/policy mode is only locally significant. You should be able to connect interface mode IPsec configured on the local side to a remote side that has policy mode IPsec configured.

    ericli_FTNT
    Staff
    June 6, 2018

    The policy number "8" doesn't mean it's checked before "10".

    To ensure the sequence of the policies, you can change the order in the GUI or execute the command "move 10 before 8" on the CLI.
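To make the ordering point concrete, here is an added first-match simulator over the two policies posted above; it is illustrative code written for this thread, not FortiOS code or anything from the forum. It assumes the address-object masks, uses a constructed placeholder for "Comcast H2", and models an ipsec policy with "inbound enable" as also matching the decrypted return direction (interfaces and addresses swapped); that last point is a simplification, so confirm real behaviour with the session list or debug flow.

```python
import ipaddress
import shlex
# Address objects are assumed (the thread names them but shows no masks); "Comcast H2" is a constructed placeholder.
ADDRS = {"all": "0.0.0.0/0", "192.168.0.0 [DMZ_H2]": "192.168.0.0/24",
         "192.168.1.0 [INTERNAL_H2]": "192.168.1.0/24", "Comcast H2": "203.0.113.5/32",
         "192.168.31.10 [Nas3]": "192.168.31.10/32"}
# Constructed copy of the two 'edit' blocks posted in the thread, cosmetic lines dropped.
CONFIG = """edit 8
        set srcintf "v31"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set action ipsec
        set inbound enable
    next
    edit 10
        set srcintf "wan1"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]" "Comcast H2"
        set dstaddr "192.168.31.10 [Nas3]"
    next"""

def parse_policies(text):
    """Parse 'edit N' / 'set key values...' lines; a policy with no 'set action' is deny."""
    policies, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)          # quote-aware: keeps "192.168.0.0 [DMZ_H2]" as one token
        if tok and tok[0] == "edit":
            cur = policies.setdefault(int(tok[1]), {"action": ["deny"]})
        elif tok and tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]
    return policies

def _in(names, ip):
    return any(ip in ipaddress.ip_network(ADDRS[n]) for n in names)

def matches(p, sif, dif, src, dst):
    fwd = sif in p["srcintf"] and dif in p["dstintf"] and _in(p["srcaddr"], src) and _in(p["dstaddr"], dst)
    # Modeled assumption: an ipsec policy with 'inbound enable' also matches the decrypted return direction.
    rev = (p["action"] == ["ipsec"] and p.get("inbound") == ["enable"] and sif in p["dstintf"]
           and dif in p["srcintf"] and _in(p["dstaddr"], src) and _in(p["srcaddr"], dst))
    return fwd or rev

def first_match(policies, order, sif, dif, src, dst):
    # 'order' is the GUI sequence (top to bottom), not the policy id; first match wins.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pid in order:
        if matches(policies[pid], sif, dif, src, dst):
            return pid, policies[pid]["action"][0]
    return None, "deny"  # implicit deny at the end of the list
```

With sequence [8, 10], traffic from 192.168.0.20 (DMZ_H2) to the NAS is matched by the ipsec policy 8 first; with [10, 8] the same flow hits the deny policy 10, while other v31 hosts still reach policy 8.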

    crh1 (Author)
    New Member
    June 6, 2018

    Hmm, my deny policy is above my accept policy. Here is a screenshot from the GUI:

    (I opened it in By Sequence view just in case.)

    I think my issue is the return rules; should those be set? I have no option to say IPsec and deny. My best guess was to say it was incoming from my WAN and leaving my v31 interface. Then I specified the source IPs (I threw in the remote public IP just in case), but still no luck.

    As for interface mode, how would that be configured? Normally when I've seen interface mode the phase 2 is set to 0.0.0.0 - 0.0.0.0, whereas right now in policy mode I have 2 configured, one as 192.168.31.0/24 - 192.168.1.0/24 and one as 192.168.31.0/24 - 192.168.0.0/24. Same on the remote side.

    ericli_FTNT
    Staff
    June 6, 2018

    Okay, if you want to identify which policy allows the unwanted traffic to pass, you can check the session info or the debug flow.

    Try:

    # clear any previous session filter, then match sessions to the NAS leaving via v31
    diag sys session filter clear
    diag sys session filter dst 192.168.31.10
    diag sys session filter dintf v31
    # the policy_id field shows which policy accepted each session
    diag sys session list | grep policy_id

    or:

    # trace the policy lookup for the next 3 packets destined to the NAS
    diag debug en
    diag debug flow filter daddr 192.168.31.10
    diag debug flow trace start 3