ahmadking22
Explorer II
December 7, 2024
Solved

restrict IPSec VPN access from certain countries

  • December 7, 2024
  • 2 replies
  • 3833 views

Hello,

I need to restrict IPsec VPN.

I need it to accept connections only from the UAE; if anyone tries to connect from outside the UAE, he cannot.

Thanks

Best answer by dingjerry_FTNT

1) In FGT GUI, create one address object as below:

[screenshot of the address object, not reproduced here]

2) There is one pre-defined service object called "IKE";

3) Configure two local-in policies as below:

config firewall local-in-policy
    edit 1
        # The interface bound to your IPSec VPN
        set intf "internal"
        set srcaddr "UAE"
        # This can be your IPSec VPN local gateway IP (the IP assigned to the interface bound to your IPSec VPN)
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        # The same interface bound to your IPSec VPN
        set intf "internal"
        set srcaddr "all"
        # This could be your IPSec VPN local gateway IP
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end

NOTE: For policy 2, the action is Deny.

 

2 replies

dingjerry_FTNT
Staff
December 7, 2024

Hi @ahmadking22,

You may use the Local-in policy to restrict access to the IPsec VPN ports 500 & 4500 to the UAE country as the source only.

You have to configure the Local-in policy via the CLI.

ahmadking22
Explorer II
December 7, 2024

Please can you tell me exactly what I need to do for this?


Jatin_Purohit
New Member
December 7, 2024

This is very much feasible via a local-in policy through the CLI on FG, or through the GUI via FMG. We can create a geo-location address group for the source address, so in future, if you need to allow an additional country, you just need to include it in the group.
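As an added example (not from any of the replies above), this is the CLI equivalent of the address object in step 1 of the accepted answer, combined with the geo-location address group suggested in the last reply; the group name "VPN-Allowed-Countries" and the interface name "internal" are assumptions.

```fortios
# Step 1 from the CLI: a geography address for the UAE (ISO code AE).
config firewall address
    edit "UAE"
        set type geography
        set country "AE"
    next
end

# Put the country address in a group so further countries can be
# allowed later without touching the local-in policies (group name assumed).
config firewall addrgrp
    edit "VPN-Allowed-Countries"
        set member "UAE"
    next
end

# Local-in policies: accept IKE (UDP 500/4500) from the group first,
# then deny IKE from every other source on the same interface.
# Policies are matched in order, so the accept must come before the deny.
config firewall local-in-policy
    edit 1
        set intf "internal"
        set srcaddr "VPN-Allowed-Countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end
```

To allow another country later, create its geography address and list it together with "UAE" in `set member`. If a legitimate user is unexpectedly blocked, `diagnose firewall ipgeo ip2country <ip>` shows which country the FortiGate maps that source IP to.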