Created on 04-10-2023 10:07 PM Edited on 12-26-2024 11:29 PM By Anthony_E
Description
This article describes how to allow IPsec VPN ports 500 and 4500 and the ESP protocol access to specific IP addresses only.

Scope
FortiGate.

Solution
For instance: a site-to-site IPsec VPN with the remote peer 10.10.10.1, where IKE port 500, NAT-T port 4500, and the ESP protocol are currently open to all IPs on the Internet. Access will be limited to 10.10.10.1 only.
The port group can be configured from the physical interface under the Network --> Interfaces section:
config firewall address
    edit "RemotePeer1"
        set comment "Remote peer for VPN"
        set subnet 10.10.10.1 255.255.255.255
    next
end

config firewall local-in-policy
    edit 1
        set intf "LAN(port1)"
        set srcaddr "RemotePeer1"
        set dstaddr "all"
        set action accept                 <----- Allow IKE and ESP from the remote peer only.
        set service "IKE" "ESP"           <----- 'IKE' (includes ports 500 and 4500).
        set schedule "always"
    next
    edit 2
        set intf "LAN(port1)"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"           <----- No 'set action' line: the default action is deny, so every other source is blocked.
        set schedule "always"
    next
end
The FortiGate will only answer this remote peer 10.10.10.1 on UDP port 500 for IKE, UDP port 4500 for NAT traversal, and the ESP protocol for the phase 2 tunnel.
Note: Local-in policy is the policy guarding/protecting the FortiGate, i.e., it filters/restricts access when the destination is one of the FortiGate interfaces and its IPs.
Starting from FortiOS v7.6.0 the local-in policy is visible in the GUI by default and can be configured and edited there; see Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI. In older versions, go to System → Feature Visibility → Local-in Policy to make it visible.
Additionally, in those older versions the GUI displays only the default rules, created automatically by the FortiGate when the corresponding services are enabled. The GUI will not show any rules configured on the CLI, which may mislead by suggesting that CLI-configured rules do not work. It is recommended to work on the CLI from the beginning.
There are separate IPv4 and IPv6 local-in policies. The default action in a rule is deny, so when no action is visible in the show output, the action is deny.
Virtual IPs (VIPs) override Local-in policies.
By default, Local-in policy hits are not logged; set Log Settings → Log All for denied packets to be logged. The logs are in the Local Traffic section.
It is possible to use Workspace Mode to prevent mistakenly locking yourself out when changing the Local-in policy.
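To sanity-check a local-in policy before committing it, the following added example (not from the article or from Fortinet) parses a FortiOS-style config dump and simulates first-match evaluation; it assumes, as the note above states, that a rule without 'set action' denies, and that a packet matching no local-in policy is accepted by the FortiGate. The sample config is constructed to mirror the article's two rules, and dropping the catch-all rule shows why it is needed.

```python
import ipaddress, re

# Constructed sample in FortiOS CLI form (not captured from a real FortiGate):
# rule 1 accepts IKE/ESP from the peer, rule 2 is the catch-all deny.
SAMPLE_CONFIG = """config firewall address
    edit "RemotePeer1"
        set subnet 10.10.10.1 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set srcaddr "RemotePeer1"
        set action accept
        set service "IKE" "ESP"
    next
    edit 2
        set srcaddr "all"
        set service "IKE" "ESP"
    next
end
"""

def parse(text):
    """Return ({address name: network}, [policy dicts]) from a config dump."""
    addresses, policies, section, entry = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            entry = {"name": line[5:].strip('"')}
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            entry[key] = re.findall(r'"([^"]*)"', val) or [val]   # quoted list or bare value
        elif line == "next":
            if section == "firewall address":
                ip, mask = entry["subnet"][0].split()
                addresses[entry["name"]] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            else:
                policies.append(entry)
    return addresses, policies

def evaluate(addresses, policies, src_ip, service):
    """First-match evaluation: a rule with no 'set action' denies (assumed from
    the article's note); if no rule matches, the FortiGate accepts (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    for pol in policies:
        if service not in pol.get("service", []):
            continue
        src = pol["srcaddr"][0]
        if src == "all" or ip in addresses[src]:
            return pol.get("action", ["deny"])[0]
    return "accept"
```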
Copyright 2025 Fortinet, Inc. All Rights Reserved.