FortiGate
rvillaroman
Staff
Article Id 281185
Description

This article describes how to block unauthorized connections to IPsec VPN.

 

In some cases, unauthorized IPsec VPN connection attempts are made against the FortiGate.

By default, the firewall blocks all of them, but the resulting flood of phase1 negotiation errors in the VPN event logs is a nuisance: the noise makes it hard to spot negotiation errors that belong to a legitimate VPN connection.

 

In this example the unauthorized remote IP is 192.168.88.152.

 

Scope

FortiGate.
Solution
One option is to create a local-in policy that blocks IKE from a list of unauthorized IPs. However, creating an address object for each offending IP is tedious, especially when attempts arrive from many different IPs.

 


 

If only a specific list of IPs should be able to connect to the IPsec VPN (in this case an IPsec site-to-site VPN with a static remote gateway), a local-in policy can allow only the remote gateway IP and deny all other IKE packets.

 

  1. Create an address object and address group for the allowed IPsec remote gateway.

 


 

  2. If there are multiple IPsec VPN connections, create an address object for each remote gateway IP and add it to the address group.

 


 

  3. Create a service for IKE for UDP ports 500 and 4500.

 


 

  4. Apply the IKE service and the newly created address group to a local-in policy.


 

The output after creating the local-in policy that allows only authorized remote gateways: the unauthorized IP can no longer negotiate and no longer appears in the VPN event logs.

 


 

Note:

This is not applicable to dial-up IPsec VPN peers, as their IP might change and then be blocked by the local-in policy.

 

Allowing specific IPs to keep access while blocking all other IPs.

A local-in policy, unlike an IPv4 policy, has no implicit deny rule by default. To let only certain IPs reach IKE on port 500, there are two options. Either enable 'addr-negate' on the policy (a NOT condition is applied to the address, so the policy matches every source except the allowed group) and set the action to 'deny'. Or create an explicit deny-all rule and place an 'allow' rule for the permitted addresses above it to achieve the same limited accessibility.
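The steps above expressed as a FortiOS CLI configuration, added here as an example and not taken from the article. It assumes the external interface is named wan1, uses the documentation addresses 203.0.113.10 and 198.51.100.20 as the two allowed remote gateways, and names the custom service IKE-custom so it does not clash with the built-in IKE service object. Lines beginning with # are annotations, not CLI input. The explicit allow-above-deny method from the note above is shown; to use the negate method instead, remove policy 2, set the action of policy 1 to deny and enable the source-address negate option (the exact attribute name depends on the FortiOS version).

```text
# Step 1 and 2: one address object per allowed remote gateway (host entries)
config firewall address
    edit "IPsec-Peer-HQ"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "IPsec-Peer-Branch"
        set subnet 198.51.100.20 255.255.255.255
    next
end

# Step 2: group the allowed gateways so the policy needs only one object
config firewall addrgrp
    edit "IPsec-Allowed-Peers"
        set member "IPsec-Peer-HQ" "IPsec-Peer-Branch"
    next
end

# Step 3: IKE and NAT-T ports (UDP 500 and 4500)
config firewall service custom
    edit "IKE-custom"
        set udp-portrange 500 4500
    next
end

# Step 4: local-in policies, evaluated top to bottom.
# Policy 1 accepts IKE only from the allowed peers; policy 2 denies IKE from everyone else.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "IPsec-Allowed-Peers"
        set dstaddr "all"
        set action accept
        set service "IKE-custom"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE-custom"
        set schedule "always"
    next
end
```

Adding a new site-to-site peer later only requires a new address object and adding it to the IPsec-Allowed-Peers group; the local-in policies stay unchanged. Because policy 2 drops IKE from every other source, dial-up peers with changing addresses would also be blocked, which is the limitation described in the note above.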

 
