Fortinet Forum
paradoxum
New Contributor

Allow inbound IPSec connections only from specific Public IPs

Hi,

I'm working with a FGT300C running v5.0,build0305 (GA Patch 10). I'm trying to restrict access to one of the IPSec dialup VPNs on the box to specific source IPs. I have created an Address Group with the source IPs, associated with the VPN interface. I then enabled and created local-in policies allowing traffic to the VPN interface from the Address Group and denying all others. My VPN works fine, but the local-in policy doesn't appear to be working - I can connect to the VPN from any Public IP. Any idea why?

Thanks,

Mike

config firewall local-in-policy
    edit 1
        set intf "MyVPN"
        set srcaddr "MyVPN_PubIP_Group"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "MyVPN"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
rwpatterson
Valued Contributor III

I believe the local in policies are to hit the Fortigate itself, not traffic passing through it. You just need to set those IP addresses in the group as the source addresses for the IPSec tunnel.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

paradoxum

If you mean specifying the source IP group under the IPv4 policy as the source address, I've tried that. Although it stops access to the destination subnets, it still allows any public IP to connect to the VPN; it just doesn't route the traffic. I'm looking for a way to reject connections to this particular VPN from any address other than what's whitelisted in the source group.

tanr
Valued Contributor II

What is the interface (intf) you're specifying as your VPN interface?

I believe it needs to be the actual physical interface your VPN interface is on, not the VPN interface object itself.

If that works then you'll want to make the accept and deny rules more specific with dstaddr and just the IPSec initialisation services (IKE and NAT-T I think?).

If that doesn't work, I can go and re-check my own config for this. Hopefully it is still working!

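To illustrate tanr's suggestion concretely, here is an added example of what the two local-in entries look like when bound to the physical interface and narrowed by destination address and service. This is not config from the thread or from Fortinet; the interface name wan1, the address object FGT_Public_IP, its sample IP, and the two custom service names are assumptions, while the address group name is taken from Mike's config. Lines starting with # are comments for a CLI script.

```fortios
# Added example, not from the thread. Assumes the dialup VPN terminates on
# the public IP of interface "wan1", represented by address object "FGT_Public_IP".
config firewall address
    edit "FGT_Public_IP"
        set subnet 203.0.113.10 255.255.255.255   # constructed sample value
    next
end

# A dialup peer only needs IKE (UDP 500) and NAT-T (UDP 4500) to reach the
# FortiGate itself; the custom service names below are assumptions.
config firewall service custom
    edit "IKE-500"
        set udp-portrange 500
    next
    edit "NATT-4500"
        set udp-portrange 4500
    next
end

# Local-in policies are matched top-down; the first match wins, so the
# whitelist accept must sit above the catch-all deny.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MyVPN_PubIP_Group"
        set dstaddr "FGT_Public_IP"
        set action accept
        set service "IKE-500" "NATT-4500"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "FGT_Public_IP"
        set action deny
        set service "IKE-500" "NATT-4500"
        set schedule "always"
    next
end
```

To check that the deny entry is actually taking effect, watch IKE arrive on the physical interface with `diagnose sniffer packet wan1 'udp and (port 500 or port 4500)' 4` while a client outside the group attempts to connect; the packets should be seen on the wire but no phase 1 should come up. Because both entries key on the destination IP and the IKE ports, every dialup VPN that terminates on that same public IP is restricted together, so this approach only isolates a single VPN when each VPN has its own public IP.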
paradoxum
New Contributor

tanr wrote:

What is the interface (intf) you're specifying as your VPN interface?

I believe it needs to be the actual physical interface your VPN interface is on, not the VPN interface object itself.

If that works then you'll want to make the accept and deny rules more specific with dstaddr and just the IPSec initialisation services (IKE and NAT-T I think?).

If that doesn't work, I can go and re-check my own config for this. Hopefully it is still working!

I am using the VPN interface as intf as per the config. The trouble with using the physical interface is that it will affect all my other VPNs that exist on that interface, some of which need to be accessible from all public IPs. There has to be a more granular way to address this. If you have a working config for this, please do share.

tanr
Valued Contributor II

Do all your other VPNs on that interface have distinct IPs? If so, you could still specify the physical interface as the intf and separate out the VPNs by dstaddr.

Other than that I don't really have other suggestions. The way local-in-policy precedes and precludes standard firewall policies like this is still something I get tripped up on, coming from devices where all these policies were in one place.

paradoxum
New Contributor

tanr wrote:

Do all your other VPNs on that interface have distinct IPs? If so, you could still specify the physical interface as the intf and separate out the VPNs by dstaddr.

Other than that I don't really have other suggestions. The way local-in-policy precedes and precludes standard firewall policies like this is still something I get tripped up on, coming from devices where all these policies were in one place.

No, the other VPNs share the same public IP. Looks like I might have to open a case with support to solve this one, unless a moderator chimes in. Thanks!

tanr
Valued Contributor II

Hope you find a good way to do this. Please post what you find out.

paradoxum

I ended up using SSL VPN, which works with a source IP Group. It also allows for the use of a CLI-based Linux client, which turned out to be a requirement.