Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Andre_Backs
New Contributor

IPSec as responder only?

Hello my learned friends,

I have a question: is it possible on a Fortigate 200D to set up an IPSec tunnel as a responder only?

As an initiator it seems to go about trying to make a connection so aggressively that it sometimes overwhelms the responding site.


Your answers are, as always, highly valued.


André

ABB@ProBiblio Fortigate 200D (slave master)
emnoc
Esteemed Contributor III

You can set it as a dialup (no defined peer). That will get you a responder function.


Ken


PCNSE 

NSE 

StrongSwan  
Andre_Backs

> You can set it as a dialup (no defined peer). That will get you a responder function.


Oew, that was scary.

I created a single P1 with no P2s, and for a moment it seemed that my internet went down, as well as most of the IPsec tunnels.

Better not tinker with that in production hours.


But that raised another question:

In an IKEv1 tunnel you can enter an accepted peer ID, but this option disappears when you select IKEv2.

So, how do you make sure that only the peer IP address can connect to this tunnel (other than imposing a firewall rule and using a unique pre-shared key)?


ABB@ProBiblio Fortigate 200D (slave master)
emnoc
Esteemed Contributor III

1st, setting up a phase1-interface should not cause any issues.

2nd, in your example you're at no more risk than if you had no peer-id acceptance. Think about it: if you set a phase1-interface to a static VPN peer, they would need to know the PSK.


Same if it was peer-id acceptance: they would still need both the PSK and the peer-id (FQDN, IPv4 address, etc.).

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
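The configuration below is an added example and is not part of this thread or of Fortinet's documentation. It puts Ken's "dialup, no defined peer" answer into FortiOS CLI form (a `type dynamic` phase1-interface never initiates, it only answers) and pairs it with the firewall-side control André mentions: a local-in policy so that only the expected peer address can reach IKE on the WAN interface at all. The interface name `wan1`, the tunnel and address object names, the subnets, the peer address 203.0.113.10 and the PSK are constructed placeholders. The `#` lines are annotations for the reader; strip them before pasting if your CLI rejects them.

```fortios
# Added example (not from the thread): responder-only IPsec on a FortiGate.
# All names, addresses and the PSK are constructed placeholders.

# 1. Responder-only phase 1: "dynamic" (dialup) means no remote-gw, so this
#    FortiGate never starts IKE; it only answers peers that present the PSK.
config vpn ipsec phase1-interface
    edit "partner-responder"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end

# 2. Phase 2 selectors bound to that phase 1 (constructed subnets).
config vpn ipsec phase2-interface
    edit "partner-responder-p2"
        set phase1name "partner-responder"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end

# 3. Limit who may even talk IKE (predefined service "IKE": UDP 500/4500)
#    to the FortiGate itself on wan1. Local-in policies match top-down and
#    unmatched traffic to the box is accepted, so the trailing deny matters.
#    Caveat: the deny also blocks IKE from every OTHER peer on wan1, so each
#    legitimate IPsec peer on that interface must appear in an accept entry.
config firewall address
    edit "partner-hq-public"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "partner-hq-public"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
```

Two points on the design. First, as Ken says, the PSK is the real gate in both the dialup and the static-peer case; the local-in policy does not replace it, it only keeps unknown sources from consuming IKE processing on the box. Second, the GUI hiding the peer ID field for IKEv2 does not necessarily mean the check is gone: on some FortiOS releases `set peertype peer` with `set peerid` is still accepted in the CLI for IKEv2 (an assumption here, to be verified against the firmware on the 200D), and an IKEv2 peer ID match adds a second value the remote side must present alongside the PSK.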
Labels
Top Kudoed Authors