Fortinet Forum
Tutek
New Contributor

Native vpn restrict source IP

Hi,

I need to configure remote native VPN access using L2TP/IPsec for a customer. Is there any way to restrict this connection to the customer's public IP address only? How do I do this?

jintrah_FTNT
Staff

Hi,


Yes, you can create a local-in policy to allow the L2TP service from the customer's public IP. Please see Technical Note: Filter ingress traffic going to th... - Fortinet Community


Best regards,

Jin

seshuganesh
Staff

Hi Team,


L2TP uses port 1701 and PPTP uses port 1723 for the connection.

You can create service objects for both ports and create two local-in policies in the firewall:

1. The first policy, on top, allows the traffic for the specific user machine.

2. The second policy blocks L2TP for the rest of the machines.

You can use this article for the reference:

https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/363127/local-in-policies

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/245620/firewall-local-in-policy

Please test and keep us posted
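The two-policy layout described above, written out as FortiOS CLI. This is an added example and not configuration posted in the thread. Everything named in it is an assumption: the WAN interface "wan1", the customer address 203.0.113.10, the address object and service names, and the second address "s2s-peer-branch", which stands in for the other IPsec tunnels mentioned later in the thread and is included so that a deny rule for IKE from "all" does not also cut off those peers. The addresses are RFC 5737 documentation space, so substitute the real ones. Ports match the thread: IKE on UDP 500 and NAT-T on UDP 4500 for the IPsec part, and UDP 1701 for L2TP inside the tunnel. If your firmware already has a predefined IKE service object you can reference it instead of the custom one.

```fortios
# Added example, not from the original post. All names and IPs are assumptions.
config firewall address
    edit "customer-l2tp-peer"
        # the customer's public IP, the only source allowed to start L2TP/IPsec
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "s2s-peer-branch"
        # an existing site-to-site IPsec peer that must keep working (assumed)
        set subnet 198.51.100.20 255.255.255.255
    next
end

config firewall addrgrp
    edit "ike-allowed-peers"
        set member "customer-l2tp-peer" "s2s-peer-branch"
    next
end

config firewall service custom
    edit "IKE-UDP"
        # IKE and NAT-T, the first packets of any IPsec negotiation
        set udp-portrange 500 4500
    next
    edit "L2TP-UDP"
        # L2TP control/data; normally only seen inside the IPsec tunnel
        set udp-portrange 1701
    next
end

config firewall local-in-policy
    # policies are evaluated top to bottom, first match wins:
    # 1 = accept from the allowed peers, 2 = deny from everyone else
    edit 1
        set intf "wan1"
        set srcaddr "ike-allowed-peers"
        set dstaddr "all"
        set service "IKE-UDP" "L2TP-UDP"
        set schedule "always"
        set action accept
        set comments "L2TP/IPsec and IKE only from known peers"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE-UDP" "L2TP-UDP"
        set schedule "always"
        set action deny
        set comments "drop IKE/L2TP from all other sources"
    next
end
```

Before enabling the deny rule, list every remote IPsec peer that terminates on that interface and add it to the address group, otherwise their tunnels stop renegotiating. After applying, confirm the order with `show firewall local-in-policy` and watch the result from an unlisted source with `diagnose sniffer packet wan1 'udp port 500 or udp port 4500' 4`: the packets should arrive and receive no reply.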

Tutek
New Contributor

But if I go to the Local In Policy menu, I already have two entries configured here for UDP ports 500 and 4500 from any source, so does this mean that any manually created local-in policy in the CLI will have higher privileges than those built-in ones?

seshuganesh

@Tutek Initial traffic will go to 1723 or 1701; you configure the local-in policy manually in the CLI.

Your requirement to block the connection from all IPs and accept the connection from only one IP should be achieved.

sw2090
Honored Contributor

UDP 500 is IPsec and 4500 is NAT-Traversal. Not sure if restricting these would be enough.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Tutek
New Contributor

But these are the first ports in IPsec communication, so blocking them is crucial.

My question is rather whether, if I manually configure a local-in policy with "set service ike", this setting will have higher permissions than the settings (UDP 500, 4500) that are already there, because I have already configured other IPsec tunnels on the router.