Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jd653687
New Contributor III

Disable to Connect to VPN from local LAN IPSec L2TP

We have the following: we created a IPSec L2TP VPN and on de client computers we created a scheduled task so when the work from home they automatic get this VPN Connection.

But when they work in the office this VPN is not nessesary but in some cases it is created anyway,

I tried the following: Technical Note: Restricting IPs to connect to a VP... - Fortinet Community

This seems to work for one customer but another customer who is using SDWan it doesn't work. Tried to add Wan1 an Wan2 as interface but some of the clients still creates the VPN connection when they are in the office

Running fortiOS:v6.2.15 build1378 (GA)

Question is what is the best way to block VPN connections from the internal network to the Fortigate?

1 Solution
jd653687
New Contributor III

Created de following:

config firewall local-in-policy

  edit 1

     set intf "port1"

     set scraddr "DHCP-Range"

     set dstaddr "all"

     set service "IKE" ËSP" "L2TP"

     set schedule "always"

     set action deny

     set status enable

   next

end

Created address ip range DHCP-Range

Now there are no longer VPN's created from the insite to the fortigate.

View solution in original post

4 REPLIES 4
jd653687
New Contributor III

Just saw that the solluction to block IKE within the local-in-policy doesn't work. So I need a sollution for deny access to de fortigate from the internal network.

jd653687
New Contributor III

Added L2TP and ESP to the source address,

For now no connections, but need to wait until next week if this was the sollution

ezhupa
Staff
Staff

Hello jd653687,
Best way to block any sort of traffic to the FGT would be with local-in policies.
Below you can find a documentation that explain how to configure them.
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/363127/local-in-policy
Obviously you would need to make changes on the configuration depending on your scenario and what services are you trying to block. 

 

Hope this helps.

jd653687
New Contributor III

Created de following:

config firewall local-in-policy

  edit 1

     set intf "port1"

     set scraddr "DHCP-Range"

     set dstaddr "all"

     set service "IKE" ËSP" "L2TP"

     set schedule "always"

     set action deny

     set status enable

   next

end

Created address ip range DHCP-Range

Now there are no longer VPN's created from the insite to the fortigate.

Top Kudoed Authors