Hello,
how can one aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?
I have approx. 80 IPSec dial-in tunnels defined. Each of which would need an own firewall rule to access the IP-Pool "IPSecClient_IP-range" which is dedicated to IKE-Config mode. See sample below:
config firewall policy
edit NN
set name "IPSec Client"
set uuid 3da34a02-nnn-nnn-8f09-f6ef3d7ennnn
set srcintf "IPSec Tunnel Client"
set dstintf "INTRANET"
set action accept
set srcaddr "IPSecClient_IP-range"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Is there an opportunity to create such a rule for a number of IPSec clients?
Or do You have an idea to bulk create the necessary rulesets?
best regards
Martin Haneke
Solved! Go to Solution.
Hello Martin,
If you want to add multiple source interfaces in the policy then you can use following:
Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.
Wouldn't a zone work for this purpose as well?
Toshi
Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.
Imagine you allow this, and create an access policy to some internal resource.
Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.
Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.
Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.
Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?
Hello Martin,
If you want to add multiple source interfaces in the policy then you can use following:
Hello @akumar02
thank You for quickly answering my question!
best regards
Martin Haneke
Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.
Hello@CatInHat
thank You for Your reply. The solution was, to activate multiple source interfaces first by
Wouldn't a zone work for this purpose as well?
Toshi
Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.
Imagine you allow this, and create an access policy to some internal resource.
Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.
Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.
Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.
Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?
Hello @ede_pfau ,
thank You for Your valuable hint. After Your detailed explanation I am of Your opinion and hence will change to containers. The 3rd party IKEv1/v2 clients already exist. We will migrate client-by-client to FortiClient. Thus the actual solution only should cover a transition phase.
That is also the reason, why we have so many connections with individual PSK.
best regards
Martin Haneke
Created on 03-24-2024 06:16 AM Edited on 03-24-2024 06:20 AM
I am afraid I have to ask, how to create a zone with IPSec interfaces. When I create a zone, I can only choose physical interfaces, L2T, Site-2-Site, SSL-VPN or NPU. How could a zone built with IPSec dial-in objects?
best regards
Martin Haneke
You're right, doesn't work with dynamic tunnels. That's why I set up one tunnel and add users to it (using XAuth). If you are using a 3rd party IPsec client I'm not sure if XAuth will work though.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.