Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhaneke
Contributor

How to aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?

Hello,

 

how can one aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?

 

I have approx. 80 IPSec dial-in tunnels defined. Each of which would need an own firewall rule to access the IP-Pool "IPSecClient_IP-range" which is dedicated to IKE-Config mode. See sample below:

 

config firewall policy
edit NN
set name "IPSec Client"
set uuid 3da34a02-nnn-nnn-8f09-f6ef3d7ennnn
set srcintf "IPSec Tunnel Client"
set dstintf "INTRANET"
set action accept
set srcaddr "IPSecClient_IP-range"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

 

Is there an opportunity to create such a rule for a number of IPSec clients?

Or do You have an idea to bulk create the necessary rulesets?

 

best regards

Martin Haneke

 

 

 

best regards
Martin
best regardsMartin
4 Solutions
akumar02
Staff
Staff

Hello Martin,

If you want to add multiple source interfaces in the policy then you can use following:

 

This feature can be enabled by CLI.
 
config  system  settings
    set  gui-multiple-interface-policy enable
end

It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.
 Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-interfaces-on-a-...

Make sure you add the source and destination IP addresses accordingly.
 
Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up

View solution in original post

CatInHat
New Contributor III

Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.

View solution in original post

Toshi_Esumi

Wouldn't a zone work for this purpose as well?

Toshi

View solution in original post

ede_pfau
SuperUser
SuperUser

Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.

Imagine you allow this, and create an access policy to some internal resource.

Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.

Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.

Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.

Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
11 REPLIES 11
akumar02
Staff
Staff

Hello Martin,

If you want to add multiple source interfaces in the policy then you can use following:

 

This feature can be enabled by CLI.
 
config  system  settings
    set  gui-multiple-interface-policy enable
end

It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.
 Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-interfaces-on-a-...

Make sure you add the source and destination IP addresses accordingly.
 
Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
mhaneke

Hello @akumar02 

 

thank You for quickly answering my question!

 

best regards

Martin Haneke

best regards
Martin
best regardsMartin
CatInHat
New Contributor III

Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.

mhaneke
Contributor

Hello@CatInHat 

 

thank You for Your reply. The solution was, to activate multiple source interfaces first by

 

config  system  settings
    set  gui-multiple-interface-policy enable
end
within the vdom.
best regards
Martin
best regardsMartin
Toshi_Esumi

Wouldn't a zone work for this purpose as well?

Toshi

ede_pfau
SuperUser
SuperUser

Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.

Imagine you allow this, and create an access policy to some internal resource.

Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.

Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.

Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.

Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
mhaneke

Hello @ede_pfau ,

 

thank You for Your valuable hint. After Your detailed explanation I am of Your opinion and hence will change to containers. The 3rd party IKEv1/v2 clients already exist. We will migrate client-by-client to FortiClient. Thus the actual solution only should cover a transition phase.

That is also the reason, why we have so many connections with individual PSK.

 

best regards

Martin Haneke

best regards
Martin
best regardsMartin
mhaneke

@ede_pfauand @Toshi_Esumi 

 

I am afraid I have to ask, how to create a zone with IPSec interfaces. When I create a zone, I can only choose physical interfaces, L2T, Site-2-Site, SSL-VPN or NPU. How could a zone built with IPSec dial-in objects?

 

best regards

Martin Haneke

best regards
Martin
best regardsMartin
ede_pfau

You're right, doesn't work with dynamic tunnels. That's why I set up one tunnel and add users to it (using XAuth). If you are using a 3rd party IPsec client I'm not sure if XAuth will work though.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors