- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?
Hello,
how can one aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?
I have approx. 80 IPSec dial-in tunnels defined. Each of which would need an own firewall rule to access the IP-Pool "IPSecClient_IP-range" which is dedicated to IKE-Config mode. See sample below:
config firewall policy
edit NN
set name "IPSec Client"
set uuid 3da34a02-nnn-nnn-8f09-f6ef3d7ennnn
set srcintf "IPSec Tunnel Client"
set dstintf "INTRANET"
set action accept
set srcaddr "IPSecClient_IP-range"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Is there an opportunity to create such a rule for a number of IPSec clients?
Or do You have an idea to bulk create the necessary rulesets?
best regards
Martin Haneke
Martin
Solved! Go to Solution.
- Labels:
-
Firewall policy
-
FortiGate
-
IPsec
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Martin,
If you want to add multiple source interfaces in the policy then you can use following:
It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.
Make sure you add the source and destination IP addresses accordingly.
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wouldn't a zone work for this purpose as well?
Toshi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.
Imagine you allow this, and create an access policy to some internal resource.
Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.
Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.
Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.
Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Martin,
If you want to add multiple source interfaces in the policy then you can use following:
It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.
Make sure you add the source and destination IP addresses accordingly.
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @akumar02
thank You for quickly answering my question!
best regards
Martin Haneke
Martin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello@CatInHat
thank You for Your reply. The solution was, to activate multiple source interfaces first by
Martin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wouldn't a zone work for this purpose as well?
Toshi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.
Imagine you allow this, and create an access policy to some internal resource.
Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.
Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.
Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.
Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ede_pfau ,
thank You for Your valuable hint. After Your detailed explanation I am of Your opinion and hence will change to containers. The 3rd party IKEv1/v2 clients already exist. We will migrate client-by-client to FortiClient. Thus the actual solution only should cover a transition phase.
That is also the reason, why we have so many connections with individual PSK.
best regards
Martin Haneke
Martin
Created on 03-24-2024 06:16 AM Edited on 03-24-2024 06:20 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am afraid I have to ask, how to create a zone with IPSec interfaces. When I create a zone, I can only choose physical interfaces, L2T, Site-2-Site, SSL-VPN or NPU. How could a zone built with IPSec dial-in objects?
best regards
Martin Haneke
Martin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're right, doesn't work with dynamic tunnels. That's why I set up one tunnel and add users to it (using XAuth). If you are using a 3rd party IPsec client I'm not sure if XAuth will work though.