How to aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?

mhaneke · ‎03-23-2024

Hello,

how can one aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?

I have approx. 80 IPSec dial-in tunnels defined. Each of which would need an own firewall rule to access the IP-Pool "IPSecClient_IP-range" which is dedicated to IKE-Config mode. See sample below:

config firewall policy
edit NN
set name "IPSec Client"
set uuid 3da34a02-nnn-nnn-8f09-f6ef3d7ennnn
set srcintf "IPSec Tunnel Client"
set dstintf "INTRANET"
set action accept
set srcaddr "IPSecClient_IP-range"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

Is there an opportunity to create such a rule for a number of IPSec clients?

Or do You have an idea to bulk create the necessary rulesets?

best regards

Martin Haneke

best regards
Martin

akumar02 · ‎03-23-2024

Hello Martin,

If you want to add multiple source interfaces in the policy then you can use following:

This feature can be enabled by CLI.

config system settings

set gui-multiple-interface-policy enable

end

It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-interfaces-on-a-...

Make sure you add the source and destination IP addresses accordingly.

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: 1,2,3,4,5,7
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up

View solution in original post

CatInHat · ‎03-23-2024

Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.

View solution in original post

Toshi_Esumi · ‎03-23-2024

Wouldn't a zone work for this purpose as well?

Toshi

View solution in original post

ede_pfau · ‎03-24-2024

Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.

Imagine you allow this, and create an access policy to some internal resource.

Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.

Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.

Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.

Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

akumar02 · ‎03-23-2024

Hello Martin,

If you want to add multiple source interfaces in the policy then you can use following:

This feature can be enabled by CLI.

config system settings

set gui-multiple-interface-policy enable

end

It can also be enabled by the GUI by going to System -> Feature, selecting the page, and toggling 'Multiple Interface Policies'.

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-interfaces-on-a-...

Make sure you add the source and destination IP addresses accordingly.

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: 1,2,3,4,5,7
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up

mhaneke · ‎03-23-2024

Hello @akumar02

thank You for quickly answering my question!

best regards

Martin Haneke

best regards
Martin

CatInHat · ‎03-23-2024

Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.

mhaneke · ‎03-23-2024

Hello@CatInHat

thank You for Your reply. The solution was, to activate multiple source interfaces first by

config system settings

set gui-multiple-interface-policy enable

end

within the vdom.

best regards
Martin

Toshi_Esumi · ‎03-23-2024

Wouldn't a zone work for this purpose as well?

Toshi

ede_pfau · ‎03-24-2024

Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.

Imagine you allow this, and create an access policy to some internal resource.

Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.

Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.

Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.

Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?

Ede Kernel panic: Aiee, killing interrupt handler!

mhaneke · ‎03-24-2024

Hello @ede_pfau ,

thank You for Your valuable hint. After Your detailed explanation I am of Your opinion and hence will change to containers. The 3rd party IKEv1/v2 clients already exist. We will migrate client-by-client to FortiClient. Thus the actual solution only should cover a transition phase.

That is also the reason, why we have so many connections with individual PSK.

best regards

Martin Haneke

best regards
Martin

mhaneke · ‎03-24-2024

@ede_pfauand @Toshi_Esumi

I am afraid I have to ask, how to create a zone with IPSec interfaces. When I create a zone, I can only choose physical interfaces, L2T, Site-2-Site, SSL-VPN or NPU. How could a zone built with IPSec dial-in objects?

best regards

Martin Haneke

best regards
Martin

ede_pfau · ‎03-24-2024

You're right, doesn't work with dynamic tunnels. That's why I set up one tunnel and add users to it (using XAuth). If you are using a 3rd party IPsec client I'm not sure if XAuth will work though.

Ede Kernel panic: Aiee, killing interrupt handler!

How to aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?

Nominate a Forum Post for Knowledge Article Creation