Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
studentuser
New Contributor

How to set Fortigate IPsec VPN access restricted by source IP without using Local in Policy?

 Hello, I searched it in this forum, and finally found a similar topic below.

 

https://community.fortinet.com/t5/Support-Forum/IPSec-VPN-restricted-by-source-IP-address/m-p/129749...

 

But the topic is unresolved.

 

I already found a way to solve it by using 'Local in Policy'. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...

 

However, I don't want to use it because of system operation and maintenance considerations, as 'Local in Policy' is supported only through CLI setting.

If you have another idea, could you tell me how to set it?

 

FortiGate 

None
None
1 Solution
hbac
Staff
Staff

Hi @studentuser,

 

If you want to restrict by IP, I believe local-in-policy is the only option. For additional security, you can use peer ID. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...

 

Regards, 

View solution in original post

6 REPLIES 6
hbac
Staff
Staff

Hi @studentuser,

 

If you want to restrict by IP, I believe local-in-policy is the only option. For additional security, you can use peer ID. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...

 

Regards, 

studentuser

I wanted to know if someone has other solutions, but it seems there's no other way. Thank you for your prompt reply.

None
None
aguerriero
Contributor II

You could nat 500/4500 to a loopback address and terminate ipsec on the loopback. Then you would do an outside/wan to loopback policy. On the ipsec configurations you would start using local id configuration as the public address.

If you have multiple publics you could assign a public to the loopback and that would remove the need to do any type of nat or local/remote id changes.

Fortigate used to not be able to offload ipsec to a loopback. I do not know if that changed.

johnathan
Staff
Staff

You can configure it on a loopback as seen on this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-when-IPSec-VPN-is-bound-to-l...

"Never trust a computer you can't throw out a window."
aguerriero

johnathan

It will still work ;). The only thing you will see is higher CPU usage, or lesser throughput. 

I did not say the speeds would be exactly  the same without the loopback.

"Never trust a computer you can't throw out a window."
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors