Hello, I searched for this in the forum and finally found a similar topic below.
But that topic is unresolved.
I already found a way to solve it by using 'Local in Policy'. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...
However, I don't want to use it because of system operation and maintenance considerations, as 'Local in Policy' can only be configured through the CLI.
If you have another idea, could you tell me how to set it up?
Hi @studentuser,
If you want to restrict by IP, I believe local-in-policy is the only option. For additional security, you can use peer ID. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...
Regards,
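As an added example that is not part of any post in this thread, the following FortiOS CLI fragment shows how the two mechanisms named in this answer combine: a geography address plus a pair of local-in-policy entries that accept IKE (UDP 500/4500) only from the allowed country and drop all other IKE arriving on the WAN interface, and a phase 1 that additionally requires a specific peer ID. The interface name wan1, the country code JP, the address, tunnel and policy names, and the peer ID value are assumptions for illustration; verify option names against your FortiOS version with `?` in the CLI.

```text
# Geography address: matches any source IP the FortiGate's GeoIP database maps to Japan (country code assumed)
config firewall address
    edit "geo-allowed-JP"
        set type geography
        set country "JP"
    next
end

# Local-in policy governs traffic addressed to the FortiGate itself (IKE lands here, not in the firewall policy table).
# Entries are evaluated in order: accept the allowed country first, then deny IKE from everyone else.
# Only the predefined "IKE" service (UDP 500 and 4500) is matched, so SSH/HTTPS management access is not affected.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-allowed-JP"
        set dstaddr "all"
        set service "IKE"
        set action accept
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set action deny
        set schedule "always"
    next
end

# Dialup phase 1 that also requires the peer to present a specific IKE ID (peer ID value assumed).
# A peer from the allowed country that presents the wrong ID still fails phase 1.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "branch-1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <shared secret>
    next
end
```

After applying this, an IKE_SA_INIT from a source outside the allowed country is dropped before IKE ever sees it, so it never shows up in `diagnose vpn ike log` as a failed negotiation; peers inside the country that send the wrong ID fail at the IKE_AUTH stage instead. Keep the deny entry last and specific to the IKE service, or a broader deny will lock you out of remote management on that interface.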
Created on 03-11-2024 07:17 AM Edited on 03-11-2024 07:19 AM
I wanted to know if someone has other solutions, but it seems there's no other way. Thank you for your prompt reply.
You could NAT 500/4500 to a loopback address and terminate IPsec on the loopback. Then you would do an outside/WAN to loopback policy. On the IPsec configuration you would start using the local ID configuration as the public address.
If you have multiple publics, you could assign a public to the loopback, and that would remove the need to do any type of NAT or local/remote ID changes.
FortiGate used to not be able to offload IPsec to a loopback. I do not know if that changed.
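The loopback approach from this post, reconstructed as an added FortiOS CLI example that is not the poster's own configuration: the tunnel terminates on a loopback interface, port-forward VIPs translate UDP 500 and 4500 from the public address to the loopback, and the source restriction then lives in an ordinary WAN-to-loopback firewall policy that can be managed from the GUI. The public address 203.0.113.10 (RFC 5737 documentation range), the loopback address, and all interface, address, VIP, policy and tunnel names are assumptions; exact option names vary by FortiOS version, so confirm them with `?` in the CLI.

```text
# 1. Loopback interface that will terminate IKE/IPsec (address assumed)
config system interface
    edit "lo-ipsec"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Source restriction as a normal address object (country code assumed)
config firewall address
    edit "geo-allowed-JP"
        set type geography
        set country "JP"
    next
end

# 3. Port-forward VIPs: IKE (UDP 500) and NAT-T (UDP 4500) arriving on the public address are DNATed to the loopback
config firewall vip
    edit "vip-ike-500"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol udp
        set extport 500
        set mappedip "10.255.255.1"
        set mappedport 500
    next
    edit "vip-ike-4500"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedip "10.255.255.1"
        set mappedport 4500
    next
end

# 4. WAN-to-loopback policy: only the allowed sources may reach the VIPs; everything else is implicitly denied
config firewall policy
    edit 10
        set name "ike-to-loopback"
        set srcintf "wan1"
        set dstintf "lo-ipsec"
        set srcaddr "geo-allowed-JP"
        set dstaddr "vip-ike-500" "vip-ike-4500"
        set service "IKE"
        set action accept
        set schedule "always"
    next
end

# 5. Phase 1 bound to the loopback. Peers address the public IP, not the loopback IP,
#    so the local IKE ID is set to the public address to keep identity checks consistent.
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set type dynamic
        set interface "lo-ipsec"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set localid "203.0.113.10"
        set localid-type address
        set psksecret <shared secret>
    next
end
```

If a spare public address can be assigned directly to the loopback (step 1), steps 3 and the local ID settings in step 5 are unnecessary: the policy in step 4 then uses the loopback address as `dstaddr` and no translation takes place. Either way, a unit without hardware offload for loopback-bound IPsec still terminates the tunnel; the cost is CPU-bound throughput rather than a functional failure.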
You can configure it on a loopback as seen on this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-when-IPSec-VPN-is-bound-to-l...
You need to follow the links. Only NP7 offloads IPsec on a loopback.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Information-about-IPsec-on-loopback-interf...
https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/46115/fortigate-np7-archite...
Created on 03-11-2024 11:07 AM Edited on 03-11-2024 01:18 PM
It will still work ;). The only thing you will see is higher CPU usage, or lower throughput.
I did not say the speeds would be exactly the same as without the loopback.