Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
studentuser
New Contributor II

Created on ‎03-08-2024 06:58 AM

How to set Fortigate IPsec VPN access restricted by source IP without using Local in Policy?

 Hello, I searched it in this forum, and finally found a similar topic below.

 

https://community.fortinet.com/t5/Support-Forum/IPSec-VPN-restricted-by-source-IP-address/m-p/129749...

 

But the topic is unresolved.

 

I already found a way to solve it by using 'Local in Policy'. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...

 

However, I don't want to use it because of system operation and maintenance considerations, as 'Local in Policy' is supported only through CLI setting.

If you have another idea, could you tell me how to set it?

 

FortiGate  

None
None
Labels:
1744
0 Kudos
1 Solution
hbac
Staff
Staff

Created on ‎03-08-2024 08:11 AM

Hi @studentuser,

 

If you want to restrict by IP, I believe local-in-policy is the only option. For additional security, you can use peer ID. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...

 

Regards, 

View solution in original post

1712
0 Kudos
6 REPLIES 6
hbac
Staff
Staff

Created on ‎03-08-2024 08:11 AM

Hi @studentuser,

 

If you want to restrict by IP, I believe local-in-policy is the only option. For additional security, you can use peer ID. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...

 

Regards, 

1713
0 Kudos
studentuser
New Contributor II
In response to hbac

Created on ‎03-11-2024 07:17 AM Edited on ‎03-11-2024 07:19 AM

I wanted to know if someone has other solutions, but it seems there's no other way. Thank you for your prompt reply.

None
None
1674
0 Kudos
aguerriero
Contributor II

Created on ‎03-11-2024 08:20 AM

You could nat 500/4500 to a loopback address and terminate ipsec on the loopback. Then you would do an outside/wan to loopback policy. On the ipsec configurations you would start using local id configuration as the public address.

If you have multiple publics you could assign a public to the loopback and that would remove the need to do any type of nat or local/remote id changes.

Fortigate used to not be able to offload ipsec to a loopback. I do not know if that changed.

1661
0 Kudos
johnathan
Staff
Staff

Created on ‎03-11-2024 08:59 AM Edited on ‎03-11-2024 09:03 AM

You can configure it on a loopback as seen on this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-when-IPSec-VPN-is-bound-to-l...

"Never trust a computer you can't throw out a window."
1655
0 Kudos
aguerriero
Contributor II
In response to johnathan

Created on ‎03-11-2024 10:13 AM

You need to follow the links. Only NP7 offloads ipsec on a loopback.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Information-about-IPsec-on-loopback-interf...

https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/46115/fortigate-np7-archite...

1648
0 Kudos
johnathan
Staff
Staff
In response to aguerriero

Created on ‎03-11-2024 11:07 AM Edited on ‎03-11-2024 01:18 PM

It will still work ;). The only thing you will see is higher CPU usage, or lesser throughput. 

I did not say the speeds would be exactly  the same without the loopback.

"Never trust a computer you can't throw out a window."
1643
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.