I have successfully set up an IPsec tunnel in policy-based mode, as the other end doesn't support interface mode. I have created a simple rule:
config firewall policy
edit 8
set name "IPSEC to H2"
set uuid c5b4e622-67a8-51e8-f7ef-f1a2eec092f6
set srcintf "v31"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
set action ipsec
set schedule "always"
set service "ALL"
set logtraffic all
set inbound enable
set vpntunnel "h2"
next
end
Is there a way to block certain incoming traffic from the IPsec tunnel? If I try to make a rule from wan1 to v31 it does not seem to block.
config firewall policy
edit 10
set name "Block Nas3"
set uuid ae7c2586-6831-51e8-e4d9-5440e79dcb5d
set srcintf "wan1"
set dstintf "v31"
set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]" "Comcast H2"
set dstaddr "192.168.31.10 [Nas3]"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Trying to block a NAS file server from the remote site. There doesn't seem to be a way to do this in policy mode. I do not see a way to set a policy that says "from remote site to local: block". Interface mode would be easy, but my other side does not support interface mode.
I'm not sure why the additional, more specific blocking policy doesn't work as long as it's placed above/before the allowing policy. But interface mode/policy mode is only locally significant. You should be able to connect interface-mode IPsec configured on the local side to a remote side that has policy-mode IPsec configured.
The policy number "8" doesn't mean it's checked before "10".
To ensure the sequence of the policies, you can change the order in the GUI or execute the command "move 10 before 8" on the CLI.
Hmm, my deny policy is above my accept policy. Here is a screenshot from the GUI:
(I opened it in the "by sequence" view just in case.)
I think my issue is the return rules: should those be set? I have no option to say IPsec and deny. My best guess was to say it was incoming from my WAN and leaving my v31 interface. Then I specified the source IPs (I threw in the remote public IP just in case), but still no luck.
As for interface mode, how would that be configured? Normally when I've seen interface mode the phase 2 is set to 0.0.0.0 - 0.0.0.0, whereas right now in policy mode I have two configured: one as 192.168.31.0/24 - 192.168.1.0/24 and one as 192.168.31.0/24 - 192.168.0.0/24. Same on the remote side.
Okay, if you want to identify which policy allows the unwanted traffic to pass, you can check the session info or the debug flow.
Try:
diag sys session filter clear
diag sys session filter dst 192.168.31.10
diag sys session filter dintf v31
diag sys session list | grep policy_id
Or:
diag debug en
diag debug flow filter daddr 192.168.31.10
diag debug flow trace start 3
Of course the phase 2 traffic selectors need to match on both ends regardless of interface mode or policy mode.
I haven't configured or even enabled policy-based IPsec in years, so I don't remember what the config looked like. But for interface mode, you just need to define two phase2-interfaces and bind them to the phase1-interface, to match the remote end's config.
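As an added example (not from the original thread or from either poster), this is what the interface-mode equivalent described in the reply above could look like in FortiOS CLI, using the subnets and address-object names the thread already shows. Two phase2-interfaces are bound to one phase1-interface, static routes point the remote subnets at the tunnel interface, and the deny policy for the NAS sits above the accept policy between the tunnel interface and v31. The remote gateway 203.0.113.2, the pre-shared key, the proposal and the policy names are placeholders I assumed; the existing policy-based phase1/phase2 and policy 8 are assumed to have been removed first.

```fortios
# Added example, not the thread's own config. Assumptions: remote gateway
# 203.0.113.2, proposal aes256-sha256, PSK placeholder, policy names.

config vpn ipsec phase1-interface
    edit "h2"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret REPLACE_WITH_PSK
    next
end

# Two phase2-interfaces, one per remote subnet, matching the selectors the
# remote (policy-based) side already uses.
config vpn ipsec phase2-interface
    edit "h2-dmz"
        set phase1name "h2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.31.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
    edit "h2-internal"
        set phase1name "h2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.31.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# Route-based VPN: traffic reaches the tunnel via routes, not via an
# "action ipsec" policy.
config router static
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "h2"
    next
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "h2"
    next
end

# Policies between the tunnel interface "h2" and v31. Created in this order
# the deny lands above the accept; verify with "show firewall policy" and use
# "move <id> before <id>" if it does not.
config firewall policy
    edit 0
        set name "Block Nas3 from H2"
        set srcintf "h2"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set dstaddr "192.168.31.10 [Nas3]"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "H2 to v31"
        set srcintf "h2"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "v31 to H2"
        set srcintf "v31"
        set dstintf "h2"
        set srcaddr "all"
        set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With the tunnel as its own interface, the inbound direction has its own srcintf, so a deny policy is matched like any other, and the session filter shown above (filtered on dintf v31) should report the deny policy's id rather than the tunnel policy.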
@Toshi Esumi
That worked wonders! I'm back in my element and everything is working great now.
@ericli_FTNT
So it was still hitting policy 8, the IPsec rule.
FG # diag sys session filter clear
FG # diag sys session filter dst 192.168.31.10
FG # diag sys session filter dintf v31
FG # diag sys session list | grep policy_id
FG # diag sys session list | grep policy_id
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
The flow trace I'm not going to post since it has a lot of public IPs in it. There is a destination NAT going on. I do know we use VIPs at work and there was a gotcha about where the rules had to be. Not sure, with a destination NAT happening, if something is screwy there.
In any case, I got interface mode working beautifully and added my policies between the tunnel interface and v31, and everything is golden.
Thanks for all the help guys!
FWIW, interface (aka route-based) VPN does NOT need to match the other side's mode. Just figured I would point that out: the IPsec SAs have no clue, nor should they care, whether the other device initiated as a route-based or policy-based VPN.
Ken
PCNSE
NSE
StrongSwan