Support Forum
crh1
New Contributor

IPSEC Policy base rules

I have successfully set up an IPSEC tunnel using policy-based mode, as the other end doesn't support interface mode. I have created a simple rule:

config firewall policy
    edit 8
        set name "IPSEC to H2"
        set uuid c5b4e622-67a8-51e8-f7ef-f1a2eec092f6
        set srcintf "v31"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "h2"
    next
end

Is there a way to block certain incoming traffic from the IPsec tunnel? If I try to make a rule from wan1 to v31 it does not seem to block.

config firewall policy
    edit 10
        set name "Block Nas3"
        set uuid ae7c2586-6831-51e8-e4d9-5440e79dcb5d
        set srcintf "wan1"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]" "Comcast H2"
        set dstaddr "192.168.31.10 [Nas3]"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

I am trying to block a NAS file server from the remote site. There doesn't seem to be a way to do this with it in policy mode. I do not see a way to set a policy that says "from remote site to local: block". Interface mode would be easy, but my other side does not support interface mode.

7 REPLIES
Toshi_Esumi
SuperUser

I'm not sure why the additional specific blocking policy doesn't work as long as it's placed above/before the allowing policy. But interface mode/policy mode is only locally significant. You should be able to connect interface mode ipsec configured on local side to the remote side that has policy mode IPsec configured.

ericli_FTNT
Staff

The policy number "8" doesn't mean it's checked before "10".

To ensure the sequence of the policies, you can change the order in the GUI or execute the command "move 10 before 8" in the CLI.

crh1

Hmm, my deny policy is above my accept policy. Here is a screenshot from the GUI:

(I opened it in the "by sequence" view just in case.)

I think my issue is the return rules: should those be set? I have no option to say ipsec and deny. My best guess was to say it was incoming from my wan and leaving my v31 interface. Then I specified the source IPs (I threw in the remote public IP just in case), but still no luck.

As for interface mode, how would that be configured? Normally when I've seen interface mode the phase2 is set to 0.0.0.0 - 0.0.0.0, where right now in policy mode I have two configured, one as 192.168.31.0/24 - 192.168.1.0/24 and one as 192.168.31.0/24 - 192.168.0.0/24. Same on the remote side.

ericli_FTNT

Okay, if you want to identify which policy allows the unwanted traffic to pass, you can try checking the session info or the debug flow.

Try:

diag sys session filter clear
diag sys session filter dst 192.168.31.10
diag sys session filter dintf v31
diag sys session list | grep policy_id

or:

diag debug en
diag debug flow filter daddr 192.168.31.10
diag debug flow trace start 3

Toshi_Esumi

Of course the phase2 traffic selectors need to match on both ends, regardless of interface mode or policy mode.

I haven't configured or even enabled policy-based IPsec in years, so I don't remember what the config looked like. But for interface mode, you just need to define two phase2-interfaces and bind them to the phase1-interface, to match the remote end config.

crh1

@Toshi Esumi

That worked wonders! I'm back in my element and everything is working great now.

@ericli_FTNT

So it was still hitting policy 8, the IPSEC rule.

FG # diag sys session filter clear
FG # diag sys session filter dst 192.168.31.10
FG # diag sys session filter dintf v31
FG # diag sys session list | grep policy_id
FG # diag sys session list | grep policy_id
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0

The flow trace I'm not going to post, since it has a lot of public IPs in it. There is a dst NAT going on. I do know we use VIPs at work and there was a gotcha about where the rules had to be. Not sure, with a dst NAT happening, if something is being screwy there.

In any case, I got the interface mode working beautifully, added my policies between the interface and v31, and everything is golden.

Thanks for all the help guys!
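The session-list check ericli_FTNT describes above, and the output crh1 pasted, only show that policy 8 appears; they do not say which sessions each line belongs to. The following is an added example, not code from anyone in this thread: a small Python parser over constructed `diag sys session list` output (the FortiOS line format, trimmed to the lines it needs) that extracts the originating 5-tuple and policy_id from each session block and tallies which policies are actually carrying sessions to a given destination. A deny policy that never shows up in the tally is one the traffic is not reaching, which is the situation the thread is troubleshooting.

```python
import re
from collections import Counter

# Constructed sample of `diag sys session list` output in the FortiOS line format,
# trimmed to the lines the parser needs; it is not a capture from this thread.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.25:49152->192.168.31.10:445(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.31.10:445->192.168.1.25:49152(0.0.0.0:0)
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.0.7:51000->192.168.31.10:445(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.31.10:445->192.168.0.7:51000(0.0.0.0:0)
misc=0 policy_id=8 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=1 expire=179 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.31.50:5353->192.168.31.1:53(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.31.1:53->192.168.31.50:5353(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

ORG = re.compile(r"dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)\(")  # originating 5-tuple
POLICY = re.compile(r"\bpolicy_id=(\d+)")                            # policy that built it
PROTO = re.compile(r"^session info: proto=(\d+)")

def parse_sessions(text):
    """Return one record per session block: proto, src/dst, ports, policy_id."""
    records = []
    for chunk in text.split("session info:")[1:]:
        block = "session info:" + chunk
        org, pol = ORG.search(block), POLICY.search(block)
        if not org or not pol:
            continue  # truncated paste or a block with no policy line: skip it
        records.append({
            "proto": int(PROTO.match(block).group(1)),
            "src": org.group(1), "sport": int(org.group(2)),
            "dst": org.group(3), "dport": int(org.group(4)),
            "policy_id": int(pol.group(1)),
        })
    return records

def policy_hits(text, dst_ip):
    """Count sessions to dst_ip per policy_id (the thread's grep, but per session destination)."""
    hits = Counter(r["policy_id"] for r in parse_sessions(text) if r["dst"] == dst_ip)
    return dict(hits)

if __name__ == "__main__":
    for pid, n in sorted(policy_hits(SAMPLE, "192.168.31.10").items()):
        print(f"policy_id={pid}: {n} session(s) to 192.168.31.10")
```

On a live unit, paste the output of `diag sys session list` (with the filters from the thread applied) into `SAMPLE` or read it from a file; the tally shows which policy ID owns each destination's sessions.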

emnoc
Esteemed Contributor III

I have successfully set up an IPSEC tunnel using policy-based mode, as the other end doesn't support interface mode. I have created a simple rule:

FWIW, interface mode, aka route-based VPN, does NOT need to match the other side's mode. Just figured I would point that out: the IPsec SAs have no clue, nor should they care, whether the other device initiated as a route- or policy-based VPN.

Ken

PCNSE
NSE
StrongSwan