Hello my learned friends,
I have a question: is it possible on a FortiGate 200D to set up an IPsec tunnel as a responder only?
As an initiator it seems to go about trying to make a connection so aggressively that it sometimes overwhelms the responding site.
Your answers are, as always, highly valued.
André
ABB@ProBiblio Fortigate 200D (slave master)
You can set it as a dialup (no defined peer). That will get you a responder function.
Ken
PCNSE
NSE
StrongSwan
> You can set it as a dialup (no defined peer). That will get you a responder function.
Oew, that was scary.
I created a single P1 with no P2s and for a moment it seemed that my internet went down, as well as most of the IPsec tunnels.
Better not tinker with that in production hours.
But that raised another question:
In an IKEv1 tunnel you can enter an accepted peer ID, but this option disappears when you select IKEv2.
So, how do you make sure that only the peer IP address can connect to this tunnel (other than imposing a firewall rule and using a unique pre-shared key)?
ABB@ProBiblio Fortigate 200D (slave master)
1st, setting up a phase1-interface should not cause any issues.
2nd, in your example you're at no more risk than if you had no peer-ID acceptance. Think about it: if you set a phase1-interface to a static VPN peer, they would need to know the PSK.
Same if it was a peer-ID acceptance: they still have a PSK + peer ID (FQDN, IPv4 address, etc.).
PCNSE
NSE
StrongSwan
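To make the dialup suggestion concrete, here is an added FortiOS CLI example (not from the original thread or from Fortinet's documentation) contrasting a static phase1-interface, which will also initiate, with the dialup form that only answers incoming IKE. The tunnel name, WAN interface, peer address and PSK are placeholders; the phase2 and policy configuration are assumed to be unchanged.

```text
# Static peer: FortiGate both initiates and responds (the original, "aggressive" setup).
config vpn ipsec phase1-interface
    edit "site-b-static"
        set interface "wan1"                  # placeholder WAN interface
        set ike-version 2
        set type static
        set remote-gw 198.51.100.10           # placeholder remote peer address
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-UNIQUE-PSK"   # unique per tunnel, as the thread advises
    next
end

# Dialup: no remote-gw, so this FortiGate never initiates and only acts as responder.
# Use a distinct, unique PSK and restrict the source with firewall/local-in policy,
# as suggested in the thread, since any host reaching wan1 can attempt IKE.
config vpn ipsec phase1-interface
    edit "site-b-responder"
        set interface "wan1"                  # placeholder WAN interface
        set ike-version 2
        set type dynamic                      # dialup / no defined peer
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-UNIQUE-PSK"
    next
end
```

Bring up the dialup phase1 (and its phase2) in a maintenance window, as the second post above shows that changing phase1 on a busy box can briefly disrupt other tunnels.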