Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mahmoud93
New Contributor

IPSec vpn restricted by mac addresses

Hello everyone! 

 

is it doable to restrict IPsec vpn access (forticlent) based on certian mac addresses 

1 REPLY 1
Carl_Smith
New Contributor

Even if it was possible, what is the purpose? If you only want trusted clients to connect, then the certificate route is the best way to go.

What client are you guys using? With both the SSL (NetExtender/Mobile Connect) and Global (IPsec) you can see the MAC address of the device used to establish the connection (Either in users or VPN -> DHCP depending on the client) and you could potentially create a SSL VPN -> LAN or VPN -> LAN rule to allow access from a white listed address group that contained approved MACs.

With the Global, you can also allow the IP addressing to be lease only (either pointing to the SonicWALLs internal DHCP or relay to another DHCP server); We have customers who set aside a separate subnet for the GVC connections and all the leases in that subnet are statics.

As others have pointed out though, a MAC address is a trivial thing to spoof - so even if you wanted to figure out how to successfully implement something it would not be the most effective as crafty users are likely to get around that if they get ahold of a white listed MAC.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors