Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
brijesh
New Contributor

Site-to-Site Ipsec: Allow only traffic from one direction

Hi,

I have successfully setup site-to-site vpn between FG60D and Mikrotik router. The tunnel is up and running and is setup using policy route vpn.

Now i would like to block traffic coming from mikrotik-> FG. Is there any way of doing it with policy based vpn. I have even setup a block rule which block traffic from mt->fg but it doesn't seem to work. Looking at the logs it looks like the packets which comes from mt hits the ipsec rule and gets routed. I even tried to move the block rule above the ipsec rule but still had no luck.

 

I read the following in one of the manual "The source address that you choose for the security policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel."

 

Can anyone help me with this

Thanks

2 REPLIES 2
Nils
Contributor II

In your policy, do you have a checkbox that's labeled "Allow traffic to be initiated from the remote site"?

In case you do, uncheck this and then you'll need one policy for each direction.

 

Another way is to create a Routing-based VPN. Then you'll need one policy for each direction.

I think the default way is route-based vpn.

 

 

brijesh
New Contributor

Thanks for your reply Nilsan.

I don't think it allows you to deselect "Allow traffic to be initiated from the remote site" this option. I think the only way is to use route based vpn then.

 

It would be better if i can drop the traffic from forward chain same way i did on mt router on the other end.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors