This is driving me mad.
I have set up an IPSec VPN and want to limit it to a certain set of destinations.
As I have two WAN links up, I'm connected on one and playing with the VPN settings of the other.
I thought I understood how this works, but I'm now utterly baffled.
I'm connecting with the FortiClient. I have my static routes pushed through OK so I can route to the destination network I want.
Now when it comes to policies, I have set up a policy from the remote tunnel to the destination, but this doesn't work.
If I change the policy so the source interface is "any", it works.
If I then change the policy so the source interface is the Remote Access WAN interface that's set up, it doesn't work: traffic gets dropped and is picked up by the default deny policy at the bottom.
When I have the policy configured so that the source interface is "any" and it works, if I look at the policy logs, I can see the source interface is my RA WAN.
So why doesn't it work when I set it to that interface? Furthermore, if I manually select ALL the interfaces that are up, it still doesn't work! It only lets traffic through when the source is "any".
I'm completely stumped!
What exactly do you mean by "Remote Access WAN Interface"? You're supposed to be using the tunnel interface name, like "Dup2IPsec" below, as the policy's source interface.
Toshi
Yes, I mean the tunnel interface. By default, when using the wizard, it calls them RA_xxx so I just labelled them like that:
If I have a policy with "all" as the source interface, it works:
But as soon as I change the source interface to be the tunnel one, it no longer hits that policy and falls into the default deny, and I can't understand why.
Created on 11-11-2024 10:38 AM Edited on 11-11-2024 10:39 AM
You're using dialup/remote access VPN, right? In that case, all user connections to the same interface, like the WAN1 IP, are just one tunnel interface, regardless of how many users connect to it.
If you want to have a different set of dialup/remote access VPNs for different user groups on the same WAN1, you have to set it up properly to differentiate the two user groups' users so they connect to the intended one. You may not be able to use the wizard to configure them.
Only in that case can you have a separate policy for each tunnel interface, but you need to have two policies.
Toshi
Thanks Toshi, I'm aware of the tweaking that will be required.
Here, I'm trying to configure the dial up on WAN2 where there's only one tunnel configured. On that tunnel, it either works or doesn't depending on the source interface setting. That's what I'm trying to understand here :)
VPN into a different interface is a different IPsec VPN (interface). Either you need to have two separate policies or set up a zone to have those two together so that you don't have to have multiple policies.
Toshi
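The two layouts Toshi describes (one policy per tunnel interface, or both tunnel interfaces grouped into a zone behind a single policy), written out as an added FortiOS CLI example that is not from the thread or from Fortinet documentation; the interface, zone and address object names are assumptions:

```fortios
# Added example. Assumed names: "RA_WAN1" / "RA_WAN2" are the dialup tunnel
# interfaces on the two WAN links, "internal" is the LAN interface, and
# "VPN_DST" is an address object covering the permitted destination network.

# Option 1: one policy per tunnel interface, with the tunnel interface itself
# (not the physical WAN port) as srcintf.
config firewall policy
    edit 10
        set name "ra-wan1-to-dst"
        set srcintf "RA_WAN1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VPN_DST"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# The second tunnel (RA_WAN2) gets an identical policy with its own srcintf.

# Option 2: put both tunnel interfaces into a zone and keep a single policy.
# An interface cannot be added to a zone while a policy still references it,
# so remove it from existing policies first.
config system zone
    edit "RA_ZONE"
        set interface "RA_WAN1" "RA_WAN2"
    next
end
config firewall policy
    edit 12
        set name "ra-zone-to-dst"
        set srcintf "RA_ZONE"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VPN_DST"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verify which ingress interface and policy id a client's traffic actually
# matches (10.212.134.200 is a constructed client address, replace it):
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow trace start 10
diagnose debug enable
```

The flow trace output names the interface the packet arrived on and the policy id it matched (or the implicit deny), which is the quickest way to see why a policy keyed to a specific tunnel interface is not being hit.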
Copyright 2024 Fortinet, Inc. All Rights Reserved.