Hi,
I'm working with a FGT300C running v5.0,build0305 (GA Patch 10). I'm trying to restrict access to one of the IPSec dialup VPN's on the box to specific source IP's. I have created a Address Group with the source IP's, associated with the VPN interface. I then enabled and created local-in policies allowing traffic to the VPN interface from the Address Group and denying all others. My VPN works fine, but the local-in policy doesn't appear to be working - I can connect to the VPN from any Public IP. Any idea why?
Thanks,
Mike
config firewall local-in-policy
edit 1
set intf "MyVPN"
set srcaddr "MyVPN_PubIP_Group"
set dstaddr "all"
set action accept
set service "ALL"
set schedule "always"
next
edit 2
set intf "MyVPN"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set schedule "always"
next
end
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I believe the local in policies are to hit the Fortigate itself, not traffic passing through it. You just need to set those IP addresses in the group as the source addresses for the IPSec tunnel.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
If you mean specifying the source IP group under the IPv4 policy as the source address, I've tried that. Although it stops access to the destination subnets, it still allows any public IP to connect to the VPN, it just doesn't route the traffic. I'm looking for a way to reject connections to this particular VPN from any address other than what's whitelisted in the source group.
What is the interface (intf) you're specifying as your VPN interface?
I believe it needs to be the actual physical interface your vpn interface is on, not the vpn interface object itself.
If that works then you'll want to make the accept and deny rules more specific with dstaddr and just the IPSec initialisation services (IKE and NATT I think?).
If that doesn't work, I can go and re-check my own config for this. Hopefully it is still working!
tanr wrote:What is the interface (intf) you're specifying as your VPN interface?
I believe it needs to be the actual physical interface your vpn interface is on, not the vpn interface object itself.
If that works then you'll want to make the accept and deny rules more specific with dstaddr and just the IPSec initialisation services (IKE and NATT I think?).
If that doesn't work, I can go and re-check my own config for this. Hopefully it is still working!
I am using the VPN interface as intf as per the config. The trouble with using the physical interface is that will affect all my other VPN's that exist on that interface, some of which need to be accessible from all public IP's. There has to be a more granular way to address this. If you have a working config for this, please do share.
Do all your other VPN's on that interface have distinct IPs? If so, you could still specify the physical interface as the intf and separate out the VPN's by dstaddr.
Other than that I don't really have other suggestions. The way local-in-policy precedes and precludes standard firewall policies like this is still something I still get tripped on, coming from devices where all these policies were all in one place.
tanr wrote:Do all your other VPN's on that interface have distinct IPs? If so, you could still specify the physical interface as the intf and separate out the VPN's by dstaddr.
Other than that I don't really have other suggestions. The way local-in-policy precedes and precludes standard firewall policies like this is still something I still get tripped on, coming from devices where all these policies were all in one place.
No, the other VPN's share the same public IP. Looks like I might have to open a case with support to solve this one. Unless a moderator chimes in. Thanks!
Hope you find a good way to do this. Please post what you find out.
I ended up using SSL VPN which works with a source IP Group. It also allows for the use of a CLI based Linux client, which turned out to be a requirement.
Hi.
It's an old post but I needed allow the IPSEC traffic only to two IPs and i have done with this configuration.
1. Create a group to Allow IPSEC connections from Public IPs
My group is called "IPSEC_Allow"
2.Create two policies, one to allow traffic from the group and one to block all the IKE traffic:
config firewall local-in-policy |
edit 1 |
set intf "wan1" |
set srcaddr "IPSEC_Allow" |
set dstaddr "all" |
set action accept |
set service "IKE" |
set schedule "always" |
next |
edit 2 |
set intf "wan1" |
set srcaddr "all" |
set dstaddr "all" |
set service "IKE" |
set schedule "always" |
next |
end |
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.