VPN IP Address Block/Allow for Mobile Users
We have in place a VPN system using the WatchGuards; however, whenever one of our users is traveling to a country that is blocked by our Geoblocking, we have to update their IP address in the allow list. Sometimes they go to a country where the IP rotates every 15 minutes, and others AP hop between clients. Is there a way to allow anyone connecting to the VPN to connect, regardless of where they are in the world, as long as they authenticate?
Comments
What policies are being blocked for these VPN users?
You can add specific policies for VPN users without the Geo option enabled.
The policy that is allowing the VPN traffic to get to the firewall would need to be modified to allow from any country.
The user can't authenticate if they aren't allowed to even access the firewall they're trying to authenticate to.
For SSLVPN, it's the "WatchGuard SSLVPN" rule.
For IPSec VPNs, the policy is "Allow-IKE-to-Firebox" which is hidden. See the top of this article:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_vpn_policies_c.html
-James Carson
WatchGuard Customer Support
Perfect thanks! I will give that some TnE testing and see how I get on. Thanks!