Secure Access to Branch Office VPNs that Use IPSec and IKEv2

https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr000000DMXNKA4&lang=en_US

what about skipping step 1
and adding ddns names to step 2 or 3?

this would still allow Dynamic Peer BOVPN

mfg
norman

Comments

  • This would still allow connection attempts from unknown IP addrs, which the article is trying to prevent.

  • @Bruce_Briggs said:
    This would still allow connection attempts from unknown IP addrs, which the article is trying to prevent.

    how can unknown IP addrs connect if there is a port filter with incoming defined ip and fqdn ?

  • It would generally prevent mobile IKE connections and might prevent or drop dynamic site BOVPN connections immediately after a dynamic IP addr change by an ISP, until the DYN DNS is updated with the new IP addr.

  • Additionally, there has been a major attack against DYN (2016) which caused outages of up to 18 hours for sites which used it.
    So there could be other attacks against DDNS providers, which could affect your BOVPN and other incoming access to a firewall which use DDNS.
    Thus a reason to consider using a static IP addr instead of a dynamic one for mission critical access.

  • edited January 11

    an attacker would need to know what fqdn is allowed, and then hack that dns entry to his ip.
    imo very unlikely. and you would notice it very fast.

    i have some 5g antennas as backup, static ip is not available.
    the 5g antenna updates its ddns by its own.

  • Read about the DYN attack

  • i would not mix up availability issues of a 3rd party service with general security of a firebox config.
    imo an fqdn in an ipsec/ike filter is quite secure, at least more secure than default + old fireware
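The policy behaviour debated in this thread, as an added illustration (not WatchGuard code and not from the linked article): an IKE policy "From" list that mixes a static IP with a DDNS FQDN, showing the window after an ISP address change in which the dynamic peer is dropped until DDNS catches up, and the resolution change a defender would want logged. The peer name, addresses and resolver are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Added illustration, not WatchGuard code: a policy "From" list that mixes
# static IPs with DDNS FQDNs, as the thread discusses. The resolver is
# injected so the example runs offline on constructed data.
Resolver = Callable[[str], Set[str]]  # fqdn -> set of A-record addresses


@dataclass
class IkePeerFilter:
    static_ips: Set[str]
    fqdns: List[str]
    resolve: Resolver
    cache: Dict[str, Set[str]] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def refresh(self) -> None:
        """Re-resolve each FQDN; record failures and any change of answer."""
        for name in self.fqdns:
            try:
                ips = self.resolve(name)
            except OSError as exc:  # DDNS provider unreachable (cf. the DYN outage)
                self.events.append(f"resolve-failed {name}: {exc}")
                continue  # keep the last good answer rather than dropping the peer
            old = self.cache.get(name)
            if old is not None and old != ips:  # DDNS update, or a hijacked record
                self.events.append(f"changed {name}: {sorted(old)} -> {sorted(ips)}")
            self.cache[name] = ips

    def allows(self, src_ip: str) -> bool:
        """Would an IKE packet from src_ip pass the policy's From list?"""
        return src_ip in self.static_ips or any(
            src_ip in ips for ips in self.cache.values())


def demo() -> dict:
    """Constructed scenario: the branch's ISP reassigns its address."""
    dns = {"branch.example.net": {"198.51.100.7"}}  # hypothetical DDNS name
    f = IkePeerFilter({"203.0.113.10"}, ["branch.example.net"],
                      lambda n: set(dns[n]))
    f.refresh()
    before = f.allows("198.51.100.7")   # True: matches current DDNS answer
    stale = f.allows("198.51.100.99")   # False: new address, DDNS not updated yet
    dns["branch.example.net"] = {"198.51.100.99"}
    f.refresh()                         # change is recorded in f.events
    after = f.allows("198.51.100.99")   # True once DDNS has caught up
    return {"before": before, "stale": stale, "after": after, "events": f.events}
```

In production the `events` list would go to the Firebox or SIEM log feed; a `changed` entry for a peer whose address should be stable is the signal the thread says an operator would "notice very fast".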
