Geo location for VPN - allows disabled country
Despite an unnamed country being disabled in Geolocation, a user can connect to the VPN without any issues. How come?
Is it a bug or some bigger issue?
Seeing this as a potential security risk, I really want to get this fixed as soon as possible.
Does anyone have any clue about this?
Hi @Thiseffinguy
There are a few reasons this might happen:
- Is geolocation turned on for the inbound VPN policy?
- If this is an IPSec VPN, are you using the built-in IPSec policy, or a custom policy?
- Is geolocation detecting the correct country for that connection?
Since there are quite a few moving factors here, I'd suggest opening a support case so that one of our support team can help look into the issue with you.
-James Carson
WatchGuard Customer Support
Thanks for your response!
It is an IPSec VPN. That is probably why the policy was never transferred to the new one, hence global access on that VPN. We suspect that it might be because Geolocation would block all active tunnels between offices. We're looking for some alternative solution for solving this.
Do you have any suggestions of how we could proceed?
Presumably you can disable the built-in IPSec policy, and then create custom IPSec policies - 1 for the BOVPN tunnels, and 1 for everything else, which would be the Mobile VPN with IPSec.
See this section:
Disable or Enable the Built-in IPSec Policy
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html
I quite seriously have been seeing this frequently over the past couple of weeks. We onboarded some staff overseas (Pakistan and India). Even though Pakistan was blocked (yes on my SSL and IKE VPN policies) they were able to connect. A few users were running the VPN inside of a VPN, meaning they already had a VPN to present a US IP address and were running OpenVPN inside of that.
I considered opening a case, but the reality is that I need them to connect, and I was shocked that they could. They were blocked from a couple of web-based servers (and showing in Dimension)...but the VPNs, they ran just dandy (and should not have - I guess).
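The support reply above asks whether geolocation is detecting the correct country for the VPN connection, and the last comment describes logins that were allowed despite the source country being blocked. The following audit script is an added example, not code from the thread or from WatchGuard: it reads constructed VPN authentication log lines in a hypothetical key=value format (not Fireware's real log format), geolocates each source with a constructed prefix table standing in for a real GeoIP lookup, and lists every allowed login from a disabled country together with the policy that admitted it, which is exactly the evidence to put in a support case.

```python
import ipaddress

# Constructed sample VPN authentication log lines in a hypothetical key=value
# format; this is not WatchGuard's real log format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 vpn=MobileVPN-IKEv2 user=alice src=203.0.113.10 action=allow policy=Built-in-IPSec
2024-05-01T08:05:44 vpn=BOVPN user=gw-office2 src=198.51.100.7 action=allow policy=Built-in-IPSec
2024-05-01T09:12:30 vpn=MobileVPN-IKEv2 user=bob src=192.0.2.55 action=allow policy=Built-in-IPSec
2024-05-01T09:30:12 vpn=SSLVPN user=carol src=192.0.2.56 action=deny policy=SSLVPN-Users
"""

# Constructed prefix-to-country table standing in for a real geolocation lookup;
# "XX" is a placeholder for the country that is disabled in Geolocation.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "XX",
}
DISABLED_COUNTRIES = {"XX"}

def lookup_country(ip: str) -> str:
    """Map a source address to a country code; '??' when unclassified."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"

def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict (timestamp kept under 'ts')."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def audit(log_text: str, disabled: set = DISABLED_COUNTRIES) -> list:
    """Return (user, src, country, vpn, policy) for every *allowed* login
    whose source geolocates to a disabled country: each one is a policy gap."""
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        cc = lookup_country(rec["src"])
        if rec["action"] == "allow" and cc in disabled:
            gaps.append((rec["user"], rec["src"], cc, rec["vpn"], rec["policy"]))
    return gaps

if __name__ == "__main__":
    for user, src, cc, vpn, policy in audit(SAMPLE_LOG):
        print(f"GAP: {user} from {src} ({cc}) via {vpn} matched policy {policy}")
```

A login that arrives through another VPN geolocates to that VPN's exit country, as the last comment notes, so this check finds policy gaps in what the firewall actually saw; it cannot reveal a user's true location.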