Restrict IPSEC VPN access
Hi, I have a WG M300 at a data centre (v12.xx) and I want to restrict IPSEC VPN user connections to this firewall from certain trusted public IPs.
What's the easiest way to do that? I have looked and can't see any settings restricting the "from" IP address.
Would I need to create a custom filter and block the ports?
There are no SSL VPNs here, just IPSEC.
Thanks
Comments
You need to unselect "Enable built-in IPSec policy" and add your own IPSec policy:
From: desired IP addresses, To: Any-external
See the Disable or Enable the Built-in IPSec Policy section here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html
Superb! Thanks Bruce.
Following the WG documentation I still have an issue:
Created a new custom policy with:
ESP protocol
AH Protocol
Port 500 UDP
Port 4500 UDP
Restricting IPs on that policy to "Firebox"
This works fine, as I now cannot IPSEC VPN without being on the list.
However, the connections tend to disconnect after a few minutes; if I reverse the changes out, they don't disconnect.
I can open a support call with WG, just wondered if you had maybe seen this before? Or is the custom policy missing something?
Cheers
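To sanity-check a policy like the one listed above, here is an added Python example (not from this thread or from WatchGuard; the trusted addresses are constructed sample values and the model is a simplified first-match, assumed default-deny evaluator, not the Firebox policy engine) that confirms a trusted peer is allowed on all four IPsec elements and an untrusted one is denied:

```python
# Added example: a small first-match policy evaluator for a restricted
# IPsec policy. Protocol numbers are standard IANA values; the trusted
# address list is constructed sample data, not from the thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the pieces the custom policy has to carry.
UDP, ESP, AH = 17, 50, 51


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    proto: int            # IP protocol number
    dport: Optional[int]  # None = any port (ESP/AH have no ports)
    action: str           # "allow" or "deny"


def _src_matches(rule_src: str, ip: str) -> bool:
    if rule_src == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)


def evaluate(rules, src_ip, proto, dport=None):
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for r in rules:
        if _src_matches(r.src, src_ip) and r.proto == proto and r.dport in (None, dport):
            return r.action
    return "deny"


def missing_ipsec_parts(rules, peer_ip):
    """Names of the IKE/IPsec elements a given peer would still be blocked on."""
    required = {"IKE udp/500": (UDP, 500), "NAT-T udp/4500": (UDP, 4500),
                "ESP": (ESP, None), "AH": (AH, None)}
    return sorted(n for n, (p, d) in required.items()
                  if evaluate(rules, peer_ip, p, d) != "allow")


# Constructed sample: the thread's custom policy, From: trusted IPs, To: Firebox.
TRUSTED = ["203.0.113.0/24", "198.51.100.7/32"]
IPSEC_PARTS = ((UDP, 500), (UDP, 4500), (ESP, None), (AH, None))
CUSTOM_POLICY = [Rule(t, p, d, "allow") for t in TRUSTED for p, d in IPSEC_PARTS]

# Same policy with the NAT-T rule left out, so the check has something to flag.
NO_NATT = [r for r in CUSTOM_POLICY if r.dport != 4500]

if __name__ == "__main__":
    print(evaluate(CUSTOM_POLICY, "203.0.113.10", UDP, 500))  # allow
    print(evaluate(CUSTOM_POLICY, "192.0.2.1", ESP))          # deny
    print(missing_ipsec_parts(NO_NATT, "198.51.100.7"))       # ['NAT-T udp/4500']
```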
FYI - there is a predefined IPSec Packet Filter that you can use.
No, I have not seen this.
Without diagnostic logging, no idea what could be causing the session to disconnect.
You can turn on diagnostic logging for IKE which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
Do open that support incident, but do have some IKE diagnostic logs available for support.
I changed to the WG predefined IPSec Packet Filter and have not had any issues testing today, even though mine looked identical in configuration... I have now applied this to two WG M200s to test, so I will see how it goes. Thanks.