Restrict IPSEC VPN access

Hi, I have a WG M300 at a data centre (v12.xx) and I want to restrict IPSEC VPN user connections to this firewall to certain trusted public IPs.

What's the easiest way to do that? I have looked and can't see any settings restricting the from IP address.

Would I need to do a custom filter and block the ports?

There are no SSL VPNs here, just IPSEC.
Thanks

Comments

  • You need to unselect "Enable built-in IPSec policy" and add your own IPSec policy
    From: desired IP addrs, To: Any-external

    See the Disable or Enable the Built-in IPSec Policy section here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

  • Superb! Thanks Bruce

  • Following the WG documentation I still have an issue:

    1. Disable the built-in IPSec policy
    2. Create a new custom policy with:
       - ESP protocol
       - AH protocol
       - Port 500 UDP
       - Port 4500 UDP
    3. Restrict IPs on that policy to "Firebox"

    This works fine, as I now cannot IPSEC VPN without being on the list.

    However, the connections tend to disconnect after a few minutes; if I reverse the changes out, they don't disconnect.

    I can open a support call with WG; I just wondered if you had maybe seen this before? Or is the custom policy missing something?

    Cheers

  • FYI - there is a predefined IPSec Packet Filter that you can use.

    No, I have not seen this.

    Without diagnostic logging, no idea what could be causing the session to disconnect.

    You can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    Do open that support incident, but do have some IKE diagnostic logs available for support.

  • I changed to the WG predefined IPSec Packet Filter and have not had any issues testing today, even though mine looked identical in configuration. I have now applied this to two WG M200s to test, so I will see how it goes. Thanks.
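A small sanity-check for the allow-list policy discussed in this thread, added here as an example and not taken from WatchGuard or the posters: it models the custom policy (ESP, AH, UDP/500 and UDP/4500 from trusted sources to the Firebox) next to the built-in "Any-External" policy, so you can confirm which peers each one would pass before committing the change. The trusted networks and test flows are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Dict, Tuple, Iterable

# Constructed trusted-source list (placeholder documentation ranges, not real peers).
# This stands in for the "From:" field of the custom IPsec policy in the thread.
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]

# The IPsec components the thread's custom policy allows to the Firebox.
IPSEC_PROTOCOLS = {"esp", "ah"}
IPSEC_UDP_PORTS = {500, 4500}   # IKE and NAT-T


@dataclass(frozen=True)
class Flow:
    src: str                  # source address of the inbound packet
    proto: str                # "esp", "ah", "udp" or "tcp"
    dport: Optional[int] = None  # destination port, only meaningful for udp/tcp


def is_ipsec(flow: Flow) -> bool:
    """True if the packet is one of the IPsec components the policy covers."""
    if flow.proto in IPSEC_PROTOCOLS:
        return True
    return flow.proto == "udp" and flow.dport in IPSEC_UDP_PORTS


def builtin_policy_allows(flow: Flow) -> bool:
    """Built-in IPSec policy: the IPsec components from Any-External."""
    return is_ipsec(flow)


def custom_policy_allows(flow: Flow) -> bool:
    """Custom policy: same components, but only from the trusted list."""
    src = ipaddress.ip_address(flow.src)
    return is_ipsec(flow) and any(src in net for net in TRUSTED)


def compare(flows: Iterable[Flow]) -> Dict[Flow, Tuple[bool, bool]]:
    """Map each flow to (built-in verdict, custom verdict) for side-by-side review."""
    return {f: (builtin_policy_allows(f), custom_policy_allows(f)) for f in flows}


if __name__ == "__main__":
    sample = [Flow("203.0.113.10", "udp", 500), Flow("192.0.2.5", "udp", 4500),
              Flow("198.51.100.7", "esp"), Flow("203.0.113.10", "tcp", 443)]
    for flow, (b, c) in compare(sample).items():
        print(f"{flow.src:>14} {flow.proto:>4} {str(flow.dport):>5}  built-in={b}  custom={c}")
```
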
