Netgate Discussion Forum
Allow IPSEC to all on LAN except

4 Posts 2 Posters 570 Views
    ChrisFromDallas, Mar 17, 2023, 7:46 PM

    I have an IPSEC tunnel between the home office and the remote office. I want to allow all traffic across the VPN except for a group of IP addresses at the remote office, which I have created an alias group for.

    But whatever I try doesn't seem to work in blocking the VPN traffic from the disallowed IPs.

    Hoping for some help in creating a rule to block traffic bound for the home office for a certain group of IPs on the remote office network. Any suggestions?

      viragomann @ChrisFromDallas, Mar 17, 2023, 7:58 PM

      @chrisfromdallas
      You need to put the block rule with the alias as destination above the pass-any rule on LAN to get it applied first.

      Also consider deleting the states after adding a block rule. If there is an existing state, the traffic keeps on passing.

        ChrisFromDallas @viragomann, Mar 17, 2023, 8:14 PM

        @viragomann Thanks, but unfortunately I must be missing something.

        On my REMOTE OFFICE router, I set a rule like this on the LAN section:

        Protocol: IPv4*
        Source: 192.168.0.0/24 (the HOME OFFICE subnet)
        Port: *
        Destination: GuestIPs (the alias group for the disallowed IP addresses)
        Port: *
        Gateway: *

        That rule is at the top of the list, and after clearing states I'm still able to pass traffic from the disallowed IPs at REMOTE OFFICE to the LAN at HOME OFFICE.

        Any ideas where I may have gone wrong?

          viragomann @ChrisFromDallas, Mar 17, 2023, 8:23 PM

          @chrisfromdallas
          The rule has to be added to the interface where the traffic is coming in. So this might be IPSec in the office.

          I was talking about your site before.
          But if you have access to the remote site, best practice is to only allow certain destinations.
          You can do this by adding the pass rule on IPSec, stating the alias (for IPs to block) and checking "invert match". So the pass then allows any but the IPs in the alias.

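The three points raised in this thread (first-match ordering, the rule belonging on the interface where traffic enters, and "invert match" on an alias) can be checked with a small rule evaluator. This is an added example, not pfSense code or anything posted by the participants; the addresses, the GuestIPs alias contents and the interface names are constructed for illustration.

```python
# Minimal first-match rule evaluator modelling the pfSense behaviour discussed
# in the thread: rules apply on the interface where a packet ENTERS, the first
# matching rule wins, default is deny, an alias may be used with "invert match",
# and an existing state bypasses the rule set entirely.
from ipaddress import ip_address, ip_network

ALIASES = {"GuestIPs": ["192.168.1.50/32", "192.168.1.51/32"]}  # constructed alias

def matches(spec, addr):
    """spec: '*', a CIDR string, an alias name, or ('!', spec) for invert match."""
    if spec == "*":
        return True
    if isinstance(spec, tuple) and spec[0] == "!":
        return not matches(spec[1], addr)
    nets = ALIASES.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)

def evaluate(rules, iface, src, dst, states=()):
    """Decision for a packet entering `iface`: existing state wins, then the
    first matching rule on that interface, otherwise the implicit default deny."""
    if (iface, src, dst) in states:
        return "pass (existing state)"
    for r in rules:
        if r["iface"] == iface and matches(r["src"], src) and matches(r["dst"], dst):
            return r["action"]
    return "block"

HOME = "192.168.0.0/24"                      # home office subnet (constructed)
GUEST, HOME_HOST = "192.168.1.50", "192.168.0.10"

# The rule as posted, on the remote-office LAN: source = HOME, destination = GuestIPs.
# A guest's packet enters LAN with src=guest, dst=home, so it never matches this
# rule and falls through to the pass-any rule below it.
posted = [
    {"iface": "lan", "action": "block", "src": HOME, "dst": "GuestIPs"},
    {"iface": "lan", "action": "pass", "src": "*", "dst": "*"},
]
# Same interface, direction corrected: block guest -> home, placed above pass-any.
fixed_block = [
    {"iface": "lan", "action": "block", "src": "GuestIPs", "dst": HOME},
    {"iface": "lan", "action": "pass", "src": "*", "dst": "*"},
]
# The invert-match variant on the interface where the tunnel traffic arrives:
# pass only sources NOT in GuestIPs; everything else hits the default deny.
inverted = [
    {"iface": "ipsec", "action": "pass", "src": ("!", "GuestIPs"), "dst": HOME},
]

if __name__ == "__main__":
    print(evaluate(posted, "lan", GUEST, HOME_HOST))       # pass
    print(evaluate(fixed_block, "lan", GUEST, HOME_HOST))  # block
    print(evaluate(inverted, "ipsec", GUEST, HOME_HOST))   # block
```

Passing an existing state such as `states={("lan", GUEST, HOME_HOST)}` to `evaluate` shows why the block rule alone changes nothing until the states are cleared.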
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.