Netgate Discussion Forum

IPSEC VPN restrict access

Category: IPsec
6 Posts 2 Posters 997 Views
    zMaliz, Dec 21, 2017, 5:59 PM

    Hi.
    I'm looking at creating an IPSEC VPN between home and the office.

    Ideally I'd like to restrict this so only 2/3 devices locally (home) use it and from the office they can only access those 2/3 devices.
    Is this possible ?  Can someone point me in the right direction.

    Thanks

      Derelict (LAYER 8 Netgate), Dec 21, 2017, 6:12 PM

      @zMaliz:

      Hi.
      I'm looking at creating an IPSEC VPN between home and the office.

      Ideally I'd like to restrict this so only 2/3 devices locally (home)

      Pass the traffic you want to allow using firewall rules on the LAN interface for the remote VPN destinations.

      Then reject LAN net to the VPN destinations.

      Ideally this should also be done at the other side for traffic coming into the firewall there but you can generally control it like this too.

      use it and from the office they can only access those 2/3 devices.
      Is this possible ?  Can someone point me in the right direction.

      Pass the traffic you want passed from the remote sources on the IPsec tab.

      Reject everything else (or just let default deny there do it. I prefer reject for internal blocks like this so a negative reply is returned to the source.)

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        zMaliz, Dec 21, 2017, 10:07 PM

        Thanks I'll try this over Christmas and see how I get on..

          zMaliz, Dec 26, 2017, 10:48 AM

          Thanks for the advice. I'm trying to work out the best way to do this..

          So far I've created an alias which contains the internal local IP Addresses I want to access the office via the IPSEC VPN. This alias is called 'OfficeACL'

          In Firewall / Rules / IPSec I've added a rule:
          Source: 192.168.10.0/24 (office range)
          Destination: OfficeACL

          In Firewall / Rules / LAN I've added a rule:
          Source: OfficeACL
          Destination: 192.168.10.0/24  (office range)

          Is that right ? will other devices in the local IP Address range be able to get to the office ?

          Will other devices in the office be able to get to anything other than OfficeACL devices ?

          Thanks

            Derelict (LAYER 8 Netgate), Dec 26, 2017, 7:10 PM

            I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

            What is the Local LAN subnet?


              zMaliz, Dec 27, 2017, 7:15 PM

              @Derelict:

              I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

              What is the Local LAN subnet?

              Hi
              Remote office network is 192.168.10.0/24
              Local LAN is 192.168.25.0/24

              I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the OfficeACL alias.

              Thanks

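The following is an added example, not code from the thread or from pfSense: a small first-match simulator of the two rule tabs Derelict describes (pass OfficeACL to the office on LAN, reject LAN net to the office below it; pass office to OfficeACL on the IPsec tab, let default deny catch the rest), filled in with the subnets zMaliz gave (office 192.168.10.0/24, home LAN 192.168.25.0/24). The two host addresses in the OfficeACL alias, the office host 192.168.10.5, the "other" home host 192.168.25.50 and the Internet address 8.8.8.8 are constructed sample values. It models only what matters for the question in the thread: pfSense evaluates each interface tab top down and the first match wins, the LAN tab ships with a "Default allow LAN to any" pass rule, and the IPsec tab has no rules at all, so unmatched traffic there falls through to the implicit default deny. Protocols and ports are ignored, and, because pf is stateful, reply traffic of an allowed connection needs no rule of its own and is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread.
OFFICE_NET = ipaddress.ip_network("192.168.10.0/24")
HOME_LAN = ipaddress.ip_network("192.168.25.0/24")
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Hypothetical contents of the OfficeACL alias (assumed, not stated in the thread).
OFFICE_ACL = [
    ipaddress.ip_network("192.168.25.10/32"),
    ipaddress.ip_network("192.168.25.11/32"),
]


@dataclass
class Rule:
    action: str          # "pass", "block" or "reject"
    sources: list        # list of ip_network objects
    destinations: list   # list of ip_network objects
    note: str = ""


def _match(nets, addr):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst, default="block"):
    """Return (action, note) of the first rule matching src -> dst.

    Falls back to the implicit default deny when nothing matches, which is
    how an interface tab with no matching rule behaves in pfSense.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _match(rule.sources, src) and _match(rule.destinations, dst):
            return rule.action, rule.note
    return default, "implicit default deny"


# LAN tab, as Derelict describes it: the two explicit rules must sit ABOVE
# the stock default-allow rule, otherwise that rule matches first.
LAN_RULES = [
    Rule("pass", OFFICE_ACL, [OFFICE_NET], "OfficeACL -> office"),
    Rule("reject", [HOME_LAN], [OFFICE_NET], "LAN net -> office"),
    Rule("pass", [HOME_LAN], ANY, "Default allow LAN to any"),
]

# The rule set from zMaliz's post: only the pass rule, no reject beneath it.
LAN_RULES_NO_REJECT = [LAN_RULES[0], LAN_RULES[2]]

# IPsec tab: one pass rule; there is no default-allow rule on this tab.
IPSEC_RULES = [
    Rule("pass", [OFFICE_NET], OFFICE_ACL, "office -> OfficeACL"),
]


def audit(lan_rules, ipsec_rules):
    """Evaluate the flows the thread asks about and return {flow: action}."""
    return {
        "acl host -> office": evaluate(lan_rules, "192.168.25.10", "192.168.10.5")[0],
        "other home host -> office": evaluate(lan_rules, "192.168.25.50", "192.168.10.5")[0],
        "other home host -> internet": evaluate(lan_rules, "192.168.25.50", "8.8.8.8")[0],
        "office -> acl host": evaluate(ipsec_rules, "192.168.10.5", "192.168.25.11")[0],
        "office -> other home host": evaluate(ipsec_rules, "192.168.10.5", "192.168.25.50")[0],
    }


if __name__ == "__main__":
    for name, rules in (("with reject", LAN_RULES), ("without reject", LAN_RULES_NO_REJECT)):
        print(name)
        for flow, action in audit(rules, IPSEC_RULES).items():
            print(f"  {flow:30s} {action}")
```

Running it shows the asymmetry behind Derelict's two answers: on the IPsec tab the single pass rule is enough, because "office -> other home host" hits default deny, but on the LAN tab the default allow rule passes "other home host -> office" unless the reject rule is placed above it. The same check is worth repeating on the office firewall, since a rule on the home side only controls what the home firewall forwards.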
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.