<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Securing IPSec VPN tunnel in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51652#M37997</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can create a security policy to allow or block the traffic.&lt;/P&gt;&lt;P&gt;You will also have the option to monitor the traffic in the logs and can decide whether to allow or block apps/IPs/ports.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;Numan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 02 Dec 2013 19:22:30 GMT</pubDate>
    <dc:creator>mbutt</dc:creator>
    <dc:date>2013-12-02T19:22:30Z</dc:date>
    <item>
      <title>Securing IPSec VPN tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51651#M37996</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Recently we are planning to roll out potentially hundreds of IPSEC VPN tunnels at our customer locations to access our own remote devices securely over the Internet. However, we don't have good control of physical access to these remote VPN devices managed by us, and I don't want unauthorized access to our trusted network (in a separate security zone) through these remote devices.&lt;/P&gt;&lt;P&gt;The good news is that we will always initiate connections and the TCP/UDP port is always fixed. I tried to add a firewall rule that ended up terminating the VPN tunnel. I am also aware the IPSEC proxy tab allows me to set the protocol and ports on both ends, but I am not sure this works.&lt;/P&gt;&lt;P&gt;Any suggestions on how to lock it down based on these two requirements?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Peter Man&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Dec 2013 16:52:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51651#M37996</guid>
      <dc:creator>peterpan13888</dc:creator>
      <dc:date>2013-12-02T16:52:07Z</dc:date>
    </item>
    <item>
      <title>Re: Securing IPSec VPN tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51652#M37997</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can create a security policy to allow or block the traffic.&lt;/P&gt;&lt;P&gt;You will also have the option to monitor the traffic in the logs and can decide whether to allow or block apps/IPs/ports.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;Numan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Dec 2013 19:22:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51652#M37997</guid>
      <dc:creator>mbutt</dc:creator>
      <dc:date>2013-12-02T19:22:30Z</dc:date>
    </item>
    <item>
      <title>Re: Securing IPSec VPN tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51653#M37998</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Actually I did try to add a policy that terminated the VPN tunnel and caused some grief. I am going to do more testing in a test environment to see how it works without interrupting production services.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Dec 2013 14:00:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51653#M37998</guid>
      <dc:creator>peterpan13888</dc:creator>
      <dc:date>2013-12-03T14:00:49Z</dc:date>
    </item>
    <item>
      <title>Re: Securing IPSec VPN tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51654#M37999</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;In the case of a site-to-site VPN, I would recommend that you configure Proxy-ID for more control over the traffic and to prevent unauthorized access to your internal resources. The ID payload during IPsec phase-2 negotiation contains the proxy identities on whose behalf the initiator does the negotiation. These are generally IP address subnets, but they can have more fields, such as port, too. In the case of a site-to-site IPsec setup with two gateways doing IPsec negotiations with each other, the proxy IDs are based on rules defined on the gateways that define what type of traffic is supposed to be encrypted by the peers (specific source, destination, protocols). So, if you have multiple subnets to allow behind both VPN peers, there will be multiple SPIs (Security Parameter Indexes) to enhance the security and administrative control over the VPN tunnel.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Dec 2013 18:31:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/securing-ipsec-vpn-tunnel/m-p/51654#M37999</guid>
      <dc:creator>HULK</dc:creator>
      <dc:date>2013-12-03T18:31:43Z</dc:date>
    </item>
  </channel>
</rss>