Securing IPSec VPN tunnel

Not applicable

Recently we have been planning to roll out potentially hundreds of IPSEC VPN tunnels at our customer locations to access our own remote devices securely over the Internet. However, we don't have good control of physical access to these remote VPN devices managed by us, and I don't want unauthorized access to our trusted network (in a separate security zone) through these remote devices.


The good news is that we will always initiate connections and the TCP/UDP port is always fixed. I tried to add a firewall rule that ended up terminating the VPN tunnel. I am also aware the IPSEC proxy tab allows me to set the protocol and ports on both ends, but I'm not sure this works.


Any suggestions on how to lock it down based on these two requirements?


Thanks!


Peter Man  

3 REPLIES

L5 Sessionator

You can create a security policy to allow or block the traffic.

You will also have the option to monitor the traffic in the logs and can decide whether to allow or block apps/IPs/ports.

Hope this helps.

Numan

Not applicable

Actually I did try to add a policy that terminated the VPN tunnel and caused some grief. I am going to do more testing in a test environment to see how it works without interrupting production services.

Thanks.

L7 Applicator

Hello,

In the case of a site-to-site VPN, I would recommend you configure Proxy-ID for more control over the traffic and to prevent unauthorized access to your internal resources. The ID payload during IPsec phase-2 negotiation contains the proxy identities on whose behalf the initiator does the negotiation. These are generally IP address subnets, but they can have more fields, such as port, too. In the case of a site-to-site IPsec setup with two gateways doing IPsec negotiations with each other, the proxy IDs are based on rules defined on the gateways that define what type of traffic is supposed to be encrypted by the peers (specific source, destination, protocols). So, if you have multiple subnets to allow behind both VPN peers, there will be multiple SPIs (Security Parameter Index) to enhance the security and administrative control over the VPN tunnel.

Hope this helps.

Thanks
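Worked example, added here as an illustration and not part of any reply in this thread or of PAN-OS itself: a small Python model of how phase-2 Proxy-IDs (IKE traffic selectors) decide which packets a gateway will put into a tunnel. Each Proxy-ID pair negotiates its own child SA with its own SPIs; a packet that matches no Proxy-ID is dropped rather than tunnelled, and inbound (decrypted) traffic is checked against the mirrored selector. The subnets, ports and SA names are constructed for the example. The narrow selector mirrors the poster's situation (one fixed TCP port, our side initiates), the broad "any/any" selector is the default many tunnels are built with.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

# Constructed model of IPsec phase-2 Proxy-ID matching. Not PAN-OS code;
# the firewall performs the equivalent check internally. All addresses,
# ports and SA names below are illustrative.

PROTO_ANY, PROTO_TCP, PROTO_UDP = 0, 6, 17   # selector convention: 0 = any
PORT_ANY = 0                                 # selector convention: 0 = any


@dataclass(frozen=True)
class ProxyID:
    """One Proxy-ID pair; each negotiates its own phase-2 SA (own SPIs)."""
    name: str
    local: IPv4Network          # subnet behind this gateway
    remote: IPv4Network         # subnet behind the peer
    protocol: int = PROTO_ANY
    local_port: int = PORT_ANY
    remote_port: int = PORT_ANY


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    sport: int
    dport: int


def _port_ok(selector_port: int, packet_port: int) -> bool:
    return selector_port == PORT_ANY or selector_port == packet_port


def _proto_ok(pid: ProxyID, pkt: Packet) -> bool:
    return pid.protocol == PROTO_ANY or pkt.protocol == pid.protocol


def matches_outbound(pid: ProxyID, pkt: Packet) -> bool:
    """Cleartext packet leaving our side toward the peer."""
    return (pkt.src in pid.local and pkt.dst in pid.remote
            and _proto_ok(pid, pkt)
            and _port_ok(pid.local_port, pkt.sport)
            and _port_ok(pid.remote_port, pkt.dport))


def matches_inbound(pid: ProxyID, pkt: Packet) -> bool:
    """Decrypted packet arriving from the peer: the selector is mirrored."""
    return (pkt.src in pid.remote and pkt.dst in pid.local
            and _proto_ok(pid, pkt)
            and _port_ok(pid.remote_port, pkt.sport)
            and _port_ok(pid.local_port, pkt.dport))


def select_sa(proxy_ids: Iterable[ProxyID], pkt: Packet,
              inbound: bool = False) -> Optional[str]:
    """Name of the SA the packet maps to, or None when no Proxy-ID covers
    it (the gateway then drops it instead of tunnelling it)."""
    check = matches_inbound if inbound else matches_outbound
    for pid in proxy_ids:
        if check(pid, pkt):
            return pid.name
    return None


def pkt(src: str, dst: str, proto: int, sport: int, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, sport, dport)


# Constructed Proxy-IDs (hypothetical subnets and port).
NARROW = [ProxyID("mgmt-tcp-8443", ip_network("10.1.0.0/24"),
                  ip_network("192.168.50.0/24"), PROTO_TCP,
                  remote_port=8443)]
BROAD = [ProxyID("any-any", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]

# Constructed packets.
MGMT = pkt("10.1.0.10", "192.168.50.5", PROTO_TCP, 40000, 8443)   # we initiate
REPLY = pkt("192.168.50.5", "10.1.0.10", PROTO_TCP, 8443, 40000)  # peer answers
LATERAL = pkt("192.168.50.5", "10.1.0.20", PROTO_TCP, 51000, 22)  # peer -> SSH

if __name__ == "__main__":
    print(select_sa(NARROW, MGMT))                   # mgmt-tcp-8443
    print(select_sa(NARROW, REPLY, inbound=True))    # mgmt-tcp-8443
    print(select_sa(NARROW, LATERAL, inbound=True))  # None (dropped)
    print(select_sa(BROAD, LATERAL, inbound=True))   # any-any (tunnelled)
```

Two caveats the model makes visible. First, the selector check is stateless: with the narrow Proxy-ID a remote device can still send packets with source port 8443 into the local subnet, so a zone-based, stateful security policy on the tunnel interface is still needed to limit what the remote side may initiate. Second, the Proxy-ID must be configured identically (mirrored) on both peers, otherwise phase 2 will not come up at all.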
