This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Securing IPSec VPN tunnel

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Securing IPSec VPN tunnel

peterpan13888
Not applicable

‎12-02-2013 08:52 AM

Recently we are planning to roll out potentially hundreds of IPSEC VPN tunnels at our customer locations to access our own remote devices securely over the Internet. However, we don't have good control of physical access to these remote VPN devices managed by us and I don't want unauthorized access to our trusted network (in separate security zone) through these remote devices. 


The good news is that we will always initiate connections and the TCP/UDP port is always fixed.  I tried to add a firewall rule that ended up terminating the VPN tunnel. I am also aware the IPSEC proxy tab allows me to set the protocol and ports on both ends but not sure this works.


Any suggestions how to lock it down based on these two requirements?


Thanks!


Peter Man  

Labels:
0 Likes Likes
3 REPLIES 3

mbutt
L5 Sessionator

‎12-02-2013 11:22 AM

you can create a security policy to allow or block the traffic.

You will also have option to monitor the traffic in the logs and can take decision whether to allow or block apps/ip/ports.

Hope this helps.

Numan

peterpan13888
Not applicable

‎12-03-2013 06:00 AM

Actually I did try to add a policy that terminated the the vpn tunnel and causing some grief. I am going to do more testing in a test environment to see how it works without interrupting production services.

Thanks.

0 Likes Likes

HULK
L7 Applicator

‎12-03-2013 10:31 AM

Hello,

In case of site-to-site VPN, I would recommend you to configure Proxy-ID to more control over the traffic and prevent unauthorized access to your internal resources. The ID payload during IPsec phase-2 negotiation, contains the proxy identities on whose behalf the initiator does the negotiation. These are generally IP address subnets, but they can have more fields, such as port, too. In the case of a site-to-site IPsec set up with two gateways doing IPsec negotiations with each other, the proxy IDs are based on rules defined on the gateways that define what type of traffic is supposed to be encrypted by the peers ( specific source, destination, protocols). So, if you have multiple subnets to allow behind both VPN peers, there will be multiple SPI ( security parameter Index) to enhance the security and administrative control over the VPN tunnel.

Hope this helps.

Thanks

  • 2830 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks