USG 110 - VPN - Geo IP blocking.

Hi,
I have a VPN connection using L2TP over IPSec with a pre-shared password. The latest firmware is installed.

I would very much appreciate it if someone could help me set up blocking of access to my VPN from all countries other than my home country.

Some time ago, when I logged into the USG110, it was suggested that I use a wizard to set up geo blocking of all countries other than my home country. I did that, but it seems not to work. I have meanwhile tested it from other countries, and I can log in and use the VPN to connect to my home LAN.

I am not happy about that, as I can see in the log file that the VPN is under heavy attack from countries around the world now and then. I know that none of those that try have anything to do here, as the VPN is only going to be used by my child.


Many thanks in advance.


Accepted Solution

  • zyman2008
    Hi firerabbit,
    1. First, create a country address object.
    (1) Go to Object > Address/Geo IP > Address.
    (2) Click Add and, in the pop-up window, give the object a name, e.g. US, DE, NL ...
    (3) For Address Type select GEOGRAPHY, and for Region select your country.

    2. Edit the default WAN-to-ZyWALL security policy, changing the Source Address from "any" to the country address object created in the previous step.
    (1) Go to Security Policy > Policy Control. Select the rule named "WAN_to_Device" and click Edit.
    (2) Change Source from "any" to the country address object.


All Replies

  • Hi zyman2008,

    Thank you very much for your help but unfortunately I could not get it to work.

    The VPN request from remote uses port 4500 on my side.

    I have created the address object described in step 1: "My_country".

    I now have in the Policy Control:

    Name: WAN_to_Device
    From: WAN
    To: ZyWALL
    Source: My_country
    Destination: any
    Service: Default_Allow_WAN_To_ZyWALL
    User: any
    Schedule: none
    Action: allow
    Log matched traffic: log

    I can see in the log file that there is still IKE-category traffic from outside.

    Any suggestions?

    Thanks.

  • zyman2008
    edited January 25
    Hi @firerabbit,
    My USG110 on 4.73 works fine with the GeoIP settings.

    Maybe you can use the filter on the Policy Control page to check whether any other rule allows UDP 500/4500 traffic to your USG.
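    The point of that filtering step is that policy control is first-match: restricting WAN_to_Device to a country object does nothing if another, broader rule also admits UDP 500/4500. The following is an added illustration, not Zyxel's code or anything from this thread; it models a simplified top-down rule table (constructed rule names, default deny assumed) and a helper that mirrors "filter the page for rules allowing this service".

```python
from dataclasses import dataclass

# Hypothetical simplified model of a policy-control table (constructed for
# illustration, not the USG implementation): top-down, first match wins,
# no match falls through to an assumed default of "deny".
IKE_SERVICES = {("udp", 500), ("udp", 4500)}  # IKE and NAT-T, as in the thread

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str      # "any" or a geo address object such as "My_country"
    services: set    # set of (proto, port); empty set means "any"
    action: str      # "allow" or "deny"

@dataclass
class Packet:
    country: str     # country the GeoIP lookup resolved the source IP to
    from_zone: str
    to_zone: str
    proto: str
    port: int

def matches(rule, pkt):
    return (rule.from_zone == pkt.from_zone and rule.to_zone == pkt.to_zone
            and rule.source in ("any", pkt.country)
            and (not rule.services or (pkt.proto, pkt.port) in rule.services))

def decide(rules, pkt, default="deny"):
    """Return (action, rule_name) of the first matching rule, else the default."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return default, "default"

def rules_allowing(rules, proto, port):
    """Mirror the filtering step: which rules admit this service from any source?"""
    return [r.name for r in rules
            if r.action == "allow" and r.source == "any"
            and (not r.services or (proto, port) in r.services)]

# Constructed example: the geo-restricted WAN_to_Device plus a forgotten broad rule.
POLICY = [
    Rule("WAN_to_Device", "WAN", "ZyWALL", "My_country", IKE_SERVICES | {("udp", 1701)}, "allow"),
    Rule("Old_VPN_Allow", "WAN", "ZyWALL", "any", IKE_SERVICES, "allow"),  # the culprit
]
FOREIGN_IKE = Packet("elsewhere", "WAN", "ZyWALL", "udp", 4500)
HOME_IKE = Packet("My_country", "WAN", "ZyWALL", "udp", 4500)
```

    With Old_VPN_Allow present, foreign IKE is still admitted by that rule; removing it (or scoping it to the country object) leaves foreign IKE to the default deny while home traffic still matches WAN_to_Device.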

  • Hi zyman2008,
    I found another rule by using the filtering you suggested.
    Now it works!!
    Thank you so much for your time and help. Highly appreciated.
