VPN client to site and geo ip

mlik
mlik Posts: 25  Freshman Member
First Comment Fourth Anniversary

I need help planning the implementation of firewalls and VPN connections on USG Flex 100 devices. I have 3 locations and I will create site-to-site VPN connections between them. Additionally, I need to create a client-to-site connection for mobile devices, e.g. laptop, macbook or iPhone. I understand that I have 2 options to choose from here. I create a client-to-site VPN connection to the selected point and configure routing for the remaining points. The second option is to create a separate VPN connection with each point. The disadvantage of the first option is that if there is no access to this - selected location, I will not connect to any other. The disadvantage of the second option is that I can only have 1 active connection. What is your practice in this example? I have a problem when it comes to connecting mobile clients from abroad. I usually implement geo IP rules that block connections from all countries except my own. How do I configure the geo IP so that it does not block devices that connect on a client-to-site basis that will try to connect from abroad.

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    So each site LAN IP/subnet should be different then for Remote Access (Server Role) to then route if needed to other site to site.

    As for geo IP when you limit to a country for port 500, 4500 and protocol 50 then you can't have any one from abroad but one thing you can do is have them setup DDNS then you allow that FQDN for them ports

  • mlik
    mlik Posts: 25  Freshman Member
    First Comment Fourth Anniversary

    it is known that the client will have an IP address set by me. Is it not possible to configure the firewall so that it does not include specific addresses for geo ip? I do not want to play with DDNS.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    If you know the client WAN IP you can firewall that IP to be allowed

  • mlik
    mlik Posts: 25  Freshman Member
    First Comment Fourth Anniversary
    edited July 25

    I won't know the WAN address because it will change. I thought about the local address assigned when the client connects to the site. That's my mistake. So what remains is to use DDNS and pass the name for the appropriate ports? Is this your practice in such situations? DDNS for iPhone, Mac and Laptop, I can't imagine this configuration. Especially since it's about configuring a connection that will be implemented once a year (e.g. on vacation). Most of the time, clients will connect in the same country and geo IP blocking won't interfere.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 25

    Its the only way really (short from allowing all) if you never know the WAN IP they connect from you can use a app to update what IP they are on or by a router with DDNS support

  • mlik
    mlik Posts: 25  Freshman Member
    First Comment Fourth Anniversary

    I'm surprised there's no other option. After all, the device that connects as a client has its own identifier, e.g. in the form of a certificate, login, password for the VPN connection. The firewall knows what kind of device it is and I'm surprised that you can't add such a device as an exception.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 25

    If you geo IP ports 500, 4500 and protocol 50 then any source IP by geo IP will be allowed along with needing VPN user, password and certificate or Pre-Shared Key log in. So lets say I'm your client abroad in the UK and your setup in France by geo IP allow how do I connect to your USG from the UK when you have blocked me? how do you allow me?

  • mlik
    mlik Posts: 25  Freshman Member
    First Comment Fourth Anniversary

    I'm a bit confused, maybe it's a translator issue. In that case, a simple solution is to unblock ports 500, 4500 in geo ip. I suspect a danger related to allowing access, but there are certificates, logins and passwords? By the way, how do you create this type of rule?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 26

    By a Remote Access (Server Role) either IKEv1 L2TP over IPSec or IKEv2 you can use a Pre-Shared Key or certificate along with the option to do user and password login so if you allow from anywhere for ports 500, 4500 and protocol 50 anyone trying to login needs to know Pre-Shared Key or certificate along with the option to do user and password the point of geo ip is to limit attempts from other countries or ones you trust. 

Security Highlight