Is a general rule possible to allow IPSec VPN traffic only, from everywhere? I am also using GeoIP

Zyxel_USG_User Posts: 113  Ally Member

Hello,

I have the newest firmware installed on a USG20W-VPN and regularly update the GeoIP database on the firewall.

I use only IPSec VPNs, with the SecuExtender client from macOS and Win11, the native IPSec VPN from iPhone, and the Strongswan IPSec VPN from Android. All works, so far so good.

It is no rocket science for IPSec VPN: it is simply internet access from abroad via trusted and controlled environment, no tunnel splitting, no AD, no fancy access to local servers etc.

I use GeoIP to block all traffic by default from selected countries. Now, sometimes we travel business-wise to countries we permanently block access from with GeoIP. Therefore, before traveling I need to inactivate the specific rule, then re-activate it after returning to base. A bit cumbersome if several people travel simultaneously to several countries, but it works like that.

I wanted to create a simpler rule allowing by default only IPSec VPN traffic from everywhere.

Basically: I want to use IPSec VPN from everywhere, even from the countries, regions or continents blocked via GeoIP, without first disabling the otherwise forbidden access from the selected countries blocked using GeoIP and then re-enabling the GeoIP rule blocking all access from that country.

To do so, I did the following.

I created a service group, let's call it VPNServiceGroup where I placed the predefined services/objects:

AH (which is IP protocol number 51 by default definition in the firewall)

ESP (IP protocol 50, by default definition)

IKE (UDP starting port 500, no ending port, by default definition)

NATT (UDP starting port 4500, no ending port, by default definition)

I left all the protocols above with the default values.

Then, I created a rule and placed it above/before all the rules containing GeoIP blocking of countries, IP ranges etc.

The rule is called let’s say “let IPSec VPN pass through” and it contains, from top to bottom:

From: any

To: ZyWall

Source: any

Destination: own fixed public IP

Service: the above defined service group

Device: any

User: the IPSec VPN users group, where all the allowed users are included

Schedule: none

Action: allow

[…]

I tried this setup from two countries already, and it does not work. I have to inactivate the country in order to be able to use IPSec VPN to the infrastructure.

I also tried the option From: WAN, but it did not work either, so I decided to broaden the possibility and changed From: to any. Still does not work.

What do I need to change, or check in order to make this "IPSec VPN access from everywhere" work?

Thanks for your help.

Accepted Solution

  • PeterUK
    PeterUK Posts: 4,411  Guru Member
    edited October 2025 Answer ✓

    Just set the policy control rule you made with User: any. You can't set that with users, as the connection has not been made first to then know the user.

All Replies

  • PeterUK
    PeterUK Posts: 4,411  Guru Member
    edited October 2025

    You can't use the user setting; only after the VPN connects can you use the user option to control the way that user needs to go.

    For a better option to limit VPN connections, you can have the user set up DDNS; then you can make the Source that FQDN.

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member
    edited October 2025

    Hi PeterUK, I am not sure I understand what you wrote.

    Let me try and rephrase what I aim at.

    We block by default many countries, regions, continents. We occasionally travel business-wise to some of those blocked countries.

    We want, at the same time, that the IPSec VPN will work all the time, from anywhere.

    ONLY IPSec VPN needs to be allowed and to work.

    Until now: we manually set the rule for the country where I travel to inactive. When I come back, we activate the rule again.

    I thought that a new rule placed BEFORE all other blocking rules overrides and allows the IPSec VPN.

    That seems not to work.

    How do I reach this goal?

    The IPSec VPN is very straightforward: only internet connection via firewall, group of separate users.

    No tunnel splitting, no automations, no AD nothing special after the IPSec VPN tunnel is built.


  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member

    Got it now! Cheers!

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member
    edited October 2025

    Give PeterUK a medal! 😊

    Cheers mate, even if it is logical I would not have nailed it without your support.

    If all conditions are met, the rule is applied. As soon as one condition is not met, the rule is discarded and the next one is analysed.

    In the bigger picture, only the VPN users shall use the VPN, duh... this is what I was thinking, but ignoring that if any condition is not met, the whole rule is ignored/discarded and the next one is processed.
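The first-match semantics described in the two posts above, as an added simulation that is not Zyxel code and not part of the thread: every condition of a rule must hold or the rule is skipped, and the IKE/NAT-T packets that set up a tunnel arrive before any user is authenticated, so a pass-through rule that also requires a User never matches them. The service group, the rule names, the country codes `XX`/`YY` and the user names are constructed placeholders.

```python
"""First-match firewall policy simulation (added example, not Zyxel code).

Models the behaviour discussed in the thread: a rule applies only if every
one of its conditions matches; otherwise it is discarded and the next rule
is tried. Before an IPsec tunnel exists the firewall has no authenticated
user for the incoming IKE/ESP packets, so a rule that also requires a User
never matches them and the GeoIP deny rule below wins.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed service group mirroring the one built in the question:
# AH = IP protocol 51, ESP = IP protocol 50, IKE = UDP/500, NAT-T = UDP/4500.
VPN_SERVICE_GROUP = {("ip", 51), ("ip", 50), ("udp", 500), ("udp", 4500)}


@dataclass
class Packet:
    src_country: str            # result of the GeoIP lookup on the source IP
    proto: str                  # "ip" for raw IP protocols, else "udp"/"tcp"
    port_or_ipproto: int        # destination port, or IP protocol number
    user: Optional[str] = None  # authenticated user; None before any tunnel


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    services: Optional[set] = None      # None means Service: any
    users: Optional[set] = None         # None means User: any
    countries: Optional[set] = None     # GeoIP match list; None means any

    def matches(self, pkt: Packet) -> bool:
        # Every condition must hold; the first failing one discards the rule.
        if self.services is not None and (pkt.proto, pkt.port_or_ipproto) not in self.services:
            return False
        if self.users is not None and pkt.user not in self.users:
            return False
        if self.countries is not None and pkt.src_country not in self.countries:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "implicit-default", default


# Hypothetical policy: VPN pass-through rule placed above a GeoIP block rule.
BLOCKED = {"XX", "YY"}  # placeholder country codes


def policy(vpn_users: Optional[set]):
    return [
        Rule("let IPSec VPN pass through", "allow", services=VPN_SERVICE_GROUP, users=vpn_users),
        Rule("GeoIP block", "deny", countries=BLOCKED),
    ]


# Packets as seen at the WAN before the tunnel exists (constructed).
IKE_FROM_BLOCKED = Packet("XX", "udp", 500)      # no authenticated user yet
NATT_FROM_BLOCKED = Packet("XX", "udp", 4500)
HTTPS_FROM_BLOCKED = Packet("XX", "tcp", 443)


def verdict_with_user_group():
    """Original setup: User = VPN users group -> IKE is skipped, GeoIP denies."""
    return evaluate(policy({"alice", "bob"}), IKE_FROM_BLOCKED)


def verdict_with_user_any():
    """Accepted fix: User = any -> pass-through rule matches and allows IKE."""
    return evaluate(policy(None), IKE_FROM_BLOCKED)


def non_vpn_still_blocked():
    """User = any widens nothing else: HTTPS from XX is still denied."""
    return evaluate(policy(None), HTTPS_FROM_BLOCKED)


if __name__ == "__main__":
    print(verdict_with_user_group())   # ('GeoIP block', 'deny')
    print(verdict_with_user_any())     # ('let IPSec VPN pass through', 'allow')
    print(non_vpn_still_blocked())     # ('GeoIP block', 'deny')
```

The third function is the check worth keeping in mind when loosening the User condition: because the pass-through rule still carries the service group, only AH/ESP/IKE/NAT-T to the firewall's own address escape the GeoIP rule; everything else from the blocked countries still falls through to the deny.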

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member

    Hi all, I need to fix the following pattern.

    I use IPSec VPN from dynamic addresses. I implemented the rule above, letting all clients connect using the IPSec VPN protocols and ports suite. Now, the ADP moans constantly, even when set on 'light' sensitivity, about UDP 500/4500 flooding, which is mostly legit IPSec VPN traffic.

    How can I best solve this problem? I was thinking of entering the IPSec VPN protocols and ports suite into the exclusions for the ADP and keeping the ADP sensitivity at 'medium' as desired. Does that make sense, or which best practices do you recommend?

    I do not think that it is recommendable to exclude UDP flooding entirely from the ADP.

    Any experiences and suggestions to fix this?

  • PeterUK
    PeterUK Posts: 4,411  Guru Member

    Really it's a fault with the ADP for UDP flooding, because the ADP should detect that there is two-way traffic for it to be legit; however, maybe that is in place and the threshold pkt/sec is too low, so you should see about setting this higher.
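The two tuning ideas in the reply above, a packets-per-second threshold and awareness of the reply direction, as an added, simplified model that is not Zyxel's ADP logic and not part of the thread. The firewall address, the client addresses and the traffic records are constructed; the threshold values are illustrative, not the ADP's actual defaults.

```python
"""Simplified rate-based UDP flood check (added example, not Zyxel ADP code).

Models the two points raised in the thread: a flood verdict on UDP 500/4500
should take the reply direction into account (a one-sided burst that the
firewall never answers looks different from an IKE exchange), and a
packets-per-second threshold set too low flags legitimate tunnel setup.
"""

from collections import defaultdict

IKE_PORTS = {500, 4500}
FIREWALL_IP = "203.0.113.10"   # placeholder public IP of the firewall (TEST-NET-3)


def analyse_udp(records, threshold_pps, require_one_way=True):
    """records: iterable of (second, src_ip, dst_ip, dst_port).

    Returns the set of source IPs judged to be flooding: those whose inbound
    UDP/500 or UDP/4500 rate towards the firewall exceeds threshold_pps in
    some one-second bucket and, if require_one_way, that received no reply
    packets from the firewall in that same second.
    """
    inbound = defaultdict(int)    # (second, src) -> packets to the firewall
    replies = defaultdict(int)    # (second, client) -> packets from the firewall
    for sec, src, dst, dport in records:
        if dport not in IKE_PORTS:
            continue
        if dst == FIREWALL_IP:
            inbound[(sec, src)] += 1
        elif src == FIREWALL_IP:
            replies[(sec, dst)] += 1
    flagged = set()
    for (sec, src), count in inbound.items():
        if count <= threshold_pps:
            continue
        if require_one_way and replies[(sec, src)] > 0:
            continue   # the firewall is talking back: treat as an exchange
        flagged.add(src)
    return flagged


def build_sample():
    """Constructed traffic: one legit roaming client and one one-sided burst."""
    recs = []
    client, noise = "198.51.100.7", "192.0.2.99"
    # Legit client: 40 packets to UDP/500 within second 1, each answered.
    for _ in range(40):
        recs.append((1, client, FIREWALL_IP, 500))
        recs.append((1, FIREWALL_IP, client, 500))
    # Noise source: 40 packets to UDP/4500 in the same second, never answered.
    for _ in range(40):
        recs.append((1, noise, FIREWALL_IP, 4500))
    return recs


def low_threshold_without_reply_check():
    """Threshold 20 pps, no direction awareness: both sources get flagged."""
    return analyse_udp(build_sample(), 20, require_one_way=False)


def low_threshold_with_reply_check():
    """Same threshold, but replies exonerate the legit client."""
    return analyse_udp(build_sample(), 20, require_one_way=True)


def higher_threshold():
    """Raising the threshold above the setup burst also clears the client."""
    return analyse_udp(build_sample(), 50, require_one_way=False)


if __name__ == "__main__":
    print(low_threshold_without_reply_check())  # both addresses
    print(low_threshold_with_reply_check())     # only 192.0.2.99
    print(higher_threshold())                   # set()
```

Comparing the three results is the point: a threshold alone trades false positives against missed floods, while checking for reply traffic keeps a low threshold useful for genuinely one-sided bursts. The thread itself notes that whether the ADP applies such a two-way check is uncertain, so on the real device the adjustable knob is the pkt/sec threshold.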

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,535  Zyxel Employee

    Hi @Zyxel_USG_User

    This issue should have been resolved before. May I confirm the issue is happening on the USG20W-VPN with the latest firmware version? If so, could you help by providing remote access for us to check? You may create a remote access security policy, or a remote PC with TeamViewer or AnyDesk for us.

    Zyxel Melen


  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member

    Hi there,

    I confirm the firewall model, and confirm the latest firmware version. Due to the time zones and frequent travel etc., the remote access proposal cannot work. Please suggest other methods (logs, debug, ...). As soon as I can, I will post the ADP setting details currently set here or via mail message.