VPN client to site and geo ip

mlik · July 24

I need help planning the implementation of firewalls and VPN connections on USG Flex 100 devices. I have 3 locations and I will create site-to-site VPN connections between them. Additionally, I need to create a client-to-site connection for mobile devices, e.g. laptop, macbook or iPhone. I understand that I have 2 options to choose from here. I create a client-to-site VPN connection to the selected point and configure routing for the remaining points. The second option is to create a separate VPN connection with each point. The disadvantage of the first option is that if there is no access to this - selected location, I will not connect to any other. The disadvantage of the second option is that I can only have 1 active connection. What is your practice in this example? I have a problem when it comes to connecting mobile clients from abroad. I usually implement geo IP rules that block connections from all countries except my own. How do I configure the geo IP so that it does not block devices that connect on a client-to-site basis that will try to connect from abroad.

PeterUK · July 24

So each site LAN IP/subnet should be different then for Remote Access (Server Role) to then route if needed to other site to site.

As for geo IP when you limit to a country for port 500, 4500 and protocol 50 then you can't have any one from abroad but one thing you can do is have them setup DDNS then you allow that FQDN for them ports

mlik · July 24

it is known that the client will have an IP address set by me. Is it not possible to configure the firewall so that it does not include specific addresses for geo ip? I do not want to play with DDNS.

PeterUK · July 24

If you know the client WAN IP you can firewall that IP to be allowed

mlik · July 25

I won't know the WAN address because it will change. I thought about the local address assigned when the client connects to the site. That's my mistake. So what remains is to use DDNS and pass the name for the appropriate ports? Is this your practice in such situations? DDNS for iPhone, Mac and Laptop, I can't imagine this configuration. Especially since it's about configuring a connection that will be implemented once a year (e.g. on vacation). Most of the time, clients will connect in the same country and geo IP blocking won't interfere.

PeterUK · July 25

Its the only way really (short from allowing all) if you never know the WAN IP they connect from you can use a app to update what IP they are on or by a router with DDNS support

mlik · July 25

I'm surprised there's no other option. After all, the device that connects as a client has its own identifier, e.g. in the form of a certificate, login, password for the VPN connection. The firewall knows what kind of device it is and I'm surprised that you can't add such a device as an exception.

PeterUK · July 25

If you geo IP ports 500, 4500 and protocol 50 then any source IP by geo IP will be allowed along with needing VPN user, password and certificate or Pre-Shared Key log in. So lets say I'm your client abroad in the UK and your setup in France by geo IP allow how do I connect to your USG from the UK when you have blocked me? how do you allow me?

mlik · July 26

I'm a bit confused, maybe it's a translator issue. In that case, a simple solution is to unblock ports 500, 4500 in geo ip. I suspect a danger related to allowing access, but there are certificates, logins and passwords? By the way, how do you create this type of rule?

PeterUK · July 26

By a Remote Access (Server Role) either IKEv1 L2TP over IPSec or IKEv2 you can use a Pre-Shared Key or certificate along with the option to do user and password login so if you allow from anywhere for ports 500, 4500 and protocol 50 anyone trying to login needs to know Pre-Shared Key or certificate along with the option to do user and password the point of geo ip is to limit attempts from other countries or ones you trust.

VPN client to site and geo ip

All Replies

Categories

Security Highlight

Security Help Center