General rule possible to allow IPSec VPN traffic only, from everywhere? I am also using GeoIP
Hello,
I have the newest firmware installed on a USG20W-VPN and regularly update the GeoIP database on the firewall.
I use only IPSec VPNs, with the SecuExtender client from MacOS and Win11, the native IPSec VPN from iPhone, and the Strongswan IPSec VPN from Android. All works, so far so good.
It is no rocket science for IPSec VPN: it is simply internet access from abroad via a trusted and controlled environment, no tunnel splitting, no AD, no fancy access to local servers etc.
I use GeoIP to block all traffic by default from selected countries. Now, sometimes we travel business-wise to countries we permanently block access from with GeoIP. Therefore, before traveling I need to inactivate the specific rule, then re-activate it after returning to base. A bit cumbersome if several people travel simultaneously to several countries... but it works like that.
I wanted to create a simpler rule allowing by default only IPSec VPN traffic from everywhere.
Basically: I want to use IPSec VPN from everywhere, even from the countries, regions or continents blocked via GeoIP, without disabling the otherwise forbidden access from the selected countries blocked using GeoIP and then re-enabling the GeoIP block of all access from that country.
To do so, I did the following.
I created a service group, let's call it VPNServiceGroup where I placed the predefined services/objects:
AH (which is IP protocol number 51 by default definition in the firewall)
ESP (IP proto 50, by default definition)
IKE (UDP starting 500, no ending port, by default definition)
NATT (UDP starting 4500, no ending port, by default definition)
I left all the protocols above with the default values.
Then, I created a rule and placed it above/before all the rules containing GeoIP blocking of countries, IP ranges etc.
The rule is called let’s say “let IPSec VPN pass through” and it contains, from top to bottom:
From: any
To: ZyWall
Source: any
Destination: own fixed public IP
Service: the above defined service group
Device: any
User: the IPSec VPN users group, where all the allowed users are included
Schedule: none
Action: allow
[…]
I tried this setup from two countries already, and it does not work. I have to inactivate the country in order to be able to use IPSec VPN to the infrastructure.
I also tried the option From: WAN, but it did not work either, so I decided to broaden the possibility and changed From: to any. Still does not work.
What do I need to change, or check in order to make this "IPSec VPN access from everywhere" work?
Thanks for your help.
All Replies
You can't use the user setting; only after the VPN connects can you use the user option to control the way that user needs to go.
For a better option to limit the VPN connection, you can have the user set up DDNS; then you can make Source that FQDN.
0
Hi PeterUK, I am not sure I understand what you wrote.
Let me try and rephrase what I aim at.
We block by default many countries, regions, continents. We occasionally travel business-wise to some of those blocked countries.
We want that, at the same time, the IPSec VPN will work all the time, from anywhere.
ONLY IPSec VPN needs to be allowed and to work.
Until now: we manually set the rule for the country I travel to as inactive. When I come back, we activate the rule again.
I thought that a new rule placed BEFORE all other blocking rules overrides and allows the IPSec VPN.
That seems not to work.
How do I reach this goal?
The IPSec VPN is very straightforward: only internet connection via firewall, group of separate users.
No tunnel splitting, no automations, no AD nothing special after the IPSec VPN tunnel is built.
0
Just set the policy control rule you made with User: any. You can't set that with users, as the connection has not been made first to then know the user.
0
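To make the reply's point concrete, here is an added example (not code from the thread or from Zyxel's firmware) that models the first-match policy order from the original post: a toy evaluator with the AH/ESP/IKE/NAT-T service group, a GeoIP deny rule behind it, and a User field that can only match once the firewall knows the user. Country codes and the user name are constructed placeholders, and the rule model is a simplification of the real policy engine.

```python
# Added example, not from the thread or Zyxel firmware: toy first-match policy
# evaluator showing why the "let IPSec VPN pass through" rule only matches when
# its User field is "any". Country codes and user names are constructed.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Service group from the post: AH (IP proto 51), ESP (IP proto 50),
# IKE (UDP/500) and NAT-T (UDP/4500); UDP is IP protocol 17.
VPN_SERVICE_GROUP = {(51, None), (50, None), (17, 500), (17, 4500)}
BLOCKED_COUNTRIES = {"XX", "YY"}  # constructed placeholders for the GeoIP list

@dataclass
class Packet:
    proto: int                  # IP protocol number
    dport: Optional[int]        # destination port, None for AH/ESP
    src_country: str            # GeoIP lookup of the source address
    user: Optional[str] = None  # None: no authenticated VPN session exists yet

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    services: Optional[Set[Tuple[int, Optional[int]]]] = None  # None: Service any
    countries: Optional[Set[str]] = None          # None: Source any
    users: Optional[Set[str]] = None              # None: User any

    def matches(self, pkt: Packet) -> bool:
        if self.services is not None and (pkt.proto, pkt.dport) not in self.services:
            return False
        if self.countries is not None and pkt.src_country not in self.countries:
            return False
        # A user-restricted rule needs an identified user. Before the tunnel is
        # built there is none, so IKE/NAT-T/ESP packets fall through this rule.
        if self.users is not None and pkt.user not in self.users:
            return False
        return True

def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "implicit default", "deny"

GEO_BLOCK = Rule("GeoIP block", "deny", countries=BLOCKED_COUNTRIES)
# The post's rule (User: VPN user group) versus the reply's fix (User: any).
POST_RULES = [Rule("let IPSec VPN pass through", "allow", VPN_SERVICE_GROUP, users={"alice"}), GEO_BLOCK]
FIXED_RULES = [Rule("let IPSec VPN pass through", "allow", VPN_SERVICE_GROUP), GEO_BLOCK]
```

With `POST_RULES`, an IKE packet from a blocked country carries no user yet, skips the VPN rule and is denied by the GeoIP rule; with `FIXED_RULES` it is allowed, while ordinary traffic such as TCP/443 from the same country is still denied, so the GeoIP block is not loosened.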