IPSEC roadwarrioer setup with zone based firewall

GurliGebis · November 27, 2023, 9:04am

Hey,

I’m trying to setup IPSEC remote access (also known as a road warrior setup), along with the zone based firewall.
Since it isn’t a site-to-site setup, there is no VTI interface, so zones cannot be used.

So I guess I have to use the non-zone firewall rules along with the zone based rules.
How would I go about doing that?

GurliGebis · November 27, 2023, 10:36am

For other people having the same question, and searching for an answer - here is what you need:

Just push the needed prefixes through the tunnel, then no other networks can be accessed through VPN.
In the firewall, allow traffic from the LOCAL zone, since that is the source of the VPN traffic.
If SNAT is used, make sure to exclude traffic with the internal network as source and the VPN prefix as destination, since you don’t want that NAT translated.

JoeN · November 27, 2023, 6:08pm

Hi @GurliGebis,

Thank you for sharing these helpful steps! Your insights will certainly assist others encountering similar challenges. We appreciate your contribution to the community!

GurliGebis · December 22, 2023, 9:16pm

Also an important thing to remember - in the WAN to LAN zone policy:

set firewall ipv4 name WAN_TO_LAN rule 10 action ‘accept’
set firewall ipv4 name WAN_TO_LAN rule 10 description ‘Allow IPSEC traffic’
set firewall ipv4 name WAN_TO_LAN rule 10 ipsec match-ipsec
set firewall ipv4 name WAN_TO_LAN rule 10 state ‘new’

Otherwise traffic won’t flow between the LAN and IPSEC network.

system · January 21, 2024, 9:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.