IPSEC road warrior setup with zone based firewall


I'm trying to set up IPSEC remote access (also known as a road warrior setup), along with the zone based firewall.
Since it isn’t a site-to-site setup, there is no VTI interface, so zones cannot be used.

So I guess I have to use the non-zone firewall rules along with the zone based rules.
How would I go about doing that?


For other people having the same question, and searching for an answer - here is what you need:

  • Just push the needed prefixes through the tunnel, then no other networks can be accessed through VPN.
  • In the firewall, allow traffic from the LOCAL zone, since that is the source of the VPN traffic.
  • If SNAT is used, make sure to exclude traffic with the internal network as source and the VPN prefix as destination, since you don’t want that NAT translated.

Hi @GurliGebis,

Thank you for sharing these helpful steps! :pray: Your insights will certainly assist others encountering similar challenges. We appreciate your contribution to the community! :beers:

Also an important thing to remember - in the WAN to LAN zone policy:

set firewall ipv4 name WAN_TO_LAN rule 10 action 'accept'
set firewall ipv4 name WAN_TO_LAN rule 10 description 'Allow IPSEC traffic'
set firewall ipv4 name WAN_TO_LAN rule 10 ipsec match-ipsec
set firewall ipv4 name WAN_TO_LAN rule 10 state 'new'

Otherwise traffic won’t flow between the LAN and IPSEC network.

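As an added example that is not part of any post in this thread, here is a VyOS 1.4 style configuration fragment that puts the three steps from the earlier answer (pushed prefix only, LOCAL zone rule, SNAT exclusion) together with the match-ipsec rule from the last reply. Zone names, interface names, the addresses, the connection name `rw`, the pool name `ra-pool` and the `local prefix` / `outbound-interface name` syntax are assumptions, and the `#` lines are annotations rather than commands.

```vyos
# Assumed addressing (all placeholders):
#   LAN       192.168.1.0/24 on eth1 (zone LAN)
#   VPN pool  10.10.1.0/24   handed to road-warrior clients
#   WAN       eth0 (zone WAN), public address 192.0.2.1

# 1. Road-warrior connection: only the LAN prefix is pushed to clients,
#    so no other network is reachable through the tunnel.
set vpn ipsec remote-access pool ra-pool prefix '10.10.1.0/24'
set vpn ipsec remote-access pool ra-pool name-server '192.168.1.1'
set vpn ipsec remote-access connection rw pool 'ra-pool'
set vpn ipsec remote-access connection rw local prefix '192.168.1.0/24'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
# (authentication, ike-group and esp-group settings omitted here)

# 2. Decrypted client traffic enters the zone firewall from LOCAL,
#    so LOCAL -> LAN must accept it; limit it to the VPN pool.
set firewall ipv4 name LOCAL_TO_LAN default-action 'drop'
set firewall ipv4 name LOCAL_TO_LAN rule 10 action 'accept'
set firewall ipv4 name LOCAL_TO_LAN rule 10 description 'Road-warrior clients to LAN'
set firewall ipv4 name LOCAL_TO_LAN rule 10 source address '10.10.1.0/24'
set firewall ipv4 name LOCAL_TO_LAN rule 10 destination address '192.168.1.0/24'
set firewall zone LAN from LOCAL firewall name 'LOCAL_TO_LAN'

# Encrypted packets arrive on WAN; accept only what IPsec has matched.
set firewall ipv4 name WAN_TO_LAN rule 10 action 'accept'
set firewall ipv4 name WAN_TO_LAN rule 10 description 'Allow IPSEC traffic'
set firewall ipv4 name WAN_TO_LAN rule 10 ipsec match-ipsec
set firewall ipv4 name WAN_TO_LAN rule 10 state 'new'
set firewall zone LAN from WAN firewall name 'WAN_TO_LAN'

# 3. SNAT: LAN -> VPN-pool packets leave via eth0 (the tunnel's outer
#    interface), so exclude them before the masquerade rule.
set nat source rule 5 description 'No NAT towards road-warrior clients'
set nat source rule 5 outbound-interface name 'eth0'
set nat source rule 5 source address '192.168.1.0/24'
set nat source rule 5 destination address '10.10.1.0/24'
set nat source rule 5 exclude
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
```

Rule ordering matters: the exclude rule must have a lower number than the masquerade rule, otherwise LAN replies to VPN clients are still translated.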
