
L2TP over IPsec and restricting to certain IPs

I am setting up an L2TP over IPsec VPN for remote access into my network. I've noticed that it just works without configuring any firewall rules, which is great. But I would prefer if I were able to restrict this to certain IPs, IP ranges or subnets. Is this possible on Sophos UTM? I noticed that port UDP/500 VPN (IKE) is detected by Shodan against my server. I'd prefer if it were not open to the world to detect. Is it possible to restrict this? How does it work with the firewall?

I can see things in the IPsec log which I suppose suggest to me that it's handling the firewall itself, e.g. below.

2019:11:23-00:11:11 sophos pluto[12285]: | route_and_eroute: firewall_notified: true
2019:11:23-00:11:11 sophos pluto[12285]: | route_and_eroute: instance "L_REF_IpsL2tForVpn_0"[1] x.x.x.x:4500, setting eroute_owner...

I've not set up an inbound VPN before so a bit to learn I suppose :)

  • If you have just a few IPs that should be allowed to make a connection, another option is to use NoNAT and a blackhole DNAT.  That would look like:

    1. NoNAT : {group of allowed IPs} -> IPsec -> External (Address)
    2. DNAT :  Internet IPv4 -> IPsec -> External (Address) : to {240.0.0.1}

    You could use SSL VPN with One-time Passwords.

    In any case, having ports open for either isn't much of an exposure if you have strong access control.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
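The two-rule approach in the post above (a NoNAT exemption for the allowed sources, followed by a catch-all DNAT that sends everyone else's IKE traffic to an unroutable address) depends on the rules being evaluated top-down with the first match winning. The following Python model is an added example, not Sophos UTM code or anything from the original post: it encodes the two rules, applies them to constructed packets, and shows that an allowed source still reaches the IKE listener, that any other source is rewritten towards 240.0.0.1 (inside the reserved 240.0.0.0/4 block, so the packet goes nowhere and a scanner sees no service), and that swapping the rule order would blackhole the legitimate VPN peers as well. The first-match semantics and the contents of the UTM "IPsec" service group (IKE, NAT-T and ESP) are assumptions; the addresses used are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed model of the NoNAT + blackhole-DNAT approach from the post.
# Assumption: NAT rules are evaluated top-down and the first match decides.

# Assumption: the UTM "IPsec" service group covers IKE, NAT-T and ESP.
IPSEC_SERVICE: Set[Tuple[str, Optional[int]]] = {("udp", 500), ("udp", 4500), ("esp", None)}

# 240.0.0.1 lies in the reserved 240.0.0.0/4 block: nothing answers there,
# so a rewritten IKE packet is silently dropped and a scanner sees no service.
BLACKHOLE = "240.0.0.1"
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")   # the "Internet IPv4" source


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Rule:
    kind: str                                   # "nonat" or "dnat"
    sources: List[ipaddress.IPv4Network]        # source networks the rule matches
    service: Set[Tuple[str, Optional[int]]]     # (protocol, port) pairs it matches
    to: Optional[str] = None                    # DNAT target address, if any


def build_rules(allowed: List[str], external_ip: str) -> List[Rule]:
    """The two rules from the post, in the order they must appear."""
    return [
        # 1. NoNAT : {group of allowed IPs} -> IPsec -> External (Address)
        Rule("nonat", [ipaddress.ip_network(a) for a in allowed], IPSEC_SERVICE),
        # 2. DNAT : Internet IPv4 -> IPsec -> External (Address) : to 240.0.0.1
        Rule("dnat", [ANY_IPV4], IPSEC_SERVICE, to=BLACKHOLE),
    ]


def _matches(rule: Rule, pkt: Packet, external_ip: str) -> bool:
    """A rule matches when source, service and destination all agree."""
    src_ok = any(ipaddress.ip_address(pkt.src) in net for net in rule.sources)
    svc_ok = (pkt.proto, pkt.dport) in rule.service
    return src_ok and svc_ok and pkt.dst == external_ip


def apply_nat(rules: List[Rule], pkt: Packet, external_ip: str) -> str:
    """Return the packet's destination after NAT: the first matching rule decides."""
    for rule in rules:
        if _matches(rule, pkt, external_ip):
            if rule.kind == "nonat":
                return pkt.dst          # exempt from every later NAT rule
            if rule.kind == "dnat":
                return rule.to          # rewritten towards the blackhole
    return pkt.dst                      # no rule matched: delivered unchanged


def reaches_ike(rules: List[Rule], pkt: Packet, external_ip: str) -> bool:
    """True when the packet still arrives at the firewall's own IKE listener."""
    return apply_nat(rules, pkt, external_ip) == external_ip


if __name__ == "__main__":
    ext = "203.0.113.10"                        # constructed external address
    rules = build_rules(["198.51.100.0/24", "192.0.2.7/32"], ext)
    for src in ("198.51.100.23", "192.0.2.7", "192.0.2.8"):
        pkt = Packet(src, ext, "udp", 500)
        print(f"IKE from {src} -> delivered to {apply_nat(rules, pkt, ext)}")
```

Running the block prints one line per constructed source; only the two allowed sources keep the real external address as their destination. The model also makes the practical check explicit: a request from an allowed peer on UDP 4500 (NAT-T) must be exempted too, which is why the rules reference the whole IPsec service group rather than port 500 alone.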
  • BAlfson,

    I see this is a forum post for the UTM, but should this workaround also work on the XG?  I've tried this same thing and the XG totally ignores the firewall rules I created.  What I'm trying to achieve is allowing the two VPNs I have set up to work, but have the XG ignore all other probes on UDP port 500.  We have to do PCI scans every month and we fail each time because of port 500 being open.  It wouldn't be as big of a deal if we only had one location, but we have 7.  That means 7 separate disputes have to be filed each time.  It's a hassle.  If anyone else has any suggestions, I would greatly appreciate it.

  • Hey Nathan,

    Grumble!  When a PCI scanning provider can't remember the resolution from one scan to the next, it's time to change the provider.  You might consult Approved Scanning Vendors.

    That said, the same approach should work with XG.  Please ask the question in the Firewall and Policies forum in the XG Community so that the answer will be easy to find by others with a similar problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA