Description
This article describes how to configure a dial-up VPN with group-based firewall policies, so that network access is restricted to the user group defined in the firewall policies.
Solution
From GUI:
1) Once the dial-up VPN tunnel is created, change the User Group to 'Inherit from Policy':
- Go to VPN -> IPsec -> Tunnels and edit the tunnel.
- Configure User group as 'Inherit from Policy'.


2) Make sure that the user group is added to the firewall policy configured for the VPN.

From CLI:
1) Configure the VPN tunnel and make sure that 'set xauthtype auto' is configured and that no user group is configured on the tunnel.
# config vpn ipsec phase1-interface
    edit "Test_vpn"
        set type dynamic
        set interface "port2"
        set xauthtype auto
    next
end
2) Under the policies, configure the user group:
# config firewall policy
    edit 1
        set name "vpn_policy"
        set srcintf "Test_vpn"
        set dstintf "port1"
        set srcaddr "vpn_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-group"
    next
end
In this example, the user is recognized as a member of the group 'vpn-group'; the group can then be used in the firewall policies.
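The following is an added example, not part of the original article or Fortinet tooling: a small Python check over a saved configuration that lists firewall policies sourced from a dial-up tunnel using 'set xauthtype auto' with no tunnel-level group, but lacking 'set groups', which is the line the restriction above depends on. It assumes flat config/edit/set blocks (no nested config), treats 'authusrgrp' as the phase1 key for a tunnel-level user group, and uses a constructed sample in which policy 2 is a deliberate counter-example.

```python
import shlex

# Constructed sample in the article's CLI syntax; policy 2 is an added counter-example.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "Test_vpn"
        set type dynamic
        set xauthtype auto
    next
end
config firewall policy
    edit 1
        set srcintf "Test_vpn"
        set groups "vpn-group"
    next
    edit 2
        set srcintf "Test_vpn"
    next
end
'''

def parse(text):
    """Return {config path: {entry: {key: [values]}}}; flat blocks only (assumption)."""
    tables, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw.lstrip("# "))  # tolerate a leading '# ' prompt
        if not tok:
            continue
        if tok[0] == "config":
            section = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tables

def ungrouped_vpn_policies(text):
    """Return (policy id, tunnel) pairs where the policy has no 'set groups'."""
    cfg = parse(text)
    # Tunnels that rely on the policy for the group: dynamic, xauth auto, no authusrgrp.
    inherit = {name for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items()
               if p1.get("type") == ["dynamic"] and p1.get("xauthtype") == ["auto"]
               and "authusrgrp" not in p1}
    return [(pid, t) for pid, pol in cfg.get("firewall policy", {}).items()
            for t in sorted(inherit & set(pol.get("srcintf", []))) if not pol.get("groups")]

if __name__ == "__main__":
    print(ungrouped_vpn_policies(SAMPLE))
```
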