FortiGate
Raghu_Kumar
Staff
Article Id 251878
Description

This article describes how to restrict IPsec VPN access to the FortiGate (IKE on UDP ports 500 and 4500, and the ESP protocol) to specific source IP addresses only.

Scope

FortiGate.
Solution

For instance:

 

An IPsec site-to-site VPN is configured with the remote peer 10.10.10.1. Because the phase 1 is bound to the WAN interface, the FortiGate answers IKE on UDP port 500, NAT-T on UDP port 4500, and the ESP protocol from any IP on the Internet.

The goal is to limit these to 10.10.10.1 only.

 

Port group can be configured from the physical interface under the Network --> Interfaces section:

 

- Create a firewall address object for the remote peer if not already created:

 

# config firewall address
    edit "RemotePeer1"
        set comment "Remote peer for VPN"
        set subnet 10.10.10.1 255.255.255.255
    next
end

 

- Create a rule to allow IKE and ESP from this peer on port1 (WAN interface):

 

# config firewall local-in-policy
    edit 0
        set intf "port1"
        set srcaddr "RemotePeer1"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
end

Use the interface name (port1 here), not the alias the GUI shows in front of it. The predefined service "IKE" covers both UDP port 500 and NAT-T UDP port 4500; "ESP" is IP protocol 50.

 

- Create a second rule, after the first one, to deny IKE and ESP from everyone else:

 

# config firewall local-in-policy
    edit 0
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end

Local-in policies are evaluated top-down and "edit 0" appends the new entry at the end, so create the accept rule first and this catch-all deny second. The deny rule is required: a local-in policy set has no implicit deny, so without it IKE and ESP from any other source would still reach the FortiGate. Setting the action explicitly makes the intent visible in the show output, since the default action is deny.

 

Now the FortiGate only answers the remote peer 10.10.10.1 on UDP port 500 for IKE, UDP port 4500 for NAT traversal, and the ESP protocol (IP protocol 50) for the phase 2 tunnel.
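To make the ordering and default-action rules concrete, the following is an added example (not Fortinet code, not part of this article): a small Python model of how the FortiGate evaluates the two local-in policies above. It encodes the behaviour the procedure relies on, namely rules checked top-down with first match winning, action deny when "set action" is omitted, and no implicit deny when nothing matches (which is why the explicit catch-all deny rule exists). The peer 10.10.10.1 and the "RemotePeer1" object come from the article; the outsider address 198.51.100.7, the interface name "port1" and the function names are constructed for the example. The lint_order check flags the lockout that happens when the deny rule is created before the accept rule.

```python
"""Model of FortiGate local-in policy evaluation for the IKE/ESP restriction
above. Added illustration, not FortiOS code: it encodes the behaviour the
article relies on (rules checked top-down, first match wins, default action
deny when 'set action' is omitted, no implicit deny when nothing matches,
which is why the explicit catch-all deny rule is needed). 10.10.10.1 is the
article's peer; 198.51.100.7 and the name "port1" are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Predefined FortiOS services used by the article, as (ip_proto, udp_port) sets:
# "IKE" covers UDP/500 and NAT-T UDP/4500; "ESP" is IP protocol 50, no port.
SERVICES = {"IKE": {(17, 500), (17, 4500)}, "ESP": {(50, None)}}

# Address objects; "RemotePeer1" is the one created in the article.
ADDRESSES = {"all": [ip_network("0.0.0.0/0")],
             "RemotePeer1": [ip_network("10.10.10.1/32")]}


@dataclass
class Policy:
    intf: str
    srcaddr: str
    service: tuple
    action: str = "deny"         # FortiOS default when 'set action' is omitted


@dataclass
class Packet:
    intf: str
    src: str
    proto: int
    dport: Optional[int] = None  # None for port-less protocols such as ESP


def service_matches(names, pkt):
    """True if pkt hits any (proto, port) tuple of the named services."""
    return any(proto == pkt.proto and (port is None or port == pkt.dport)
               for n in names for proto, port in SERVICES[n])


def evaluate(policies, pkt, service_open):
    """Verdict for a packet addressed to the FortiGate itself.

    service_open says whether the FortiGate would answer this service anyway
    (a phase1 bound to the interface opens IKE/ESP to everyone). Local-in
    policies only restrict: with no match the packet is handled by that default.
    """
    for p in policies:           # top-down, first match wins
        if (p.intf == pkt.intf
                and any(ip_address(pkt.src) in net for net in ADDRESSES[p.srcaddr])
                and service_matches(p.service, pkt)):
            return p.action
    return "accept" if service_open else "deny"


def lint_order(policies):
    """Pre-change check: a catch-all deny placed before a narrower accept on the
    same interface/service shadows it, the lockout the article warns about."""
    problems = []
    for i, p in enumerate(policies):
        if p.action != "deny" or p.srcaddr != "all":
            continue
        for later in policies[i + 1:]:
            if (later.action == "accept" and later.intf == p.intf
                    and set(later.service) & set(p.service)):
                problems.append(f"policy {i + 1} (deny from all) shadows the "
                                f"accept for {later.srcaddr}")
    return problems


# The article's two rules in the order they must be created, plus two mistakes.
CORRECT = [Policy("port1", "RemotePeer1", ("IKE", "ESP"), action="accept"),
           Policy("port1", "all", ("IKE", "ESP"))]   # action omitted -> deny
ACCEPT_ONLY = CORRECT[:1]                            # deny rule forgotten
REVERSED = CORRECT[::-1]                             # deny rule created first

SAMPLES = {                                          # constructed test traffic
    "peer_ike": Packet("port1", "10.10.10.1", 17, 500),
    "peer_natt": Packet("port1", "10.10.10.1", 17, 4500),
    "peer_esp": Packet("port1", "10.10.10.1", 50),
    "other_ike": Packet("port1", "198.51.100.7", 17, 500),
    "other_esp": Packet("port1", "198.51.100.7", 50),
}


def summary(policies):
    """Verdict per sample packet, with an IPsec phase1 bound to port1."""
    return {k: evaluate(policies, v, service_open=True) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, pol in (("correct", CORRECT), ("accept_only", ACCEPT_ONLY), ("reversed", REVERSED)):
        print(name, summary(pol), lint_order(pol))
```

Running it shows the three outcomes that matter in practice: with the rules in the article's order only the peer is accepted; with the deny rule forgotten every source is still accepted because nothing matches and the open phase 1 answers anyway; with the rules reversed even the peer is denied, which lint_order reports before the change is pushed.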

 

Note:

 

The local-in policy protects the FortiGate itself: it filters traffic whose destination is one of the FortiGate's own interfaces and their IP addresses.

 

It is visible in the GUI by default starting with FortiOS 7.x; in older versions, go to System → Feature Visibility → Local-in Policy to enable it.

 

The local-in policy can only be configured in the CLI; the GUI display is read-only.

 

Additionally, the GUI displays only the default rules the FortiGate creates automatically when the relevant services are enabled.

It does not show rules configured in the CLI, which can give the false impression that CLI-configured rules are not working.

It is recommended to work in the CLI from the beginning.

 

There are separate, IPv4 and IPv6, local-in policies.

 

The default action in a rule is deny, so when no action is visible in the show output, the action is deny.

 

Virtual IPs (VIPs) take precedence over local-in policies.

By default, local-in policy hits are not logged; set Log Settings → Log All so that denied packets are logged.

The logs appear in the Local Traffic section.

 

Use Workspace Mode to avoid locking yourself out when changing local-in policies.