I've built an IPsec tunnel and enabled remote management and ping. But I can access the firewall and ping it by its WAN IP address, and I don't want that. How can I prevent that and allow access from the IPsec VPN tunnel?
Thanks!
Hello,
I assume you are referring to remote HTTP/SSH access in System → Administration → Access Control. If so, there should be no need to enable remote access on the RUT955. If you have IPSec configured, you should be able to access the device through the IPSec connection using the IP addresses you used in the IPSec configuration (local/remote subnets). Therefore, just disable remote access. Make sure that the firewall IPSec rules that are automatically created when you enable IPSec are actually enabled (rules in Network → Firewall → Port Forwards / Traffic Rules / NAT Rules).
Kind Regards,
I've disabled remote access (SSH, HTTPS and HTTP) and I can't connect from the remote peer network to the RUT955 firewall's private IP anymore.
I've also disabled remote ICMP requests and I can't ping the RUT955 firewall either.
Here is what I've got in the firewall port forwards:
Note that I can ping a device that is in the RUT955 LAN from the remote peer successfully.
#Ping the laptop behind RUT955 lan interface from pc 192.168.xx.xx
root@RUT955:~# tcpdump host 192.168.xx.xx and icmp -i any -n
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:55:36.284747 IP 192.168.xx.xx > ti16.lan: ICMP echo request, id 5, seq 10845, length 40
09:55:36.286078 IP ti16.lan > 192.168.xx.xx: ICMP echo reply, id 5, seq 10845, length 40
09:55:37.294370 IP 192.168.xx.xx > ti16.lan: ICMP echo request, id 5, seq 10846, length 40
09:55:37.295682 IP ti16.lan > 192.168.xx.xx: ICMP echo reply, id 5, seq 10846, length 40
09:55:38.302566 IP 192.168.xx.xx > ti16.lan: ICMP echo request, id 5, seq 10847, length 40
09:55:38.303819 IP ti16.lan > 192.168.xx.xx: ICMP echo reply, id 5, seq 10847, length 40
09:55:39.310765 IP 192.168.xx.xx > ti16.lan: ICMP echo request, id 5, seq 10848, length 40
09:55:39.312220 IP ti16.lan > 192.168.xx.xx: ICMP echo reply, id 5, seq 10848, length 40
#Ping the firewall private ip from pc behind remote peer 192.168.xx.xx
root@RUT955:~# tcpdump host 192.168.xx.xx and icmp -i any -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:59:39.913442 eth1 In IP 192.168.xx.xx > 172.16.95.1: ICMP echo request, id 5, seq 10889, length 40
09:59:40.919681 eth1 In IP 192.168.xx.xx > 172.16.95.1: ICMP echo request, id 5, seq 10890, length 40
09:59:41.925894 eth1 In IP 192.168.xx.xx > 172.16.95.1: ICMP echo request, id 5, seq 10891, length 40
09:59:42.934304 eth1 In IP 192.168.xx.xx > 172.16.95.1: ICMP echo request, id 5, seq 10892, length 40
#Tunnel status
root@RUT955:~# ipsec status
Security Associations (1 up, 0 connecting):
BLV-BLV_c[2]: ESTABLISHED 30 minutes ago, 66.187.xx.xx[66.187.xx.xx]…66.187.xx.xx[66.187.xx.xx]
BLV-BLV_c{1}: REKEYED, TUNNEL, reqid 1, expires in 29 minutes
BLV-BLV_c{1}: 172.16.95.0/24 === 192.168.xx.0/24
BLV-BLV_c{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c4a38a95_i 2cda278c_o
BLV-BLV_c{2}: 172.16.95.0/24 === 192.168.xx.0/24
root@RUT955:~#
Hello,
Could you please try adding the following traffic rule?
In the advanced rule settings, make sure to add -m policy --dir in --pol ipsec
as extra arguments:
Let me know about the results.
Kind Regards,
OK, thanks, it's working like that. Can you explain to me a little bit more what it does? Thanks.
Can you check my other case and help me with it?
Thanks!
Hello,
IPSec is not really a VPN, so it is different from other VPNs. It does not have its own interface or firewall zone. It basically matches IPSec traffic and uses the WAN interface to send the encrypted traffic. So in this case, you have created a firewall rule that allows all traffic from WAN that matches IPSec policies (via the extra arguments) into the RUT955 itself. So with this rule, only IPSec traffic from WAN should be allowed to the RUT955 itself (device input).
I’ll take a look at your other case.
Kind Regards,
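To check that the device-input side of the firewall really ends up in the state described above (only tunnel traffic reaches the router itself, plus IKE/NAT-T to keep the tunnel up), here is an added example that is not from this thread or from Teltonika: a small POSIX shell audit run over `iptables-save` output, with a constructed sample embedded. It assumes fw3-style chain names (`zone_wan_input`), placeholder rule comments and interface name, and that the web UI's extra-arguments field maps to fw3's `extra` option in the UCI form printed by the second function; it goes beyond the single rule in the thread by flagging any WAN-to-device ACCEPT rule that lacks the policy match.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output in the shape OpenWrt's fw3 produces
# (placeholder rule comments and interface name; not the thread's real configuration).
# The SSH rule is the kind of "remote access" rule the thread disables; the last ACCEPT
# is the rule the thread adds, restricted by `-m policy --dir in --pol ipsec`.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:zone_wan_input - [0:0]
-A INPUT -i eth1 -j zone_wan_input
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-IPSec-IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: Allow-IPSec-NAT-T" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Enable_SSH_WAN" -j ACCEPT
-A zone_wan_input -m policy --dir in --pol ipsec -m comment --comment "!fw3: Allow-IPsec-to-device" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
COMMIT'

# Print every WAN-to-device ACCEPT rule that is not limited to packets decrypted by an
# IPsec policy. IKE (UDP 500) and NAT-T (UDP 4500) must stay open for the tunnel itself,
# so they are skipped. Exit status 0 = nothing exposed, 1 = at least one rule printed.
# On a live device run: audit_wan_input "$(iptables-save)"
audit_wan_input() {
  printf '%s\n' "$1" | awk '
    /^-A zone_wan_input / && / -j ACCEPT$/ {
      if ($0 ~ /-m policy --dir in --pol ipsec/) next   # only reachable via the tunnel
      if ($0 ~ /-p udp .*--dport (500|4500) /) next     # keeps the tunnel up
      print; found = 1
    }
    END { exit found ? 1 : 0 }'
}

# UCI form of the rule from the thread (assumed: fw3 "extra" option carries the policy
# match, as the web UI extra-arguments field does). Only prints the commands.
ipsec_input_rule_uci() {
  cat <<'EOF'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-IPsec-to-device'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].extra='-m policy --dir in --pol ipsec'
uci commit firewall
/etc/init.d/firewall restart
EOF
}
```

With the sample above the audit prints only the SSH rule; once that rule is removed (as the thread does by disabling remote access) it prints nothing and exits 0.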