topic Re: IPsec tunnel required rules in SASE and Remote Access

IPsec tunnel required rules

Brianpiraty_Ale — Wed, 28 Nov 2018 23:42:22 GMT

1. for establishing IPsec tunnel do we need to have a rule to allow IKE traffic between center gateway and peer gateway?

2. is the "accept all encrypted traffic on "both center and satellite gateways need to be checked" on Encrypted traffic?

Re: IPsec tunnel required rules

AlekseiShelepov — Thu, 29 Nov 2018 09:55:54 GMT

You already asked similar questions here previously - IPsec tunnel encryption.

Enable viewing on Implied rules in your Dashboard and see if the traffic for VPN tunnel would be accepted. Most probably you already have rule like this:

It is enabled by "Accept control connections" parameter in Global Properties. But it allows IKE communications only to this gateway itself, not to other gateways through it.

Enabling "accept all encrypted traffic" will allow all traffic trough this VPN tunnel, it has nothing to do with establishing tunnel. If you check it you will not be able to control what traffic from or to the peer is allowed.

See this comment: Site-to-Site VPN access restriction

Re: IPsec tunnel required rules

Brianpiraty_Ale — Thu, 29 Nov 2018 15:01:11 GMT

I don't checked the accept control connections on the global properties. I don't see a rule as mentioned by you on implied rules

But I see one look like below.

source destination VPN services action

EncDomain.HubGws@VPNcommunity Enc.domain.spokesGws@VPNcommunity any EncryptedSerivces@vpncommunity encrypt &continue

Re: IPsec tunnel required rules

AlekseiShelepov — Thu, 29 Nov 2018 15:25:35 GMT

So, you have R80.X version.

As I understand, this type of rule is used to encrypt traffic between encryption domains of peers (inside VPN tunnel) only, but does not act as an access rule.

If you don't have implied rules enabled by "Accept control connections" in Global Properties, then you need to configure all management and control access manually, including traffic for establishing VPN tunnel.

Re: IPsec tunnel required rules

Brianpiraty_Ale — Thu, 29 Nov 2018 19:39:34 GMT

VPN works fine. I see that tunnel established and the traffic encrypted between the encryption domain. But I don't have any explicit rule to allow IKE connections!

still I need to create a rule?

Re: IPsec tunnel required rules

AlekseiShelepov — Thu, 29 Nov 2018 21:10:00 GMT

If it works, why do you need to add rules then? I thought that you're trying to plan for a new VPN tunnel or to find out why it is not working.

Could you check in logs by which rule it is allowed? To your gateway, IKE traffic.

Do you really have all implicit rules disabled?

Re: IPsec tunnel required rules

Brianpiraty_Ale — Fri, 30 Nov 2018 21:38:49 GMT

in the log it says global security policy.

But I dnt really see any global rules on MDM