Firewalling IPsec tunnel traffic?



  • This is somewhat of a newbie question. I just don't know much about setting up IPsec because I usually use OpenVPN, both for roadwarrior and for site-to-site.

    With OpenVPN you just route whatever traffic over the VPN tunnel you want and block what you don't want. The tunnel works just like any other network interface. If I understand correctly, route-based IPsec (VTI) works very similarly to OpenVPN.

    However, I often get the impression that "classic" policy-based IPsec tunnels are set up without any firewalling. Basically connecting two LANs as you would with a cable. Is that the case? Isn't it possible to put rules on the traffic that is allowed in and out of the tunnel?



  • I think this is going to be a "yes but...." type of answer. I think it's going to depend on what you're using as your vpn endpoints and how the network is configured at either end of the tunnel.....

    Some quick reading here : https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/policy-based-route-based-vpn-comparing.html leads me to believe that your firewalling is integral to the policy-based vpn's creation... basically that your firewall rule action would be "ipsec" instead of allow/deny/ etc



  • I use rules to limit traffic to HTTP and some others in an ipsec tunnel that connects some handheld scanners and a thermal label printer at a remote warehouse to our ERP system.



  • The rules are set up separately from the site-to-site VPN. That's what the firewall rules are for: you can limit traffic between the networks the same as you would limit anything on a PC or a WAN-to-LAN connection. It is all about the zones.
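
    The two posts above (limiting the warehouse tunnel to HTTP, and the rules living in the firewall rather than in the VPN definition) translate directly to a Linux gateway. The script below is an added example, not something posted in this thread and not a strongSwan or any vendor's own configuration: it generates an iptables-restore ruleset for a policy-based site-to-site tunnel, plus the route-based (VTI) counterpart for comparison. All addresses and the `vti0` interface name are assumed documentation values. The point it shows is that with policy-based IPsec the decrypted packets do not arrive on a tunnel interface, so the rule has to use the `xt_policy` match (`-m policy --pol ipsec ...`) to say "only if this packet really came out of the ESP tunnel with that peer"; with VTI the tunnel is an ordinary interface and the rule looks like one written for OpenVPN's `tun` device.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables-restore rulesets that
# firewall a site-to-site IPsec tunnel on a Linux gateway (e.g. strongSwan).
# Policy-based IPsec re-injects decrypted packets on the outer (WAN) interface,
# so they are matched with the xt_policy module instead of "-i <tunnel>".
# Addresses below are assumed documentation ranges, not a real deployment.

# Arguments: local LAN, remote LAN, local gateway outer IP, remote peer outer IP.
ipsec_site_rules() {
    local_net=$1; remote_net=$2; local_gw=$3; peer=$4
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Let IKE (UDP 500/4500) and ESP from the expected peer reach the gateway itself.
-A INPUT -s $peer -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s $peer -p esp -j ACCEPT
# Remote LAN -> local LAN: only HTTP/HTTPS, and only for packets that were really
# decapsulated from the ESP tunnel with this peer. A plaintext packet arriving on
# the WAN side with a spoofed remote-LAN source does not match this rule.
-A FORWARD -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peer --tunnel-dst $local_gw -s $remote_net -d $local_net -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies from the local LAN are allowed back out through the tunnel only.
-A FORWARD -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-src $local_gw --tunnel-dst $peer -s $local_net -d $remote_net -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Everything else between the two sites falls through to the FORWARD DROP policy.
COMMIT
EOF
}

# Route-based (VTI) counterpart: the tunnel is an ordinary interface, so the same
# restriction is written exactly as it would be for an OpenVPN tun interface.
# Arguments: local LAN, remote LAN, VTI interface name.
vti_site_rules() {
    local_net=$1; remote_net=$2; vti=$3
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $vti -s $remote_net -d $local_net -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -o $vti -s $local_net -d $remote_net -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Count the rules in a generated ruleset read from stdin (sanity check before loading).
count_rules() {
    grep -c '^-A'
}

# Usage (as root, on the gateway; iptables-restore replaces the filter table,
# add --noflush to merge into an existing ruleset):
#   ipsec_site_rules 10.0.1.0/24 10.0.2.0/24 198.51.100.1 203.0.113.2 | iptables-restore
#   vti_site_rules   10.0.1.0/24 10.0.2.0/24 vti0                      | iptables-restore
```

    Two caveats a practitioner should keep in mind: `--mode tunnel` and the `--tunnel-src`/`--tunnel-dst` pair tie the rule to one specific peer, so a second site needs its own rule pair (or a `--reqid` match if the implementation assigns one); and the VTI variant only filters correctly if the tunnel's traffic selectors really are 0.0.0.0/0 on both sides, otherwise the policy-based match is still the one that tells you a packet was encrypted.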



  • @Pete-S said in Firewalling IPsec tunnel traffic?:

    However, I often get the impression that "classic" policy-based IPsec tunnels are set up without any firewalling. Basically connecting two LANs as you would with a cable. Is that the case? Isn't it possible to put rules on the traffic that is allowed in and out of the tunnel?

    IPSec and OpenVPN are the same general kind of VPN. IPSec isn't more classic than SSL, they are both very old, but more recent implementations of the style replacing the older PPTP type tunnels. Both do all the same models and approaches. OpenVPN is meant to do what you describe just like IPSec is. IPSec is meant to do road warrior setups, just like you use OpenVPN for. They are essentially interchangeable in any practical sense.

    The biggest differences are that IPSec tends to be more painful to set up, but is more performant. OpenVPN tends to be easier, but requires more system overhead. IPSec is more identifiable on the network. OpenVPN masquerades as secure web traffic (e.g. https).



  • Thanks for your input.

    So in summary, you can accomplish the same thing, set up a VPN tunnel and limit traffic over it, with both IPsec and OpenVPN but in slightly different ways.



  • @Pete-S said in Firewalling IPsec tunnel traffic?:

    So in summary, you can accomplish the same thing, set up a VPN tunnel and limit traffic over it, with both IPsec and OpenVPN but in slightly different ways.

    Correct. But "slightly different" is so slight, that it is just the tools used. Like can you use a cardboard box or tupperware to transport your marbles from point A to point B? Yes. Both "work the same" as in that they are boxes that you place things in. What is different is just one has a plastic top that you "peel" open, the other has interleaving flaps. The differences are in how you "set them up", but not in what they do.

    So in that way they vary like Windows and Linux vary. Both work in the same places, do the same things, but they just have different configuration commands and interfaces.

