
Filter IPSec Access to Public Interface on Concentrator

mwadam
Level 1

We are using a concentrator for VPN access into the network. We have modified the public filter so that only certain IP addresses are allowed to access the concentrator. This filter is the default public filter on the public interface. This filter works great for L2TP/PPTP type connections, but does not block an IPSec connection. We have tried applying filters to the IPSec group itself, but I believe this filter is to restrict access to devices once connected. I have read that the public interface filter will only block non-encrypted connections, which would explain our scenario. Whether this is fact or not, what is the best way to restrict access to the public interface of the concentrator when the connection would be coming in IPSec? The customer is a large financial institution and would like this extra bit of security in case the connection information is compromised.

Thanks!!!

Adam

2 Replies

rating_is_vital
Level 1

Hi,

The public interface of the cvpn is in fact the VPN termination point, so I'm a bit confused about the objective "To restrict access to the public interface of the concentrator when the connection would be coming in IPSec".

The customer has concerns that if their IPSec group name and passwords were compromised that they could limit the users that were allowed to connect. So, in addition to supposedly being authorized to use the connection because they have the right credentials, they want to add an additional step of assurance that the connection is coming from a known source (host IP address). I realize this is a bit of overkill, but the request has been made and I am researching in hopes of either finding an answer, or letting them know that it is not possible and that it is time to move to RSA.

Thanks!!!

Adam