This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec traffic originate from an authenticated source

I have recently been debating split tunneling. For years it has been best practice to disable split tunneling.
We have a requirement to block people from using Internet Connection Sharing in an office environment to turn their laptop into a VPN tunnel for everyone else in the office. We have identified a few situations where this is happening. The first response it to disable split tunneling, but I read a blog post from Tom Shinder stating that the Microsoft DirectAccess with UAG solution will require that IPSec traffic originate from an authenticated source thereby satisfying our requirement.
Is it possible to create a rule on the ASG where IPSec traffic must originate from an authenticated source?

This thread was automatically locked due to age.

0 BAlfson over 14 years ago
It sounds like you have an over-broad packet filter rule; something like 'Internal (Network) -> Any -> Any : Allow. I think I'd replace that with some specific rules, but a quick-fix is to create two new rules:

[LIST=1]
{Allowed internal IPsec hosts group} -> IPsec -> Any : Allow
Internal (Network) -> IPsec -> Any : Drop
[/LIST]

Of course, those must be above your broad rule.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 14 years ago

Hi Bob, I think he's worried that an IPSec client might have ICS on and then NAT in traffic from the REMOTE LAN... since it's NAT'd by the client, I don't think a PF rule would help.

Barry
Cancel
Vote Up 0 Vote Down

Cancel