Skip to end of metadata
Go to start of metadata


Description:

If a VPN connection disconnects and an attempt to initiate access to resources in the VPN network is made on the VPN responder side, the router will try to re-establish the VPN connection. However, if the router has no information about a gateway IP address at the remote side (e.g. with a dynamic IKEv2 connection using identities), the VPN re-connect will fail.

This can be prevented by creating a firewall rule that blocks data traffic to a network accessed via VPN if there is no VPN connection in place (DENY-VPN-NOT-CONNECTED). This must have a higher priority than the other firewall rules so that it takes effect first.

Additionally, the special treatment of DNS packets requires the creation of another firewall rule for DNS that is prioritized higher than the DENY-VPN-NOT-CONNECTED rule.  


Requirements:


Scenario:

  • A VPN connection is operated between a router at the headquarters and a router at a branch office.
  • The router at the headquarters has the fixed public IP address 81.81.81.1.
  • The router at the branch office has no fixed public IP address (dynamic public IP address).
  • The router at the branch office should establish the VPN connection. It is therefore the VPN initiator.
  • The router at the headquarters receives the VPN connection. It is therefore the VPN responder.


Procedure:

1) In LANconfig, open the configuration dialog for the VPN responder and switch to the menu item Firewall/QoS → IPv4 rules → Rules.

2) Click Add to create the rule for blocking VPN communication if the VPN connection is not established (DENY-VPN-NOT-CONNECTED).

3) Give it a meaningful name (in this example DENY-VPN-NOT-CONNECTED) and enter a priority that is higher than the other firewall rules (in this example priority 10). This is necessary so that this rule acts before the other rules.

4) Go to the Actions tab, mark the action REJECT and click on Delete.

5) Click Add and then on Add custom action.

6) Modify the following parameters and create the firewall rule:

  • Enable the option if not connected.
  • Enable the option for VPN route.
  • Check that the option Packet action Reject is selected.

7) Click Add to create another firewall rule to allow DNS requests.

8) Give it a meaningful name (in this example ALLOW-DNS) and enter a priority that is higher than the one set for the DENY-VPN-NOT-CONNECTED rule created in steps 3 to 6 (in this example priority 15).

9) Switch to the Actions tab, mark the action Reject; Only if not connected; Only if VPN route and click on Delete.

10) Click on Add and choose the action ACCEPT.

11) Switch to the Stations tab, under Connection source select the option connections from the following stations and click Add → LOCALNET.

12) Navigate to the Services tab. Under Protocols/target services select the option for the following protocols/target services and click Add → DNS.  

 

13) The firewall rules should appear as shown below.

14) This concludes the configuration of the firewall rules. Write the configuration back to the router.