Monday, July 23, 2018

How to secure an end user GRE tunnel on a firewall with a changing client IP

I have a client that is internal to the network, using a GRE tunnel towards a service they need. In order for it to work, I put a rule in the firewall to give them access. It basically says from [vpn destination ip] to [internal client ip] permit via GRE. However, the user will move around the network and have a different IP every day (it's from a DHCP scope), and the network they join will very often vary. So the only way I can give a permanent fix is changing the rule to say anything from the tunnel destination IP to ANY internal client IP, permit via GRE. I'd love to be able to lock this rule down to just allow it to one IP, so my question is, how do you guys deal with this scenario? Do you just allow it to all clients, or do you make them go to some sort of jump host to do their GRE tunnel; what do you do? Additionally, do you make them agree to any policy on acceptable use of the GRE tunnel to make sure your corporate data is not leaked?
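One way to keep the rule pinned to a single host instead of opening GRE to ANY internal address is to key the rule on something that does not change when the client moves (here, the laptop's MAC address), look up its current DHCP lease, and regenerate the narrow rule from that. The example below is added here and is not code from the post or from any firewall vendor; it assumes an ISC dhcpd-style leases file, an iptables-based Linux firewall, and a placeholder VPN endpoint address (203.0.113.10, from the documentation range). The lease text is constructed sample data: the same MAC holds an expired lease on one subnet and an active lease on another, which is the "user moved networks" case from the question.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in ISC dhcpd.leases format (not real lease data).
SAMPLE_LEASES = """\
lease 10.20.30.40 {
  starts 1 2018/07/23 08:00:00;
  ends 1 2018/07/23 12:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "laptop-01";
}
lease 10.20.31.7 {
  starts 1 2018/07/23 12:05:00;
  ends 1 2018/07/24 12:05:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "laptop-01";
}
lease 10.20.31.8 {
  starts 1 2018/07/23 09:00:00;
  ends 1 2018/07/24 09:00:00;
  binding state active;
  hardware ethernet 11:22:33:44:55:66;
  client-hostname "other-host";
}
"""

VPN_ENDPOINT = "203.0.113.10"          # placeholder for the tunnel's far end
CLIENT_MAC = "aa:bb:cc:dd:ee:ff"       # the one host allowed to use GRE
DEMO_NOW = datetime(2018, 7, 23, 14, 0, 0)  # fixed "now" so the run is reproducible


@dataclass
class Lease:
    ip: str
    mac: str
    state: str
    ends: datetime


LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text: str) -> List[Lease]:
    """Parse the fields this check needs out of a dhcpd.leases file."""
    leases = []
    for m in LEASE_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        state = re.search(r"binding state\s+(\w+);", body)
        # "ends 1 2018/07/23 12:00:00;" -> the leading digit is the weekday
        ends = re.search(r"ends\s+\d\s+(\S+ \S+);", body)
        if not (mac and state and ends):
            continue  # skip entries without a full, expiring binding
        leases.append(Lease(ip, mac.group(1).lower(), state.group(1),
                            datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")))
    return leases


def current_ip_for_mac(leases: List[Lease], mac: str,
                       now: Optional[datetime] = None) -> Optional[str]:
    """Return the IP of the newest still-valid active lease for this MAC, else None."""
    now = now or datetime.now()
    live = [l for l in leases
            if l.mac == mac.lower() and l.state == "active" and l.ends > now]
    if not live:
        return None
    return max(live, key=lambda l: l.ends).ip


def gre_rules(vpn_ip: str, client_ip: str) -> List[str]:
    """Narrow GRE (IP protocol 47) rules between the tunnel endpoint and one host."""
    return [
        f"iptables -A FORWARD -p gre -s {vpn_ip} -d {client_ip} -j ACCEPT",
        f"iptables -A FORWARD -p gre -s {client_ip} -d {vpn_ip} -j ACCEPT",
    ]


def tightened_rules(lease_text: str, mac: str, vpn_ip: str,
                    now: Optional[datetime] = None) -> List[str]:
    """Build the per-host rules; an empty list means 'no lease, so permit nothing'.

    Falling back to ANY here would silently reopen the broad rule the
    question is trying to get rid of, so the failure mode is closed, not open.
    """
    ip = current_ip_for_mac(parse_leases(lease_text), mac, now)
    return gre_rules(vpn_ip, ip) if ip else []


if __name__ == "__main__":
    for rule in tightened_rules(SAMPLE_LEASES, CLIENT_MAC, VPN_ENDPOINT, DEMO_NOW):
        print(rule)
```

Run this from cron or a DHCP lease-commit hook and flush/reinstall the two rules each time, and the firewall only ever permits GRE to the address the laptop currently holds. The MAC is a stable selector, not an authentication: it narrows the exposure from every internal host to one, but a host that spoofs that MAC on the same segment would inherit the rule, so treat this as scoping on top of the acceptable-use policy the question mentions rather than as identity.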


