
Author: tripley (New Member)
2019/08/07 08:41:56

Blocking Inbound IPSEC Attempts

Hello,
 
We have a 61E connected to the Internet that is getting random attempts at building an IPSEC tunnel from random IPs. I want to block this traffic.
 
I've followed this tech note: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36318&sliceId=1
 
I applied this local-in-policy:
 
FGT-61E # show firewall local-in-policy 
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ISAKMP"
        set schedule "always"
    next
end

 
However, I'm still getting IPSEC connection attempts in the log.
 

Message meets Alert condition
date=2019-08-06 time=17:49:15 devname=<MY_DEVICE> devid=<MY_ID> logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1565135355014992767 tz="-0600" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=<UNKNOWN_IP> locip=<MY_IP> remport=33225 locport=500 outintf="wan2" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"

 
Any idea why the local-in-policy didn't work?  Anything else I can try?
 
#1 Toshi Esumi (Expert Member)
Re: Blocking Inbound IPSEC Attempts 2019/08/07 15:13:58 (Best Answer, marked by tripley 2019/08/08 13:25:49)
It's not UDP 500, which you configured, but IP protocol number 50 (ESP) packets that the log is reporting. Your FGT is blocking them already anyway, because the SPI doesn't match any existing tunnels.
If you don't have any IPsec existing on the FGT, you can try blocking "ESP" with the local-in-policy; that might stop the log. Or not, I'm not sure.
#2 Jose Bavaresco (New Member)
Re: Blocking Inbound IPSEC Attempts 2019/08/08 08:36:23
Hello tripley,
 
maybe your answer is in this post: https://forum.fortinet.com/tm.aspx?m=166107
 
I recommend you configure a DoS policy to restrict your WAN interface to only the services you need. Try to be as invisible to the public as possible.
 
cheers
#3 tripley (New Member)
Re: Blocking Inbound IPSEC Attempts 2019/08/08 09:05:25
Hi Toshi,
 
I added another rule to my local-in-policy to block ESP packets as well. It's been a few hours and I haven't seen this error yet. I'll let you know if that solved my issue.
 
Thanks for the suggestion!
#4 emnoc (Expert Member, AUSTIN TX AREA)
Re: Blocking Inbound IPSEC Attempts 2019/08/08 12:15:22
Good, you should maybe add AH (proto 51) also if you see any flare-up from that. Keep in mind the local-in policy blocks the traffic, but the traffic is already blocked by the implicit nature of the FW.
 
 
Ken Felix

PCNSE, NSE, Forcepoint, StrongSwan Specialist
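The point made in #1 (the log line is about ESP, IP protocol 50, which a UDP/500 ISAKMP service object never matches) and in #4 (AH, protocol 51, is likewise its own IP protocol with no ports) can be checked mechanically against a log line. The Python below is an added example, not code from this thread or from Fortinet: it parses a constructed FortiGate-style key=value log line modelled on the one quoted above (placeholder addresses), infers which protocol the event is about, and reports whether a given local-in-policy service list would cover that traffic. The service definitions (ISAKMP = UDP/500, ESP = IP proto 50, AH = IP proto 51) are assumed to match the FortiOS default service objects; the `esp_` status prefix and the "IPsec ESP" logdesc are taken from the quoted log line.

```python
"""Check which service objects in a local-in-policy would cover an IPsec event log line.

Added example for the forum thread; not Fortinet code. Run it to see why a policy
with only "ISAKMP" does not match ESP traffic, while one with "ESP" added does.
"""
import re

# Constructed sample, modelled on the log line quoted in the thread (placeholder addresses).
SAMPLE_LOG = (
    'date=2019-08-06 time=17:49:15 devname="FGT-EXAMPLE" logid="0101037131" '
    'type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" '
    'msg="IPsec ESP" action="error" remip=203.0.113.10 locip=198.51.100.1 '
    'remport=33225 locport=500 outintf="wan2" status="esp_error" '
    'error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"'
)

# Assumed definitions of the FortiOS default service objects named in the thread:
# ISAKMP is UDP/500, ESP is IP protocol 50, AH is IP protocol 51.
SERVICES = {
    "ISAKMP": ("udp", 500),
    "ESP": ("ip", 50),
    "AH": ("ip", 51),
}

# key=value pairs; quoted values may contain spaces, unquoted ones run to whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict, honouring quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def infer_protocol(event):
    """Work out the IP-layer protocol of the packet that produced a vpn event.

    An esp_* status (or logdesc "IPsec ESP") means an ESP packet: ESP carries no
    transport-layer ports, so remport/locport are ignored for it. Any other vpn
    event with a local port is treated as IKE/ISAKMP, which is UDP.
    """
    if event.get("status", "").startswith("esp_") or event.get("logdesc") == "IPsec ESP":
        return ("ip", 50)
    if event.get("subtype") == "vpn" and event.get("locport"):
        return ("udp", int(event["locport"]))
    return None


def matching_services(policy_services, proto):
    """Return the service names whose assumed definition covers proto."""
    return [name for name in policy_services if SERVICES[name] == proto]


def policy_covers_event(policy, event):
    """True if a local-in-policy (interface + service list) would match the event's traffic."""
    proto = infer_protocol(event)
    if proto is None or policy["intf"] != event.get("outintf"):
        return False
    return bool(matching_services(policy["service"], proto))


# The poster's first attempt, and the policy after the advice in #1 and #4.
ORIGINAL_POLICY = {"intf": "wan2", "service": ["ISAKMP"]}
HARDENED_POLICY = {"intf": "wan2", "service": ["ISAKMP", "ESP", "AH"]}

if __name__ == "__main__":
    event = parse_fortigate_log(SAMPLE_LOG)
    print("event protocol:", infer_protocol(event))                  # ('ip', 50)
    print("ISAKMP-only policy covers it:", policy_covers_event(ORIGINAL_POLICY, event))  # False
    print("ESP/AH policy covers it:", policy_covers_event(HARDENED_POLICY, event))       # True
```

The check is deliberately about service definitions only: as #4 notes, a local-in-policy here changes what gets logged, not whether the packets get through, since unknown-SPI ESP is already dropped.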
#5 tripley (New Member)
Re: Blocking Inbound IPSEC Attempts 2019/08/08 13:25:33
It looks like blocking ESP packets was the trick. I haven't had an alert all day, where I would normally get one every 1 to 2 hours.
 
I will look into DoS policies too.  
 
Thanks!
#6 emnoc (Expert Member, AUSTIN TX AREA)
Re: Blocking Inbound IPSEC Attempts 2019/08/08 16:10:01
DoS policies will probably not help if no matching policy ID allows the traffic. Also keep in mind ESP is not UDP or TCP, nor are ports in use.
 
Ken Felix

PCNSE, NSE, Forcepoint, StrongSwan Specialist