Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tripley
New Contributor

Blocking Inbound IPSEC Attempts

Hello,

We have a 61E connected to the Internet that is getting random attempts at building an IPSEC tunnel from random IPs. I want to block this traffic.

I've followed this tech note: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36318&sliceId=1

I applied this local-in-policy:

FGT-61E # show firewall local-in-policy 
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ISAKMP"
        set schedule "always"
    next
end

However I'm still getting IPSEC connection attempts in the log.

Message meets Alert condition

date=2019-08-06 time=17:49:15 devname=<MY_DEVICE> devid=<MY_ID> logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1565135355014992767 tz="-0600" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=<UNKNOWN_IP> locip=<MY_IP> remport=33225 locport=500 outintf="wan2" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"

Any idea why the local-in-policy didn't work?  Anything else I can try?

1 Solution
Toshi_Esumi
Esteemed Contributor III

It's not the UDP 500 you configured but IP protocol number 50 (ESP) packets that the log is reporting. Your FGT is blocking them already anyway because the SPI doesn't match any existing tunnels.

If you don't have any IPsec existing on the FGT, you can try blocking "ESP" with the local-in-policy that might stop the log. Or not, I'm not sure.

tripley

Hi Toshi,

I added another rule to my local-in-policy to block ESP packets as well.  It's been a few hours and I haven't seen this error yet.  I'll let you know if that solved my issue.

Thanks for the suggestion!

emnoc
Esteemed Contributor III

Good. You should maybe add AH (proto 51) also if you see any flare-up from that. Keep in mind the local-in policy blocks the traffic, but the traffic is already blocked by the implicit nature of the FW.

Ken Felix
PCNSE NSE StrongSwan

tripley

It looks like blocking ESP packets was the trick. I haven't had an alert all day, where I would normally get one every 1 to 2 hours.

I will look into DoS policies too.  

Thanks!

emnoc
Esteemed Contributor III

DoS policies will probably not help if no matching policy ID allows the traffic. Also keep in mind ESP is not UDP or TCP, nor are ports in use.

Ken Felix
PCNSE NSE StrongSwan

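An added triage helper (my example, not code from the thread or from Fortinet) that parses a FortiOS event line in the shape tripley posted, infers whether the event is IKE (UDP 500), ESP (IP protocol 50) or AH (IP protocol 51) traffic, and checks whether a given local-in service list would have matched it, which is the mismatch Toshi and emnoc describe above. The service-to-protocol mapping and the status/logdesc heuristics are my assumptions, and the spi/seq decode is only a sanity check on whether a probe looks like a real peer at all.

```python
import re

# Constructed sample, not the OP's exact log line: same shape and field values
# as the event quoted in the thread, placeholders kept as the OP posted them.
SAMPLE = ('date=2019-08-06 time=17:49:15 logid="0101037131" type="event" '
          'subtype="vpn" level="error" logdesc="IPsec ESP" action="error" '
          'remip=<UNKNOWN_IP> locip=<MY_IP> remport=33225 locport=500 outintf="wan2" '
          'status="esp_error" error_num="Received ESP packet with unknown SPI." '
          'spi="47455420" seq="2f204854"')

# Assumed mapping of FortiGate predefined service objects to what they match.
# ESP and AH are IP protocols with no ports, so a UDP/500 rule never sees them.
SERVICE_MATCH = {"ISAKMP": ("udp", 500), "ESP": ("ip", 50), "AH": ("ip", 51)}

def parse_fortios_log(line):
    """Parse a FortiOS key=value event line; values may be quoted or bare."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def ipsec_traffic_class(event):
    """Heuristic (my assumption, not a Fortinet-documented rule): infer from
    status/logdesc which IPsec protocol the event is about. None if unknown."""
    text = (event.get("status", "") + " " + event.get("logdesc", "")).lower()
    if "esp" in text:
        return "ESP"
    if re.search(r"\bah\b", text):
        return "AH"
    if re.search(r"ike|isakmp|phase ?1|negotiat", text):
        return "ISAKMP"
    return None

def local_in_covers(event, configured_services):
    """Would a local-in-policy listing `configured_services` (names from
    SERVICE_MATCH) have matched the packet behind this event?"""
    cls = ipsec_traffic_class(event)
    if cls is None:
        return False
    return SERVICE_MATCH[cls] in {SERVICE_MATCH[s] for s in configured_services}

def hex_as_ascii(hexstr):
    """Render an spi/seq hex value as text when every byte is printable ASCII.
    A real peer's SPI is random; readable bytes point to a junk probe."""
    raw = bytes.fromhex(hexstr)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None

if __name__ == "__main__":
    ev = parse_fortios_log(SAMPLE)
    print(ipsec_traffic_class(ev))                 # ESP
    print(local_in_covers(ev, {"ISAKMP"}))         # False: the OP's first policy
    print(local_in_covers(ev, {"ISAKMP", "ESP"}))  # True: after adding ESP
    print(hex_as_ascii(ev["spi"]), hex_as_ascii(ev["seq"]))  # 'GET ' and '/ HT'
```

Run it against your own alert lines to confirm which protocol the events are before adding services to the local-in-policy.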
Jose_Bavaresco
New Contributor

Hello tripley,

Maybe your answer is in this post: https://forum.fortinet.com/tm.aspx?m=166107

I recommend you configure a DoS policy so that your WAN interface exposes only the services you need. Try to be as invisible to the public as possible.

cheers
