Technical Tip: ESP traffic handling with respect to local-in policies on a FortiGate Firewall
Description
This article describes how local-in policies work with ESP packets destined to a local IP on the FortiGate.
Scope
Unknown SPI logs are observed on a FortiGate for IP addresses that are not valid IPSec peers for the FortiGate.
Solution
The FortiGate may receive ESP traffic that does not belong to any configured tunnel; such packets are logged under VPN events, for example:
date=2024-08-13 time=20:08:54 eventtime=1723604934176251061 tz="-0700" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=10.x.x.140 locip=172.x.x.143 remport=4500 locport=500 outintf="port1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad60" seq="00000007" fctuid="N/A" advpnsc=0
Administrators might be concerned about illegitimate traffic causing VPN error logs and might wish to block ESP traffic from certain or all IP addresses using a local-in policy, for example:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Valid VPN Peer IP addresses"
        set dstaddr "all"
        set action accept
        set service "ESP" "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ESP" "IKE"
        set schedule "always"
    next
end
However, by default, ESP traffic is not evaluated by local-in policies at all. Instead, the packet is checked for a valid SPI; if the FortiGate has no matching SPI, the packet is logged as above and dropped (the log is rate-limited).
Notably, IKE traffic is evaluated by the local-in policy and, when blocked, is logged under Local traffic logs if local traffic logging is enabled. In the configuration example above, IKE traffic matching policy 2 is dropped by the local-in policy (a local-in policy with no explicit action uses the default action, deny).
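Because unknown-SPI ESP packets are dropped but still logged, the VPN event log can be audited to separate stray ESP from a configured peer (typically a stale or mismatched SA worth checking) from unsolicited ESP sent by non-peers. The following is an added example, not code from this article or from Fortinet: it parses lines in the key=value format shown above; the sample log lines and the peer address are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the "IPsec ESP" event log above.
# Addresses are documentation/private placeholders, not real peers.
SAMPLE_LOG = """\
date=2024-08-13 time=20:08:54 logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" action="error" remip=203.0.113.140 locip=172.16.0.143 remport=4500 locport=500 status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad60" seq="00000007"
date=2024-08-13 time=20:09:01 logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" action="error" remip=203.0.113.140 locip=172.16.0.143 remport=4500 locport=500 status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad61" seq="00000008"
date=2024-08-13 time=20:09:30 logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" action="error" remip=198.51.100.7 locip=172.16.0.143 remport=4500 locport=500 status="esp_error" error_num="Received ESP packet with unknown SPI." spi="0badf00d" seq="00000001"
date=2024-08-13 time=20:10:00 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 2 status change" action="phase2-up" remip=198.51.100.7 locip=172.16.0.143 status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}

def is_unknown_spi_esp(rec: dict) -> bool:
    """True for the rate-limited 'IPsec ESP' error shown in the article."""
    return (rec.get("subtype") == "vpn" and rec.get("status") == "esp_error"
            and "unknown SPI" in rec.get("error_num", ""))

def classify_unknown_spi(log_text: str, valid_peers):
    """Count unknown-SPI ESP errors per remote IP, split into configured peers
    (check the tunnel/SA state) and non-peers (unsolicited ESP; a local-in
    deny can drop it once detect-unknown-esp is disabled). Counts are a
    lower bound because the FortiGate rate-limits this log."""
    nets = [ip_network(p) for p in valid_peers]
    peers, strangers = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_fortigate_log(line)
        remip = rec.get("remip")
        if not remip or not is_unknown_spi_esp(rec):
            continue
        bucket = peers if any(ip_address(remip) in n for n in nets) else strangers
        bucket[remip] += 1
    return peers, strangers

if __name__ == "__main__":
    VALID_PEERS = ["198.51.100.7"]  # placeholder: your configured IPsec peer addresses/prefixes
    peers, strangers = classify_unknown_spi(SAMPLE_LOG, VALID_PEERS)
    for ip, n in strangers.most_common():
        print(f"non-peer {ip}: {n} unknown-SPI ESP errors (candidate for local-in deny)")
    for ip, n in peers.most_common():
        print(f"peer {ip}: {n} unknown-SPI ESP errors (check tunnel/SA state)")
```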
Behavior change 1:
Starting with FortiOS v7.2.4, a new command was introduced:
config system settings
    set detect-unknown-esp { enable | disable }
end
- enable: This is the default, and there is no change in behavior.
- disable: If changed to disable, the ESP packets will be evaluated by the local-in policy.
This applies only to unencapsulated ESP packets (IP protocol 50), not to UDP-encapsulated ESP (NAT-T).
The configuration can be done per-VDOM.
Behavior change 2:
Starting with FortiOS version 7.6.0, UDP-encapsulated or TCP-encapsulated ESP packets can also be blocked by local-in policies, in addition to regular (unencapsulated) ESP packets.
Additional note:
ACLs (Access Control Lists) can also be used to block unwanted ESP traffic (where the platform supports them). More details are available in the related articles below.
Starting with FortiOS 7.6.0, local-in policies can also be configured in the GUI. Refer to the KB article: Creating a Local-In policy (IPv4 and IPv6) on GUI.
Related documents:
Blocking unwanted IKE negotiations and ESP packets with a local-in policy
