Technical Tip: How to block Unwanted IKE Negotiations and unknown ESP/SPI Packets with Local-In Policy on FortiGate
Description: This article explains how to use local-in policies on a FortiGate to control incoming IKE and ESP traffic. By allowing only trusted remote peers and blocking all other sources, unwanted IPsec VPN negotiations can be prevented.
Scope: FortiGate.
Solution:
By default, a FortiGate accepts IKE and ESP traffic on the external interface even when no IPsec VPN is configured. This can be seen in the Local-In Policies section, where the default system services include the IPsec-related ports (UDP/500 and UDP/4500) set to ACCEPT. Refer to the image below.
To avoid unsolicited or potentially malicious VPN negotiations from unknown sources, it is recommended to explicitly control IPsec traffic using local-in policies.
The following step-by-step configuration uses 198.51.100.21 as the only allowed remote peer and wan1 as the external interface.
Step 1: Define the Remote Peer Address. Create an address object for the trusted remote peer:
config firewall address
    edit "remote-peer"
        set subnet 198.51.100.21 255.255.255.255
    next
end
Step 2: Create an Address Group Excluding the Trusted Peer. Define an address group that includes all IPs except the trusted remote peer:
config firewall addrgrp
    edit "All_except_remote"
        set member "all"
        set exclude enable
        set exclude-member "remote-peer"
    next
end
Step 3: Configure Local-In Policies. Set up local-in policies to allow IKE and ESP traffic from the trusted remote peer and deny such traffic from all other sources.
Note: Starting from FortiOS v7.6.0, local-in policies can also be configured in the GUI; see Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
There are two options for configuring the local-in policy.

Option 1: Configure two local-in policies. The first allows IKE and ESP packets from the trusted remote peer; the second denies IKE and ESP from every other source (the 'All_except_remote' group created in Step 2). Because the two source sets do not overlap, their order does not affect the result, but the allow policy is normally placed first. "IKE" (UDP/500 and UDP/4500) and "ESP" (IP protocol 50) are the FortiGate default service objects.

Allow IKE and ESP from the Trusted Peer:

config firewall local-in-policy
    edit <index>
        set intf "wan1"
        set srcaddr "remote-peer"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
end

Deny IKE and ESP from All Other Sources:

config firewall local-in-policy
    edit <index>
        set intf "wan1"
        set srcaddr "All_except_remote"
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end

Option 2: A simpler method that achieves the same result is a single local-in policy with 'srcaddr-negate enable'. With negation, the policy matches every source address that is NOT in the specified source object or group and denies it, so only the trusted remote peer can reach the IKE and ESP services:

config firewall local-in-policy
    edit <index>
        set intf "wan1"
        set srcaddr "remote-peer"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end
Step 4: Disable 'detect-unknown-esp' in system settings so that incoming ESP traffic is checked against the local-in policies.

config system settings
    set detect-unknown-esp disable
end

This setting requires FortiOS v7.2.4 or later. In v7.2 and v7.4, only IP-encapsulated ESP (IP protocol 50) is affected by it; in v7.6.0 and later, TCP- and UDP-encapsulated ESP packets are also affected and can be blocked by local-in policies. Note that NAT-T (UDP-encapsulated) ESP arrives on UDP/4500, which the "IKE" service object already covers, so the policies in Step 3 block it from untrusted sources on every version.

When detect-unknown-esp is left enabled, the IPsec engine drops unrecognized ESP traffic itself, before the local-in policies are evaluated, and generates an 'unknown SPI' VPN log instead.
Step 5: Verify the configuration. Use the debug flow to confirm that the local-in policies are applied as expected. Filter on the IKE destination port and start the trace:

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter dport 500
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

To trace ESP instead, replace the port filter with 'diagnose debug flow filter proto 50'. Stop the trace afterwards:

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

Monitor the debug output: IKE packets from the trusted remote peer 198.51.100.21 should be accepted and reach the IKE daemon, while packets from any other source should be dropped by the local-in check (a message such as 'iprope_in_check() check failed on policy <id>, drop').
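As an added, consolidated example (not part of the original article), the following block puts Steps 1 to 4 together using Option 2 and extends it in two ways the article does not show: the trusted peers are kept in an address group so that additional peers can be added without touching the policy, and local-in traffic logging is enabled so that blocked negotiation attempts appear in the Local Traffic log. It assumes the external interface is wan1; 198.51.100.21 is the peer from the article, while 203.0.113.7 is a hypothetical second peer, and the group name 'trusted-ipsec-peers', the policy ID 1 and the logging settings are additions for illustration.

```fortios
# Added example: consolidated configuration for Option 2 (srcaddr-negate).
# Assumes external interface "wan1". 198.51.100.21 is from the article;
# 203.0.113.7 is a hypothetical second peer (documentation range).

# 1. One address object per trusted IPsec peer.
config firewall address
    edit "remote-peer"
        set subnet 198.51.100.21 255.255.255.255
    next
    edit "remote-peer-2"
        set subnet 203.0.113.7 255.255.255.255
    next
end

# 2. Group the peers so that future peers are added in one place
#    (group name is an assumption, not from the article).
config firewall addrgrp
    edit "trusted-ipsec-peers"
        set member "remote-peer" "remote-peer-2"
    next
end

# 3. A single local-in policy: deny IKE (UDP/500, UDP/4500) and ESP (IP
#    protocol 50) from every source that is NOT in the trusted group.
#    Trusted peers fall through to the default ACCEPT for these services.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted-ipsec-peers"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
        set comments "Block IKE/ESP from untrusted sources"
    next
end

# 4. Let ESP be evaluated by local-in policy instead of being dropped by the
#    IPsec SPI check (FortiOS 7.2.4+; TCP/UDP-encapsulated ESP only from 7.6.0).
config system settings
    set detect-unknown-esp disable
end

# 5. Record denied (and accepted) local-in traffic in the Local Traffic log so
#    that blocked negotiation attempts are visible (addition, not from the article).
config log setting
    set local-in-deny-unicast enable
    set local-in-allow enable
end
```

If VDOMs are enabled, run the block inside the VDOM that owns wan1, because 'config system settings' and 'config log setting' are per-VDOM. Adding a peer later only requires a new address object and a new member in 'trusted-ipsec-peers'. Where the srcaddr-negate option is not available (see the related article on negate features), fall back to Option 1 with the excluded address group.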
Related articles:
Technical Tip: SSL VPN tunnel mode: negating split tunneling Routing Address IPs
Technical Tip: Cannot configure negate features under local-in-policy setting in FortiGate unit
Technical Tip: Restrict IPSec VPN access to certain countries

