Skip to main content
tripley
tripley
New Member
August 7, 2019
Solved

Blocking Inbound IPSEC Attempts

  • August 7, 2019
  • 2 replies
  • 14431 views

Hello,

 

We have a 61E connected to the Internet that is getting random attempts at building an IPSEC tunnel from random IP's.  I want to block this traffic.

 

I've followed this tech note: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36318&sliceId=1

 

I applied this local-in-policy:

 

FGT-61E # show firewall local-in-policy 
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ISAKMP"
        set schedule "always"
    next
end

 

However I'm still getting IPSEC connection attempts in the log.

 

 
Message meets Alert condition
 
date=2019-08-06 time=17:49:15 devname=<MY_DEVICE> devid=<MY_ID> logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1565135355014992767 tz="-0600" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=<UNKNOWN_IP> locip=<MY_IP> remport=33225 locport=500 outintf="wan2" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"
 
Any idea why the local-in-policy didn't work?  Anything else I can try?
 
    Best answer by Toshi_Esumi
    It's not UDP 500 you configured but IP protocol number 50=ESP packets that the log is saying. Your FGT is blocking them already anyway because the SPI doesn't match any existing tunnels. 
    If you don't have any IPsec existing on the FGT, you can try blocking "ESP" with the local-in-policy that might stop the log. Or not, I'm not sure.
    2 replies
    Toshi_Esumi
    SuperUser
    Toshi_EsumiAnswer
    SuperUser
    August 7, 2019
    It's not UDP 500 you configured but IP protocol number 50=ESP packets that the log is saying. Your FGT is blocking them already anyway because the SPI doesn't match any existing tunnels. 
    If you don't have any IPsec existing on the FGT, you can try blocking "ESP" with the local-in-policy that might stop the log. Or not, I'm not sure.
    tripley
    tripleyAuthor
    New Member
    August 8, 2019
    Hi Toshi,
     
    I added another rule to my local-in-policy to block ESP packets as well.  It's been a few hours and I haven't seen this error yet.  I'll let you know if that solved my issue.
     
    Thanks for the suggestion!
    emnoc
    emnoc
    New Member
    August 8, 2019
    Good, you should maybe add  AH proto51 also if you see any flare up from that. keep in mind the local-in block the traffic but the traffic already blocked by the implicit nature if the FW
     
     
    Ken Felix
    Jose_Bavaresco
    Jose_Bavaresco
    New Member
    August 8, 2019
    Hello tripley,
     
    maybe you answer is in this post: https://forum.fortinet.com/tm.aspx?m=166107 
     
    I recommend you configure a DoS policy to configure your WAN interface for only the services you need. Try to be the most invisible to the public.
     
    cheers
    
        
                                                
    
        
    
    
    

            
    
                                        
    
            
                        
    
                                                                                                            
            
    

    

    

        
    
                    
    
    
    
    

    

    
    
    

                                        
    
                                                        
    
            
        
    
    

    

    

                                    
    Terms & ConditionsAccessibility statement