tanr
New Member
September 6, 2018
Question

ESP not being blocked by local-in-policy for existing IPsec Session?


On our 5.6.5 FortiGates, I'm seeing what looks like attempted attacks on our IPsec connection to a branch office, but am unclear how they are getting past my local-in-policy to get blocked further in.


The VPN log event I see is "Received ESP packet with unknown SPI." coming from an IP that is NOT our branch office.

It seems clear this is an attempted attack because I'll see the same thing, from the same IP, tried in sequence against all of our public IPs.


I have a local-in-policy rule which specifically allows IKE, ESP, and NATT only from our branch office public IP to our main office public IP, followed by a local-in-policy rule which specifically denies IKE, ESP, and NATT to any of our public IPs.


What I don't understand is how this packet is getting past the local-in-policy that should be specifically denying it.


Any ideas what might be going on here?
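The symptom described above (the same source sending ESP with unknown SPIs to each public IP in turn) is easier to confirm from logs than from the policy table. The script below is an added example for this thread, not Fortinet code: it parses FortiOS-style key=value VPN event lines, separates unknown-SPI events from configured peers (which usually point at a stale or mismatched SA after a rekey, not an attack) from untrusted sources, and flags sources that touch several local public IPs. The field names `remip`, `locip` and `msg` are assumptions about the log format, and all addresses and log lines are constructed from documentation ranges.

```python
"""Triage FortiGate 'Received ESP packet with unknown SPI' events.

Added example for this thread; not Fortinet code. The field names remip,
locip and msg follow the FortiOS key=value style but are assumptions here,
and every address below is constructed documentation-range data.
"""
import re
from collections import defaultdict

# key=value pairs, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNKNOWN_SPI = "unknown SPI"

# Constructed sample lines: 203.0.113.77 walks three public IPs, 192.0.2.50 is
# the configured branch-office peer, 203.0.113.9 touches only one public IP.
SAMPLE_LOGS = [
    'date=2018-09-06 time=10:01:02 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" remip=203.0.113.77 locip=198.51.100.10 spi="0x1a2b3c4d" msg="Received ESP packet with unknown SPI."',
    'date=2018-09-06 time=10:01:03 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" remip=203.0.113.77 locip=198.51.100.11 spi="0x1a2b3c4d" msg="Received ESP packet with unknown SPI."',
    'date=2018-09-06 time=10:01:04 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" remip=203.0.113.77 locip=198.51.100.12 spi="0x1a2b3c4d" msg="Received ESP packet with unknown SPI."',
    'date=2018-09-06 time=10:05:00 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" remip=192.0.2.50 locip=198.51.100.10 spi="0x0badcafe" msg="Received ESP packet with unknown SPI."',
    'date=2018-09-06 time=10:07:30 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" remip=203.0.113.9 locip=198.51.100.10 spi="0x00000001" msg="Received ESP packet with unknown SPI."',
    'date=2018-09-06 time=10:08:00 type="event" subtype="vpn" level="notice" logdesc="IPsec phase 1 status change" remip=192.0.2.50 locip=198.51.100.10 msg="progress IPsec phase 1"',
]


def parse_line(line):
    """Return the key=value fields of one FortiOS-style log line as a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def unknown_spi_events(lines):
    """Yield (remote_ip, local_ip) for every unknown-SPI ESP event in lines."""
    for line in lines:
        fields = parse_line(line)
        if UNKNOWN_SPI in fields.get("msg", "") and "remip" in fields and "locip" in fields:
            yield fields["remip"], fields["locip"]


def triage(lines, trusted_peers, min_targets=2):
    """Split unknown-SPI events into probable scanners and peer SA mismatches.

    Returns (scanners, peer_mismatches):
      scanners        - {remote_ip: sorted distinct local IPs hit}, only for
                        untrusted sources that touched >= min_targets local IPs
      peer_mismatches - {remote_ip: event count} for configured peers; these
                        usually mean a stale or mismatched SA rather than an attack
    """
    targets = defaultdict(set)
    peer_counts = defaultdict(int)
    for remip, locip in unknown_spi_events(lines):
        if remip in trusted_peers:
            peer_counts[remip] += 1
        else:
            targets[remip].add(locip)
    scanners = {ip: sorted(locs) for ip, locs in targets.items() if len(locs) >= min_targets}
    return scanners, dict(peer_counts)


if __name__ == "__main__":
    scanners, mismatches = triage(SAMPLE_LOGS, trusted_peers={"192.0.2.50"})
    for src, hit in scanners.items():
        print(f"{src} sent unknown-SPI ESP to {len(hit)} public IPs: {', '.join(hit)}")
    for peer, count in mismatches.items():
        print(f"configured peer {peer}: {count} unknown-SPI event(s); check SA state and rekey timing")
```

Feed it real VPN event lines exported from the FortiGate and put the branch-office public IP in `trusted_peers`; a source that appears under `scanners` is the sweep behaviour described above, while events under `peer_mismatches` are the ones worth checking against the tunnel's own SA state before treating them as hostile.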


    tanr (Author)
    New Member
    September 7, 2018

    Any ideas on how local-in-policy is letting through these ESP packets?


    Could I have local-in-policy misconfigured? 


    Maybe I need to have the local-in-deny policy destination address be something more than our public facing IPs?


    Or perhaps I need to block ISAKMP TCP 0 as shown in http://kb.fortinet.com/kb/viewContent.do?externalId=FD36318&sliceId=1?


    Any ideas appreciated.

    scyllaAndy
    New Member
    September 9, 2018

    I'm seeing the same thing recently where my local-in-policies aren't stopping attempts from 144.217.0.0/16 across 20 or so of my FortiGate devices that have IPsec VPN setup. They have specifically been coming from 144.217.181.56. Thanks for finding that Technical note about creating an ISAKMP service. I'm going to try that now on a handful of my devices along with my existing deny policy for IKE, GRE, and ESP.

    tanr (Author)
    New Member
    September 9, 2018

    I've already tried the ISAKMP method and am still seeing the attempts come in and not get blocked by local-in-policy.


    I'll be calling TAC tomorrow to bring them in on this.  If you've already created a ticket on this and have a reference number from Fortinet please let me know (through PM if desired) and I'll refer to it when opening my own ticket.