psniech
Visitor III
December 12, 2024
Question

IPSEC

  • December 12, 2024
  • 3 replies
  • 1005 views

How can we protect FortiGate against a huge number of attempts to establish a certificate-secured IPsec tunnel where the request carries a bad certificate? This puts a huge load on one of the CPUs.

3 replies

pminarik
Staff
December 12, 2024

If genuine VPN peers come from a known range of IPs, you can alleviate this with a local-in policy for UDP ports 500 and 4500. Set it up to allow known-good IPs (individual, ranges, subnets, GeoIP countries) and block everything else.

Or vice-versa, block known unexpected IPs.


Note that FortiOS has some basic DoS protection using IKE cookies in IKEv2. If the number of connection attempts in the SA_INIT stage reaches a certain number, FortiGate starts asking the peer to re-send its SA_INIT with a provided cookie.

config system ike
    set ike-embryonic-limit <number>
end

When the number of initiated SA_INITs is over half of this number, a cookie is required. If it reaches the number, FortiGate stops processing any new SA_INITs.


ref: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/66410/ipsec-global-ike-embryonic-limit
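The threshold and cookie behaviour described in this reply, modelled as an added Python example (not FortiOS code; the HMAC cookie construction, the `IkeResponder` class and the `spoofed_flood` helper are assumptions made for illustration):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IkeResponder:
    """Responder-side model of an embryonic-SA limit (constructed illustration)."""
    embryonic_limit: int                        # plays the role of ike-embryonic-limit
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    embryonic: set = field(default_factory=set)  # half-open SAs keyed by (peer_ip, SPIi)

    def make_cookie(self, peer_ip: str, spi_i: bytes) -> bytes:
        # Stateless cookie in the style of RFC 7296 section 2.6: derived from the
        # peer's address and SPI with a responder secret, so no state is kept for a
        # peer that never returns it. A spoofed source never receives the cookie.
        return hmac.new(self.secret, peer_ip.encode() + spi_i, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, peer_ip: str, spi_i: bytes,
                       cookie: Optional[bytes] = None) -> str:
        """Return 'accept', 'cookie' (challenge sent, no state kept) or 'drop'."""
        count = len(self.embryonic)
        if count >= self.embryonic_limit:
            return "drop"                       # at the limit: new SA_INITs are not processed
        if count * 2 > self.embryonic_limit:    # over half the limit: a valid cookie is required
            expected = self.make_cookie(peer_ip, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie"                 # peer must re-send SA_INIT carrying the cookie
        self.embryonic.add((peer_ip, spi_i))
        return "accept"

    def complete(self, peer_ip: str, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the half-open SA timed out): release the slot."""
        self.embryonic.discard((peer_ip, spi_i))


def spoofed_flood(responder: IkeResponder, attempts: int) -> dict:
    """Simulate SA_INITs from spoofed sources that never answer the cookie challenge.
    Returns how many attempts consumed state versus were merely challenged."""
    outcomes = {"accept": 0, "cookie": 0, "drop": 0}
    for i in range(attempts):
        ip = f"203.0.113.{i % 256}"             # constructed sample addresses (TEST-NET-3)
        outcomes[responder.handle_sa_init(ip, i.to_bytes(8, "big"))] += 1
    return outcomes
```

With a limit of 10, a flood that never returns cookies occupies only six half-open slots no matter how many packets arrive, while genuine peers that echo the cookie still get through until the limit itself is reached.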

adambomb1219
SuperUser
December 12, 2024

Are you sure the high CPU is from this? As @pminarik mentioned, you can use a local-in policy for front-end with another firewall or your ISP's DDoS prevention.

pavankr5
Staff
December 26, 2024