Description |
This article clarifies what the feature 'Blocking unwanted IKE negotiations and ESP packets with a local-in policy' actually does. According to the FortiGate documentation page of the same name (Blocking unwanted IKE negotiations and ESP packets with a local-in policy - FortiGate documentation), a local-in policy can drop IKE (UDP 500/4500) and ESP (IP protocol 50) packets coming from unwanted source addresses and accept them only from legitimate peers.
However, users sometimes test the feature against a VPN IPsec tunnel that is already established, observe that the tunnel keeps running, and conclude that the feature does not work. This article explains why that happens and how to test the feature correctly. |
Scope | VPN, FortiGate. |
Solution |
The local-in policy only takes effect on IKE/ESP packets that arrive from an address with which the local FortiGate has not already established a VPN tunnel, that is, on a new inbound IKE negotiation from an unknown or malicious source. Packets that belong to a tunnel that is already up are not affected by the policy, so adding a deny local-in policy for the peer of an existing tunnel does not, by itself, stop that tunnel.
To test the feature against an existing IPsec VPN tunnel, disable auto-negotiation (on both Phase 1 and Phase 2) and the keepalive (on Phase 2) of that tunnel on the local FortiGate, the one that carries the local-in policy. The local side then no longer initiates or refreshes the tunnel, so the only IKE traffic is the inbound negotiation from the remote peer, which is exactly what the local-in policy evaluates.
For example:
After that, a packet sniffer on the local FortiGate shows only incoming IKE traffic from the remote side, since the local side no longer sends any negotiation of its own:
Additionally, the debug flow shows that these packets are dropped by the local-in policy:
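The following CLI sequence is an added example written for this article; it is not the screenshot from the original post and not Fortinet's own sample configuration. It assumes a local FortiGate whose IKE/ESP traffic arrives on port1, an existing site-to-site tunnel named to-branch (Phase 2 named to-branch-p2) whose remote peer 203.0.113.10 is used here as the "unwanted" address for the test, and it adds one step the article does not spell out, clearing the current IKE SA so the remote peer has to renegotiate. All interface names, tunnel names and addresses are hypothetical.

```fortios
# Address object for the source to be blocked. In production this would be
# the malicious ranges, not the tunnel peer; the peer is used here only so the
# test exercises the existing tunnel described in the article (hypothetical).
config firewall address
    edit "ike-blocked-peer"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Local-in policies match traffic destined for the FortiGate itself and are
# evaluated top-down. "IKE" (UDP 500/4500) and "ESP" (IP protocol 50) are
# predefined service objects.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "ike-blocked-peer"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action deny
    next
end

# At this point the tunnel to-branch is still up: its packets are handled as
# part of the established tunnel, not as a new negotiation. To make the policy
# act on this peer, stop the local side from initiating or refreshing.
config vpn ipsec phase1-interface
    edit "to-branch"
        set auto-negotiate disable
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set auto-negotiate disable
        set keepalive disable
    next
end

# Assumed extra step: drop the current IKE SA so the remote peer must start a
# fresh negotiation instead of waiting for the SA lifetime to expire.
diagnose vpn ike gateway clear name "to-branch"

# Sniff IKE/ESP on port1. With the local side passive, only inbound packets
# from 203.0.113.10 should appear and nothing should be sent back.
diagnose sniffer packet port1 'udp port 500 or udp port 4500 or esp' 4 0

# Debug flow for the peer's IKE packets: the trace should report each packet
# as denied by local-in policy 1 rather than being handed to the IKE daemon.
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 500
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... wait for the remote peer to send its IKE packets ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Once the test is done, re-enable auto-negotiate and keepalive (and remove or adjust the deny policy) so the tunnel can come back up; in a real deployment the deny policy targets the unwanted addresses and an accept policy for the legitimate peers should sit above it.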
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.