This article describes the detect-unknown-esp setting in FortiGate.
FortiGate 7.2.4.
Prior to FortiOS 7.2.4, ESP packets with unknown SPI values could not be matched by local-in policies.
In FortiOS, there are two actions involved in this implementation:
Historically, the second action existed in FortiOS long before local-in policies. A common assumption is that action 1 comes first and is followed by action 2, but this is not the case.
Because action 2 takes priority, these drops are recorded as VPN event log messages. For example:
Message meets Alert condition
date=2020-02-24 time=02:07:20 devname=TUNNEL-1 devid=FG1K5Dxxxxxxxxxx logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=000000000 logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=208.85.5.74 locip=20.20.20.1 remport=6185 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="4f501234" seq="4f4e1234"
FortiGate already blocks these attempts, so no further action is required to mitigate the related security risk.
Furthermore, the current ESP block is slightly better in terms of performance, since it saves a policy check.
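As an added example (not part of the original article), the following Python script parses FortiGate key=value event logs of the form shown above and aggregates the "Received ESP packet with unknown SPI" drops per remote IP, which is a quick way to confirm from the logs that such packets are already being blocked. The log lines are constructed for the example; only the first is adapted from the message in this article.

```python
import re
from collections import Counter

# Constructed sample log lines: the first is adapted from the VPN event in
# this article, the others are made up (the last is a normal IKE event to ignore).
SAMPLE_LOGS = [
    'date=2020-02-24 time=02:07:20 devname=TUNNEL-1 logid="0101037131" type="event" '
    'subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" action="error" '
    'remip=208.85.5.74 locip=20.20.20.1 remport=6185 locport=500 outintf="wan1" '
    'status="esp_error" error_num="Received ESP packet with unknown SPI." spi="4f501234"',
    'date=2020-02-24 time=02:07:25 logid="0101037131" type="event" subtype="vpn" '
    'level="error" action="error" remip=208.85.5.74 status="esp_error" '
    'error_num="Received ESP packet with unknown SPI." spi="4f509abc"',
    'date=2020-02-24 time=02:08:01 logid="0101037131" type="event" subtype="vpn" '
    'level="error" action="error" remip=198.51.100.7 status="esp_error" '
    'error_num="Received ESP packet with unknown SPI." spi="0000abcd"',
    'date=2020-02-24 time=02:08:30 logid="0101037127" type="event" subtype="vpn" '
    'level="notice" action="negotiate" remip=203.0.113.9 status="success" msg="progress IPsec phase 1"',
]

# FortiGate log values are either bare tokens or double-quoted strings that may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def is_unknown_spi_event(fields):
    """True for the 'Received ESP packet with unknown SPI' VPN error event."""
    return (fields.get("subtype") == "vpn" and fields.get("status") == "esp_error"
            and "unknown SPI" in fields.get("error_num", ""))

def unknown_spi_by_source(lines):
    """Count unknown-SPI ESP drops per remote IP and collect the SPIs seen."""
    counts, spis = Counter(), {}
    for line in lines:
        f = parse_fortigate_log(line)
        if is_unknown_spi_event(f):
            counts[f["remip"]] += 1
            spis.setdefault(f["remip"], set()).add(f.get("spi"))
    return counts, spis

if __name__ == "__main__":
    counts, spis = unknown_spi_by_source(SAMPLE_LOGS)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} unknown-SPI drop(s), SPIs {sorted(spis[ip])}")
```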
However, there is a new global setting as of FortiOS 7.2.4:
config system settings
    set detect-unknown-esp enable    <- Disabled by default.
end
When this setting is enabled, the firewall detects unknown ESP packets based on their SPI and drops them before the packet reaches the local-in policy.
Related article:
Technical Tip: Difference in ESP and IKE packet handling of local-in policies.
Copyright 2026 Fortinet, Inc. All Rights Reserved.