FortiGate
ppatel
Staff
Article Id 199842
Description

This article describes how local-in policies work with ESP packets destined to a local IP address on the FortiGate.

 

Scope

Unknown SPI logs are observed on a FortiGate for IP addresses that are not valid IPsec peers of the FortiGate.

 

Solution

The FortiGate may receive illegitimate ESP traffic, that is, ESP packets whose SPI does not belong to any of its IPsec security associations. Such packets are logged under VPN events, for example:

 

date=2024-08-13 time=20:08:54 eventtime=1723604934176251061 tz="-0700" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=10.x.x.140 locip=172.x.x.143 remport=4500 locport=500 outintf="port1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad60" seq="00000007" fctuid="N/A" advpnsc=0

 

Administrators might be concerned about illegitimate traffic filling the VPN event log and might wish to block ESP traffic from all but known IP addresses using a local-in policy. For example, the policy below accepts IKE and ESP from the address group "Valid VPN Peer IP addresses" and denies them from every other source (deny is the default local-in action; it is set explicitly here for clarity):

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Valid VPN Peer IP addresses"
        set dstaddr "all"
        set action accept
        set service "ESP" "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ESP" "IKE"
        set schedule "always"
    next
end

 

However, by default, ESP traffic is not evaluated by the local-in policy at all. Instead, the packet's SPI is checked against the FortiGate's IPsec security associations; if no matching SPI exists, the packet is dropped and the unknown-SPI event shown above is logged (the log is rate limited). The local-in policy therefore cannot suppress these events by itself.

IKE traffic (UDP ports 500 and 4500), by contrast, is evaluated by the local-in policy: it is blocked by a matching deny rule and, if logging is enabled for that rule, recorded under Local Traffic logs. In the configuration example above, IKE traffic matching rule 2 is dropped by the local-in policy.

 

Behavior Change 1:

Starting with FortiOS 7.2.4, a new setting was introduced:

config system settings
    set detect-unknown-esp { enable | disable }
end

  • enable: This is the default; behavior is unchanged, so ESP packets bypass the local-in policy and are dropped on an unknown SPI as described above.
  • disable: ESP packets are evaluated by the local-in policy like other local-in traffic, so a deny rule matching the ESP service drops them before any SPI check, and the drop can be logged as local traffic.

This applies only to native ESP packets (IP protocol 50). UDP-encapsulated ESP (NAT-T, UDP port 4500) is still not evaluated by the local-in policy.

The setting is configured per VDOM.
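As an added example (not part of this article and not Fortinet code), the following Python script parses FortiOS event log lines in the key=value format shown above, picks out the unknown-SPI ESP errors, separates sources that fall inside a configured peer list (where an unknown SPI usually points at an SA mismatch or rekey race with a real peer) from unexpected sources, and emits the address-group and local-in-policy CLI from the example above, optionally preceded by `set detect-unknown-esp disable` so that the ESP entries actually take effect on FortiOS 7.2.4 and later. The sample log lines, the peer prefix 203.0.113.0/24, the stray source 192.0.2.140, the object names and the interface name are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events (not taken from a real device): the first three are
# unknown-SPI ESP errors, the last is an unrelated IKE phase 1 event. 192.0.2.140
# is an unexpected source; 203.0.113.7 belongs to a configured peer prefix.
# Field names and the ESP logid follow the event shown in the article.
SAMPLE_LOGS = """\
date=2024-08-13 time=20:08:54 tz="-0700" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=192.0.2.140 locip=172.16.0.143 remport=4500 locport=500 outintf="port1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad60" seq="00000007"
date=2024-08-13 time=20:09:10 tz="-0700" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=192.0.2.140 locip=172.16.0.143 remport=4500 locport=500 outintf="port1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="2c65ad61" seq="00000008"
date=2024-08-13 time=20:09:30 tz="-0700" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=203.0.113.7 locip=172.16.0.143 remport=4500 locport=500 outintf="port1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="00000abc" seq="00000001"
date=2024-08-13 time=20:10:00 tz="-0700" type="event" subtype="vpn" level="notice" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=203.0.113.7 locip=172.16.0.143 remport=500 locport=500 outintf="port1" status="success"
"""

# FortiOS log lines are space-separated key=value pairs; values containing spaces
# are double-quoted. Match either a quoted value or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortilog(line):
    """Parse one FortiOS log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_unknown_spi(ev):
    """True for the 'IPsec ESP' error event that reports an unknown SPI."""
    return (ev.get("subtype") == "vpn" and ev.get("status") == "esp_error"
            and "unknown SPI" in ev.get("error_num", ""))


def unknown_spi_sources(lines, valid_peers):
    """Count unknown-SPI events per remote IP and split them into sources inside
    the known-peer prefixes (likely an SA mismatch or rekey race with a real
    peer) and sources outside them (stray or unwanted ESP worth filtering)."""
    peer_nets = [ip_network(p, strict=False) for p in valid_peers]
    counts = Counter()
    for line in lines:
        ev = parse_fortilog(line)
        if is_unknown_spi(ev) and "remip" in ev:
            counts[ev["remip"]] += 1
    known = {ip: n for ip, n in counts.items()
             if any(ip_address(ip) in net for net in peer_nets)}
    unknown = {ip: n for ip, n in counts.items() if ip not in known}
    return known, unknown


def peer_address_group_cli(group_name, peers):
    """Emit FortiOS CLI creating one address object per peer prefix and an
    address group containing them, for use as the local-in policy srcaddr."""
    names, out = [], ["config firewall address"]
    for p in peers:
        net = ip_network(p, strict=False)
        name = f"vpn-peer_{net.network_address}_{net.prefixlen}"  # assumed naming scheme
        names.append(name)
        out += [f'    edit "{name}"', "        set type ipmask",
                f"        set subnet {net.network_address} {net.netmask}", "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group_name}"',
            "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end"]
    return "\n".join(out)


def local_in_policy_cli(interface, group_name, disable_detect_unknown_esp=False):
    """Emit the accept-known-peers / deny-everything-else local-in policy from the
    article. The ESP entries only act on native ESP once detect-unknown-esp is
    disabled (FortiOS 7.2.4+); the IKE entries are enforced regardless."""
    out = []
    if disable_detect_unknown_esp:
        out += ["config system settings", "    set detect-unknown-esp disable", "end"]
    out.append("config firewall local-in-policy")
    for seq, src, action in ((1, group_name, "accept"), (2, "all", "deny")):
        out += [f"    edit {seq}", f'        set intf "{interface}"',
                f'        set srcaddr "{src}"', '        set dstaddr "all"',
                f"        set action {action}", '        set service "ESP" "IKE"',
                '        set schedule "always"', "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    peers = ["203.0.113.0/24"]  # assumed list of legitimate peer prefixes
    known, unknown = unknown_spi_sources(SAMPLE_LOGS.splitlines(), peers)
    print("unknown SPI from configured peers (check SAs/rekeys):", known)
    print("unknown SPI from unexpected sources (candidates to filter):", unknown)
    print(peer_address_group_cli("Valid VPN Peer IP addresses", peers))
    print(local_in_policy_cli("wan1", "Valid VPN Peer IP addresses",
                              disable_detect_unknown_esp=True))
```

Feeding real exported logs through `unknown_spi_sources` is the useful part: events from addresses inside the peer list should be investigated as SA problems rather than blocked, while the unexpected sources are the ones a deny rule (or an ACL, where supported) is meant for. The generated CLI is a starting point to paste into a test device, not something to apply blindly to production.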

 

Behavior Change 2:

Starting with FortiOS 7.6.0, UDP-encapsulated and TCP-encapsulated ESP packets can also be blocked by local-in policies, in addition to native (unencapsulated) ESP packets.

 

Additional note:

ACLs (Access Control Lists) can also be used to block unwanted ESP traffic on platforms that support them. More details are available in the related articles below.

 

Related articles:

Blocking unwanted IKE negotiations and ESP packets with a local-in policy 

Access Control Lists