ppatel
Staff
Article Id 199842
Description

This article describes how the local-in policy below affects incoming ESP and IKE packets from 50.1.1.1:

 

# config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "50.1.1.1/32"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action deny
    next
end

Scope  
Solution

Case 1: FGT ESP handling.


If FortiGate receives an incoming ESP packet, whether it is UDP-encapsulated (NAT-T on UDP/4500) or carried directly as IP protocol 50, it always checks whether the packet's SPI matches an existing IPsec SA.

FortiGate does not check incoming ESP packets against local-in policies, so the deny policy above has no effect on ESP from 50.1.1.1.

If the SPI does not match an existing SA, the packet is dropped by the IKE daemon and a 'Received ESP packet with unknown SPI' event log is generated, as shown below:

 

date=2021-09-02 time=12:27:50 devname=boson-kvm35 devid=FGVM08TM20002358 logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1630578470078266076 tz="+0200" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=50.1.1.1 locip=1.1.1.1 remport=4500 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="67f8ab9e" seq="000000f2"
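Because ESP that is not matched by an SA surfaces only as this VPN event log, not as a local-in policy deny, the practical way to see what a blocked peer is still sending is to watch for these events. The following Python is an added example, not code from the Fortinet article: it parses the FortiOS key=value log format shown above, extracts unknown-SPI ESP errors, counts them per remote peer and flags peers whose IKE traffic is denied by a local-in policy. The parser regex, the function names and the assumed `denied_peers` input are this example's own; of the sample lines, only the first is taken from the article, the rest are constructed (and trimmed to the relevant fields) to exercise the filter.

```python
"""Parse FortiOS key=value event logs and pull out 'unknown SPI' ESP errors.

Added example; not code from the Fortinet article. The regex, function
names and the constructed sample lines below are this example's own.
"""
import re
from collections import Counter

# FortiOS log fields are key=value pairs; values containing spaces are
# double-quoted, everything else is written bare.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

UNKNOWN_SPI_MSG = "Received ESP packet with unknown SPI."

# Constructed sample: line 1 is the event from the article; lines 2-3 are
# constructed unknown-SPI events (trimmed to the relevant fields); line 4 is
# a constructed, unrelated VPN event that must NOT be counted.
SAMPLE_LOGS = """\
date=2021-09-02 time=12:27:50 devname=boson-kvm35 devid=FGVM08TM20002358 logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1630578470078266076 tz="+0200" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=50.1.1.1 locip=1.1.1.1 remport=4500 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="67f8ab9e" seq="000000f2"
date=2021-09-02 time=12:27:51 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" action="error" remip=50.1.1.1 locip=1.1.1.1 remport=4500 locport=500 outintf="wan1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="67f8ab9e" seq="000000f3"
date=2021-09-02 time=12:28:05 type="event" subtype="vpn" level="error" logdesc="IPsec ESP" action="error" remip=203.0.113.7 locip=1.1.1.1 remport=4500 locport=4500 outintf="wan1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="0a1b2c3d" seq="00000001"
date=2021-09-02 time=12:28:09 type="event" subtype="vpn" level="notice" logdesc="IPsec phase 1" action="negotiate" remip=198.51.100.9 locip=1.1.1.1 outintf="wan1" status="success" vpntunnel="branch-a"
"""


def parse_fortios_log(line: str) -> dict:
    """Return the key=value fields of one FortiOS log line as a dict.

    Quoted values are unquoted; bare values are kept verbatim.
    """
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def unknown_spi_events(lines):
    """Yield parsed VPN events whose status is esp_error with the unknown-SPI text."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_fortios_log(line)
        if (ev.get("subtype") == "vpn"
                and ev.get("status") == "esp_error"
                and ev.get("error_num") == UNKNOWN_SPI_MSG):
            yield ev


def correlate_with_denied_peers(lines, denied_peers):
    """Count unknown-SPI errors per remote IP and flag peers whose IKE is
    denied by a local-in policy.

    denied_peers is an assumed input (for instance the srcaddr of the deny
    policy in the article); ESP from such a peer never shows up as a
    local-in deny, only as these esp_error events.
    """
    counts = Counter(ev["remip"] for ev in unknown_spi_events(lines))
    return {
        ip: {"count": n, "ike_denied_by_local_in": ip in denied_peers}
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    report = correlate_with_denied_peers(SAMPLE_LOGS.splitlines(), {"50.1.1.1"})
    for ip, info in sorted(report.items()):
        print(f"{ip}: {info['count']} unknown-SPI ESP packets, "
              f"IKE denied by local-in: {info['ike_denied_by_local_in']}")
```

On a real FortiGate the input would be the VPN event log (for example lines with logid 0101037131 exported to syslog); feeding them through `correlate_with_denied_peers` with the srcaddr set of your local-in deny policies separates peers that are simply misconfigured from peers you have deliberately cut off at IKE but that keep sending ESP.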

 

Case 2: FGT ike packet handling.


When an IKE packet is received from 50.1.1.1, the local-in policies are evaluated first; the packet matches policy 1 and is dropped before it reaches the IKE daemon, so no new SA can be negotiated with this peer. Because ESP itself bypasses local-in policy, a tunnel that was already established before the deny policy was added keeps passing ESP until its SA expires; once rekeying (which needs IKE) fails, any ESP the peer still sends is dropped with the unknown-SPI error shown in Case 1.
