FortiGate
ManpreetSingh
Article Id 390429
Description

This article explains how to use local-in policies on a FortiGate to control incoming IKE and ESP traffic.

By allowing only trusted remote peers and blocking all others, it can prevent unwanted IPsec VPN negotiations.

Scope

FortiGate.
Solution

By default, FortiGate allows IKE and ESP traffic on the external interface, even if no IPsec VPN configuration exists. This behaviour can be seen in the Local-In Policies section, where the default system services include IPsec-related ports (UDP/500 and UDP/4500) set to ACCEPT. Refer to the image below.

[Image: fortigate-local-in-policy-KB.png: the Local-In Policies page, showing the default IPsec services (UDP/500 and UDP/4500) with action ACCEPT.]

To avoid unsolicited or potentially malicious VPN negotiations from unknown sources, it is recommended to explicitly control IPsec traffic using local-in policies.

Here is the step-by-step guide for the configuration, using 198.51.100.21 as the allowed remote peer.

Step 1: Define the Remote Peer Address. Create an address object for the trusted remote peer:

    config firewall address
        edit "remote-peer"
            set subnet 198.51.100.21 255.255.255.255
        next
    end

Step 2: Create an Address Group Excluding the Trusted Peer. Define an address group that includes all IPs except the trusted remote peer:

    config firewall addrgrp
        edit "All_except_remote"
            set member "all"
            set exclude enable
            set exclude-member "remote-peer"
        next
    end

Step 3: Configure Local-In Policies. Set up local-in policies to allow IKE and ESP traffic from the trusted remote peer and deny such traffic from all other sources. Local-in policies are evaluated in order, so the accept policy must have a lower index than the deny policy.

Allow IKE and ESP from the Trusted Peer:

    config firewall local-in-policy
        edit <index>
            set intf "wan1"
            set srcaddr "remote-peer"
            set dstaddr "all"
            set action accept
            set service "IKE" "ESP"
            set schedule "always"
        next
    end

Deny IKE and ESP from All Other Sources:

    config firewall local-in-policy
        edit <index>
            set intf "wan1"
            set srcaddr "All_except_remote"
            set dstaddr "all"
            set action deny
            set service "IKE" "ESP"
            set schedule "always"
        next
    end

Note:

  • By default, ESP traffic is not checked against local-in policy; see Technical Tip: ESP traffic handling with respect to local-in policies on a FortiGate Firewall.
  • Ensure that the interface name ('wan1' in this example) matches the actual WAN interface.
  • If the deny policy is configured with the exclusion group ('set exclude-member "remote-peer"'), the earlier local-in policy accepting traffic from the trusted peer is not strictly required, since the firewall processes all IKE traffic that is not explicitly blocked by a local-in policy. If a more general deny policy is used instead, such as one that blocks all source addresses, an earlier local-in policy that accepts the intended IKE traffic is required.
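To make the ordering point in the note concrete, the following Python script models how the local-in policies above are matched. It is an added illustration written for this article, not Fortinet code, and it assumes only what the article states: policies are evaluated top-down (lowest index first), an address group with 'exclude' matches its members minus its exclude-members, and IKE traffic not matched by any local-in policy is handed to the IKE daemon. The data structures and the evaluate() function are the example's own; the addresses are the article's 198.51.100.21 peer plus constructed test sources.

```python
"""Model of FortiGate local-in policy matching for IKE/ESP (added example,
not Fortinet code). Constructed data only; it never talks to a FortiGate."""
import ipaddress

# Address objects: name -> list of networks ("all" matches every IPv4 source).
ADDRESSES = {
    "all": [ipaddress.ip_network("0.0.0.0/0")],
    "remote-peer": [ipaddress.ip_network("198.51.100.21/32")],  # the article's trusted peer
}

# Address groups: name -> (member objects, exclude-member objects), i.e. the
# 'set member' / 'set exclude enable' / 'set exclude-member' lines of Step 2.
ADDRGRPS = {
    "All_except_remote": (["all"], ["remote-peer"]),
}

# The two local-in policies of Step 3, in evaluation order (lowest index first).
ARTICLE_POLICIES = [
    {"intf": "wan1", "srcaddr": "remote-peer", "action": "accept", "service": {"IKE", "ESP"}},
    {"intf": "wan1", "srcaddr": "All_except_remote", "action": "deny", "service": {"IKE", "ESP"}},
]

# The "more general" variant mentioned in the note: deny from every source.
DENY_ALL_POLICY = [
    {"intf": "wan1", "srcaddr": "all", "action": "deny", "service": {"IKE", "ESP"}},
]


def src_matches(name, ip):
    """True if ip matches the address object or address group called name.
    A group matches when any member matches and no exclude-member matches."""
    if name in ADDRGRPS:
        members, excluded = ADDRGRPS[name]
        return (any(src_matches(m, ip) for m in members)
                and not any(src_matches(e, ip) for e in excluded))
    return any(ip in net for net in ADDRESSES[name])


def evaluate(policies, intf, src, service):
    """Return the action of the first local-in policy matching this packet.
    Traffic no policy matches is 'accept' here, reflecting the note that the
    firewall processes IKE traffic that is not explicitly blocked."""
    ip = ipaddress.ip_address(src)
    for pol in policies:
        if pol["intf"] == intf and service in pol["service"] and src_matches(pol["srcaddr"], ip):
            return pol["action"]
    return "accept"


def verdicts(policies, sources, intf="wan1", service="IKE"):
    """Map each constructed source IP to the action it would receive."""
    return {s: evaluate(policies, intf, s, service) for s in sources}


if __name__ == "__main__":
    sources = ["198.51.100.21", "198.51.100.22", "203.0.113.9"]  # constructed test sources
    print("article (accept peer, deny exclusion group):", verdicts(ARTICLE_POLICIES, sources))
    print("deny exclusion group only, no accept policy:", verdicts(ARTICLE_POLICIES[1:], sources))
    print("deny all, no accept policy:               ", verdicts(DENY_ALL_POLICY, sources))
    print("accept peer, then deny all:               ", verdicts(ARTICLE_POLICIES[:1] + DENY_ALL_POLICY, sources))
```

Running the script shows the three cases from the note side by side: with the exclusion-group deny, the trusted peer is accepted whether or not the accept policy exists; with a deny-from-all policy, the peer is blocked unless an accept policy precedes it. Traffic on another interface or for a service the policies do not list falls through to the default and is not affected.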

Step 4: Disable 'detect-unknown-esp' in system settings so that ESP traffic is checked against local-in policy.

    config system settings
        set detect-unknown-esp disable
    end

This setting is available in FortiOS v7.2.4 and later. In v7.2 and v7.4, only IP-encapsulated (protocol 50) ESP traffic is affected. In v7.6.0 and later, TCP- and UDP-encapsulated ESP packets are also affected by this setting and can be blocked by local-in policies.

When detect-unknown-esp is enabled, the firewall instead drops unrecognized ESP traffic itself and generates an 'unknown SPI' VPN log for it, without consulting local-in policy.

Step 5: Verify the configuration. Use the following debug commands to verify that the local-in policies are working as expected:

    diagnose debug flow filter dport 500
    diagnose debug flow trace start 10
    diagnose debug enable

Monitor the debug output to ensure that only the trusted remote peer IP 198.51.100.21 can initiate IKE traffic successfully.

Related articles:

Technical Tip: SSL VPN tunnel mode: negating split tunneling Routing Address IPs

Technical Tip: Cannot configure negate features under local-in-policy setting in FortiGate unit

Technical Tip: Restrict IPSec VPN access to certain countries