FortiGate
anoushiravan
Staff
Article Id 241007
Description

This article describes how to block unwanted IKE packets successfully using local-in-policy.

Generally, local-in-policy is used to drop unwanted packets before the FortiGate inspects them any further on the CPU; one advantage of local-in-policy is therefore a reduced CPU workload.

Scope
FortiGate.
Solution

It is possible to configure a local-in-policy to block IKE packets, but an ongoing IKE negotiation may still be observed afterwards. In that case the VPN logs show the error message 'peer SA proposal not match local policy', or 'no SA proposal chosen' appears in the IKE debugging output.


date=2022-12-26 time=18:54:26 eventtime=1672077267522086486 tz="+0100" logid="0101037124" type="event" subtype="vpn" level="error"
vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=10.109.16.252 locip=10.109.16.186 remport=500
locport=500 outintf="wan1" cookies="905bafa83d81e735/0000000000000000" user="N/A" group="N/A"
useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A"
status="negotiate_error" reason="peer SA proposal not match local policy" <<<<<------
peer_notif="NOT-APPLICABLE" utmref=0:1672077267


Note: It is also possible to see the error message 'Invalid ESP packet detected' in the VPN logs.
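As an added example that is not part of the original article and is not Fortinet's own tooling, the following Python script parses FortiGate key=value event-log records like the one above and reports peers that are on the intended block list yet still produced IPsec phase 1 errors after the local-in-policy was applied, which is exactly the symptom this article describes. The sample records are constructed: the first reproduces the log line shown above, while the peer 192.0.2.10, the system event and the policy timestamp are assumed values.

```python
"""Detect IKE negotiations from peers that a local-in-policy should already be
blocking, by parsing FortiGate VPN event logs (key=value format).

Example code added for this article; not Fortinet's own tooling."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# FortiGate log records are space-separated key=value pairs; values are either
# double-quoted strings (which may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(record: str) -> dict:
    """Turn one key=value log record into a dict with surrounding quotes removed."""
    fields = {}
    for key, raw in _KV_RE.findall(record):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def event_time(rec: dict) -> datetime:
    """Build a timezone-aware datetime from the date, time and tz fields."""
    tz = rec.get("tz", "+0000")
    sign = -1 if tz.startswith("-") else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    naive = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(offset))


def leaked_ike_peers(records, blocked_prefixes, policy_applied_at):
    """Return the remote IPs inside blocked_prefixes that still produced an IPsec
    phase 1 negotiation error after the local-in-policy was applied.

    Such a peer is still reaching the IKE daemon, typically through a
    session-table entry (UDP/500) that predates the policy and has to be cleared."""
    nets = [ip_network(p, strict=False) for p in blocked_prefixes]
    leaked = set()
    for record in records:
        rec = parse_fortigate_log(record)
        if rec.get("subtype") != "vpn" or rec.get("logdesc") != "IPsec phase 1 error":
            continue
        if rec.get("status") != "negotiate_error":
            continue
        remip = ip_address(rec["remip"])
        if any(remip in net for net in nets) and event_time(rec) >= policy_applied_at:
            leaked.add(str(remip))
    return leaked


# Constructed sample records. The first one is the record quoted in this article,
# joined onto a single line; the others are assumed for illustration.
SAMPLE_LOGS = [
    'date=2022-12-26 time=18:54:26 eventtime=1672077267522086486 tz="+0100" logid="0101037124" '
    'type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" '
    'msg="IPsec phase 1 error" action="negotiate" remip=10.109.16.252 locip=10.109.16.186 '
    'remport=500 locport=500 outintf="wan1" cookies="905bafa83d81e735/0000000000000000" '
    'user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A '
    'vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" '
    'peer_notif="NOT-APPLICABLE" utmref=0:1672077267',
    # same unwanted peer, but before the policy was applied (assumed record)
    'date=2022-12-26 time=18:40:00 tz="+0100" logid="0101037124" type="event" subtype="vpn" '
    'level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" '
    'action="negotiate" remip=10.109.16.252 locip=10.109.16.186 remport=500 locport=500 '
    'outintf="wan1" status="negotiate_error" reason="no SA proposal chosen"',
    # a different peer with an ordinary proposal mismatch (assumed record)
    'date=2022-12-26 time=18:55:00 tz="+0100" logid="0101037124" type="event" subtype="vpn" '
    'level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" '
    'action="negotiate" remip=192.0.2.10 locip=10.109.16.186 remport=500 locport=500 '
    'outintf="wan1" status="negotiate_error" reason="no SA proposal chosen"',
    # unrelated system event that the filter must ignore (assumed record)
    'date=2022-12-26 time=18:55:10 tz="+0100" logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'msg="Administrator admin logged in successfully from ssh(192.0.2.10)"',
]

# Assumed time at which the local-in-policy was committed on the FortiGate.
POLICY_APPLIED_AT = datetime(2022, 12, 26, 18, 50, 0, tzinfo=timezone(timedelta(hours=1)))


def main():
    for peer in sorted(leaked_ike_peers(SAMPLE_LOGS, ["10.109.16.252/32"], POLICY_APPLIED_AT)):
        print(f"IKE from blocked peer {peer} still negotiating; clear its UDP/500 session entry")


if __name__ == "__main__":
    main()
```

Run against exported event logs, the script lists exactly the remote IPs whose session entries still need to be cleared with the diagnose commands given later in this article; the pre-policy record for the same peer and the unrelated system event are ignored.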


Solution:


  • Configure local-in-policy via CLI:


FGT # show firewall local-in-policy
config firewall local-in-policy
    edit 0
        set intf <Incoming Interface Name>
        set srcaddr <Address object for the unwanted remote IP>
        set dstaddr <Address object(s) for the FortiGate interface IP(s)>
        set service "IKE"
        set schedule "always"
        set comments "To block incoming IKE negotiation from an unwanted remote IP"
    next
end


Note: Starting from FortiGate v7.6.0, local-in-policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.


After the local-in-policy has been configured, make sure the session table contains no entry for the remote IP with destination port 500; clear any matching entries with:


di sys session filter clear
di sys session filter src <Remote IP address>
di sys session filter dport 500
di sys session clear


Note: After clearing the session entries, check the session table again to confirm that the entry for that remote IP with port 500 has actually been removed.


Related documents:
Local-in policies
firewall local-in-policy