Fortinet Forum
Aleksei
New Contributor

VPN Alert - Received ESP packet with unknown SPI

Hello All.

Does someone know if I can block this action?

Message meets Alert condition date=2018-09-12 time=15:12:16 devname=FGTxx devid=FGTxx logid=0101037131 type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=144.217.181.56 locip=172.16.2.1 remport=36979 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=esp_error error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854".


I created a new policy for testing, but I'm not sure that it will help.

config firewall policy
    edit 39
        set name "Block from wan"
        set uuid c23ca428-c089-51e8-7cff-b2ab3289eec7
        set srcintf "wan1" "wan2"
        set dstintf "internal"
        set srcaddr "abusers_OVH-FR" "Country Restriction"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end


I do have a local-in-policy that should block any VPN connections:

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "DC-GATEWAY-VPN"
        set dstaddr "office1_vpn"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "wan2"
        set srcaddr "DC-GATEWAY-VPN"
        set dstaddr "office2_vpn"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 3
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end


Thanks in advance!

Aleksei.
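As an added example (not part of the original thread or of any Fortinet tooling): a small Python script that parses FortiGate key=value event lines like the one quoted above, counts "unknown SPI" errors per remote IP, flags sources that are not on an expected-peer list, and renders the spi/seq fields as ASCII. The hex values in the quoted line (47455420 and 2f204854) decode to the printable text "GET / HT", which suggests the "ESP" packet was a generic scanner probe rather than IPsec traffic from a real peer. The sample log is constructed (only the first line is the one from the post), and KNOWN_PEERS is a hypothetical stand-in for the poster's DC-GATEWAY-VPN address object.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the event quoted in the post; the rest are
# made-up lines in the same FortiGate key=value format for illustration.
SAMPLE_LOG = """\
date=2018-09-12 time=15:12:16 devname=FGTxx devid=FGTxx logid=0101037131 type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=144.217.181.56 locip=172.16.2.1 remport=36979 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=esp_error error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"
date=2018-09-12 time=15:12:40 devname=FGTxx devid=FGTxx logid=0101037131 type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=144.217.181.56 locip=172.16.2.1 remport=36980 locport=500 outintf="wan1" status=esp_error error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"
date=2018-09-12 time=15:13:02 devname=FGTxx devid=FGTxx logid=0101037131 type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=203.0.113.9 locip=172.16.2.1 remport=4500 locport=4500 outintf="wan1" status=esp_error error_num="Received ESP packet with unknown SPI." spi="c0a8f00d" seq="00000001"
date=2018-09-12 time=15:13:10 devname=FGTxx devid=FGTxx logid=0101037132 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=203.0.113.9 locip=172.16.2.1
"""

# Hypothetical: the only remote gateways that should be sending IKE/ESP here
# (this is what the poster's "DC-GATEWAY-VPN" address object would contain).
KNOWN_PEERS = {"203.0.113.9"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def hex_to_printable(hexfield):
    """Render a hex field (e.g. spi/seq) as ASCII, '.' for non-printable bytes."""
    try:
        raw = bytes.fromhex(hexfield)
    except ValueError:
        return "?" * (len(hexfield) // 2)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def unknown_spi_events(log_text):
    """Return the parsed events whose status is esp_error with an unknown SPI."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev.get("status") == "esp_error"
            and "unknown SPI" in ev.get("error_num", "")]


def triage(log_text, known_peers=KNOWN_PEERS):
    """Per remote IP: how many unknown-SPI errors, whether it is an expected peer,
    and the ASCII rendering of the first spi+seq seen (helps spot probe traffic)."""
    result = {}
    counts = Counter(ev["remip"] for ev in unknown_spi_events(log_text))
    for ev in unknown_spi_events(log_text):
        ip = ev["remip"]
        if ip not in result:
            result[ip] = {
                "count": counts[ip],
                "known_peer": ip in known_peers,
                "spi_seq_ascii": hex_to_printable(ev.get("spi", "")) + hex_to_printable(ev.get("seq", "")),
            }
    return result


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        tag = "expected peer" if info["known_peer"] else "NOT an expected peer"
        print(f'{ip}: {info["count"]} unknown-SPI error(s), {tag}, spi+seq as ASCII: {info["spi_seq_ascii"]!r}')
```

Errors from an expected peer usually mean a stale SA after a rekey or reboot and clear on their own; a stream of them from an unknown source with printable "SPI" bytes is scanner noise hitting the IKE/NAT-T ports, which is worth counting and rate-alerting on rather than paging for each line.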

tanr
Valued Contributor II

A number of us have been seeing this. See https://forum.fortinet.com/tm.aspx?m=166107 for the discussion.


So far the answer has been "by design" due to the way the FortiGate is handling UDP 4500 (translated to UDP 500) *before* local-in-policy, but I'm hoping we can get them to reconsider that.

Aleksei
New Contributor

Thank you for the answer!