Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Baptiste
Contributor II

Block IPSEC negotiation - Allow only legitimate IP

Hi All,

 

I have every day this kind of message, some remote IP trying to negotiate IPSEC tunnel.

 

Is there a way to allow only some IP to negotiate and block other ? (As far as I remember, IPSEC negotiation happen before FW rules)

 

On a 100D running 5.2.2

 

Message meets Alert condition date=2015-08-31 time=12:27:31 devname=FG100D-HDV devid=FG100DXXXXXXXX logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=REMOTE-IP(X.X.X.X) locip=MY-IP(X.X.X.X) remport=60105 locport=500 outintf="wan1" cookies="38c1bf7739f47688/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" Message meets Alert condition date=2015-08-31 time=12:27:31 devname=FG100D-HDV devid=FG100DXXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=REMOTE-IP(X.X.X.X) locip=MY-IP(X.X.X.X)remport=60105 locport=500 outintf="wan1" cookies="38c1bf7739f47688/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

 

Thanks !

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
4 REPLIES 4
ede_pfau
SuperUser
SuperUser

You can block access to the IPsec engine (so to say) via a Local-In policy. For that, you would prepare an address group of allowed remote gateway addresses (WAN IPs) for whitelisting. The policy would block the ESP protocol.

 

We too see a LOT of these attempts during the last months. Pesty.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Baptiste
Contributor II

Thank for you answer, I have a quick look, Local In Policy can't be modified trough GUI, I will have to use CLI...

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
ede_pfau
SuperUser
SuperUser

Right. But...they might be visible in the GUI after creation, at least in v5.2.4.

Then again, who needs a GUI...

 

edit:

further reading reveals that you can enable logging of Local-In policies:

config system global
    set gui-local-in-policy enable
end

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
aairey

Hello,

 

I'm trying to achieve the same thing as we have a lot of these messages in our logs too.

I was able to turn on the local policy in the GUI and was also able to create a local-in policy throught the CLI.

However I do not see the created policy in the GUI ...

 

We are also using FortiManager.

I already created a group there for the remote vpn peer ip addresses. However I can't find the local-in policies in FM  ...

Are these the interface policies?

 

I have also seen that on the FortiGate GUI there is a default VPN local-in policy which allows UDP 500 and UDP 4500 traffic, but I cannot edit this policy ...

 

So I'm kind of stuck. Were any of you succesful in blocking these non-legitimate IP's?

 

 

Running 5.2.3 with FortiManager 5.2.4.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors