Hi All,
I have every day this kind of message, some remote IP trying to negotiate IPSEC tunnel.
Is there a way to allow only some IP to negotiate and block other ? (As far as I remember, IPSEC negotiation happen before FW rules)
On a 100D running 5.2.2
Message meets Alert condition date=2015-08-31 time=12:27:31 devname=FG100D-HDV devid=FG100DXXXXXXXX logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=REMOTE-IP(X.X.X.X) locip=MY-IP(X.X.X.X) remport=60105 locport=500 outintf="wan1" cookies="38c1bf7739f47688/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" Message meets Alert condition date=2015-08-31 time=12:27:31 devname=FG100D-HDV devid=FG100DXXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=REMOTE-IP(X.X.X.X) locip=MY-IP(X.X.X.X)remport=60105 locport=500 outintf="wan1" cookies="38c1bf7739f47688/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
Thanks !
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can block access to the IPsec engine (so to say) via a Local-In policy. For that, you would prepare an address group of allowed remote gateway addresses (WAN IPs) for whitelisting. The policy would block the ESP protocol.
We too see a LOT of these attempts during the last months. Pesty.
Thank for you answer, I have a quick look, Local In Policy can't be modified trough GUI, I will have to use CLI...
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
Right. But...they might be visible in the GUI after creation, at least in v5.2.4.
Then again, who needs a GUI...
edit:
further reading reveals that you can enable logging of Local-In policies:
config system global
set gui-local-in-policy enable
end
Hello,
I'm trying to achieve the same thing as we have a lot of these messages in our logs too.
I was able to turn on the local policy in the GUI and was also able to create a local-in policy throught the CLI.
However I do not see the created policy in the GUI ...
We are also using FortiManager.
I already created a group there for the remote vpn peer ip addresses. However I can't find the local-in policies in FM ...
Are these the interface policies?
I have also seen that on the FortiGate GUI there is a default VPN local-in policy which allows UDP 500 and UDP 4500 traffic, but I cannot edit this policy ...
So I'm kind of stuck. Were any of you succesful in blocking these non-legitimate IP's?
Running 5.2.3 with FortiManager 5.2.4.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.