Blocking Inbound IPSEC Attempts
Hello,
We have a 61E connected to the Internet that is getting random attempts at building an IPSEC tunnel from random IP's. I want to block this traffic.
I've followed this tech note: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36318&sliceId=1
I applied this local-in-policy:
FGT-61E # show firewall local-in-policy
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ISAKMP"
        set schedule "always"
    next
end
However, I'm still getting IPSEC connection attempts in the log.
Message meets Alert condition
date=2019-08-06 time=17:49:15 devname=<MY_DEVICE> devid=<MY_ID> logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1565135355014992767 tz="-0600" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=<UNKNOWN_IP> locip=<MY_IP> remport=33225 locport=500 outintf="wan2" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"
Any idea why the local-in-policy didn't work? Anything else I can try?
It's not UDP 500, which you configured, but IP protocol number 50 (ESP) packets that the log is reporting. Your FGT is blocking them already anyway because the SPI doesn't match any existing tunnels.
If you don't have any IPsec existing on the FGT, you can try blocking "ESP" with the local-in-policy; that might stop the log. Or not, I'm not sure.
Hi Toshi,
I added another rule to my local-in-policy to block ESP packets as well. It's been a few hours and I haven't seen this error yet. I'll let you know if that solved my issue.
Thanks for the suggestion!
Good, you should maybe add AH (proto 51) also if you see any flare-up from that. Keep in mind the local-in policy blocks the traffic, but the traffic is already blocked by the implicit nature of the FW.
Ken Felix
PCNSE
NSE
StrongSwan
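A local-in-policy that covers all three IPsec components (IKE on UDP 500/4500, ESP as IP protocol 50, AH as IP protocol 51), as an added example combining the two replies above; it is not the poster's configuration or a Fortinet document. It assumes the predefined FortiOS service objects "IKE", "ESP" and "AH" exist on this firmware and that no IPsec tunnel terminates on wan2, since these entries drop all inbound IPsec to the unit itself.

```text
FGT-61E # config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
        set comments "UDP 500/4500: IKE/ISAKMP negotiation attempts"
    next
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ESP"
        set schedule "always"
        set action deny
        set comments "IP proto 50: the esp_error / unknown SPI events"
    next
    edit 3
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "AH"
        set schedule "always"
        set action deny
        set comments "IP proto 51: AH, in case it flares up too"
    next
end
```

Because ESP and AH carry no ports, a service defined on UDP 500 never matches them; the success check is that the "IPsec ESP" event log entries stop, not that packets disappear from a sniffer on wan2.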
It looks like blocking ESP packets was the trick. I haven't had an alert all day, where I would normally get one every 1 to 2 hours.
I will look into DoS policies too.
Thanks!
DoS policies will probably not help if no matching policy ID allows the traffic. Also keep in mind ESP is not UDP or TCP, nor are ports in use.
Ken Felix
PCNSE
NSE
StrongSwan
Hello tripley,
Maybe your answer is in this post: https://forum.fortinet.com/tm.aspx?m=166107
I recommend you configure a DoS policy to configure your WAN interface for only the services you need. Try to be the most invisible to the public.
cheers
