IPSEC
How can we protect FortiGate against a huge number of attempts to establish an IPsec tunnel, secured by a certificate with a bad certificate in request? That fact strongly imposes a huge load on one of the CPUs.
Labels: FortiGate
If genuine VPN peers come from a known range of IPs, you can alleviate this with a local-in policy for UDP ports 500 and 4500. Set it up to allow known-good IPs (individual, ranges, subnets, GeoIP countries) and block everything else.
Or vice-versa, block known unexpected IPs.
Note that FortiOS has some basic DoS protection using IKE cookies in IKEv2. If the number of connection attempts in the SA_INIT stage reaches a certain number, FortiGate starts asking the peer to re-send its SA_INIT with a provided cookie.
config system ike
set ike-embryonic-limit <number>
end
When the number of initiated SA_INITs is over half of this number, a cookie is required. If it reaches the number, FortiGate stops processing any new SA_INITs.
Are you sure the high CPU is from this? As @pminarik mentioned you can use a local-in policy for front-end with another firewall or your ISP's DDoS prevention.
Hello @psniech
You can limit IPsec access to a trusted host https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-IPSec-VPN-access-to-certain-count...
Thanks,
Pavan
