Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlekseiN
New Contributor

IPsec - local-in-policy.

Hello all.

Need a help with configuration local-in-policy to blocking IPsec from not known sources.

I created policy like this:

 

config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "s2s_name"
set dstaddr "all"
set action accept
set service "IKE" "ESP"
set schedule "always"
set status enable
next
edit 2
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "IKE" "ESP"
set schedule "always"
set status enable
next
end

But still continue to get a lot alerts like this:

 

date=2023-08-28 time=04:56:59 devname=FortiGate devid=FG200EXXXXXXXXX eventtime=1693187818206746689 tz="+0300" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=80.82.XX.XXX locip="185.MY IP ADD" remport=4500 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="30303030" seq="30303030"

 

Thanks!

Aleksei

AL
AL
6 REPLIES 6
srajeswaran
Staff
Staff

remport=4500, usually means NAT-T in action. Can you check if the ESP packet is encapsulated in UDP4500 ? If that is the case, may the the local-in policy need to call/specify UDP4500 also.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
AlekseiN

Hi,thank you for answer.

ESP  - Protocol Type = IP, Protocol Number = 50

IKE  - UDP/500 UDP/4500

 

2023-08-28_15-14-32.png2023-08-28_15-15-11.png

 

 

AL
AL
srajeswaran

I checked the bug ID mentioned in below post, unfortunately this looks like a limitation for now. Actually this drop (SPI mismatch) happens before the local-in-policy check, so technically its not a bug it is working as expected.

https://community.fortinet.com/t5/Support-Forum/ESP-not-being-blocked-by-local-in-policy-for-existin...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
AlekseiN

Great!

It is about 5.6.5 FortiGates. Do you know about version v7.0.+ ?

AL
AL
srajeswaran

Yeah, its still same. The below article explains the behavior.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-in-ESP-and-IKE-packet-handling-...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
AlekseiN

Thank you.

:(

 

AL
AL
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors