VPN Alert - Received ESP packet with unknown SPI
Hello All.
Does someone know if I can block this action?
Message meets Alert condition date=2018-09-12 time=15:12:16 devname=FGTxx devid=FGTxx logid=0101037131 type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=144.217.181.56 locip=172.16.2.1 remport=36979 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=esp_error error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854".
I created a new policy for testing, but I'm not sure that it will help.

config firewall policy
    edit 39
        set name "Block from wan"
        set uuid c23ca428-c089-51e8-7cff-b2ab3289eec7
        set srcintf "wan1" "wan2"
        set dstintf "internal"
        set srcaddr "abusers_OVH-FR" "Country Restriction"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

I do have a local-in-policy that should block any VPN connections:

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "DC-GATEWAY-VPN"
        set dstaddr "office1_vpn"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "wan2"
        set srcaddr "DC-GATEWAY-VPN"
        set dstaddr "office2_vpn"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 3
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end
Thanks in advance!
Aleksei.
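The alert in the post is a FortiGate key=value event log. Since the firewall itself reports these as "by design", the practical defender move is to parse the alerts, group them by remote address, and look at what the logged SPI actually contains. The example below is added here and is not part of the original post or of any Fortinet tooling; the parser, the helper names and the second and third log lines are constructed for illustration (the first line is the one posted above). One thing it shows that the raw alert does not: the spi and seq values from the post, read as bytes, decode to the printable ASCII text "GET " and "/ HT", i.e. the datagram that hit UDP 500 carried text rather than a real ESP header.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. Line 1 is the alert from the post; lines 2 and 3
# are made-up events (RFC 5737 documentation addresses) to exercise the parser.
SAMPLE_LOGS: List[str] = [
    'date=2018-09-12 time=15:12:16 devname=FGTxx devid=FGTxx logid=0101037131 '
    'type=event subtype=vpn level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" '
    'action=error remip=144.217.181.56 locip=172.16.2.1 remport=36979 locport=500 '
    'outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" '
    'xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=esp_error '
    'error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"',
    # constructed: unknown SPI from a different host, SPI bytes are not text
    'date=2018-09-12 time=15:13:01 devname=FGTxx devid=FGTxx type=event subtype=vpn '
    'level=error vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error '
    'remip=198.51.100.7 locip=172.16.2.1 remport=4500 locport=4500 status=esp_error '
    'error_num="Received ESP packet with unknown SPI." spi="c0a80001" seq="00000001"',
    # constructed: an unrelated, successful VPN event that must be ignored
    'date=2018-09-12 time=15:14:00 devname=FGTxx devid=FGTxx type=event subtype=vpn '
    'level=notice vd=root msg="progress IPsec phase 1" action=negotiate '
    'remip=203.0.113.9 locip=172.16.2.1 status=success',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_unknown_spi_event(fields: Dict[str, str]) -> bool:
    """True for the 'Received ESP packet with unknown SPI' error events."""
    return (
        fields.get("subtype") == "vpn"
        and fields.get("status") == "esp_error"
        and "unknown SPI" in fields.get("error_num", "")
    )


def word_as_ascii(hex_word: str) -> Optional[str]:
    """Decode an 8-hex-digit field (SPI or seq) as 4 bytes.

    Returns the text if every byte is printable ASCII, otherwise None.
    A genuine ESP SPI is an opaque 32-bit value; readable text here means the
    datagram was not an ESP packet at all.
    """
    try:
        raw = bytes.fromhex(hex_word)
    except ValueError:
        return None
    if len(raw) != 4 or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def summarize_unknown_spi(lines: List[str]) -> Dict[str, dict]:
    """Group unknown-SPI alerts by remote IP.

    For each source: number of alerts, the local ports hit, and whether the
    logged SPI+seq bytes decode to printable text (a non-IPsec payload).
    """
    summary: Dict[str, dict] = {}
    for line in lines:
        f = parse_fortigate_log(line)
        if not is_unknown_spi_event(f):
            continue
        entry = summary.setdefault(
            f["remip"], {"count": 0, "locports": set(), "ascii_payload": False}
        )
        entry["count"] += 1
        entry["locports"].add(f.get("locport", "?"))
        spi_text = word_as_ascii(f.get("spi", ""))
        seq_text = word_as_ascii(f.get("seq", ""))
        if spi_text is not None and seq_text is not None:
            entry["ascii_payload"] = True
    return summary


if __name__ == "__main__":
    for remip, info in summarize_unknown_spi(SAMPLE_LOGS).items():
        ports = ",".join(sorted(info["locports"]))
        print(f"{remip}: {info['count']} alert(s) on local port(s) {ports}; "
              f"text payload: {info['ascii_payload']}")
```

Feeding the posted line through this yields one source, 144.217.181.56, hitting local port 500 with a text payload, which is worth knowing before deciding whether a block list entry is even meaningful for that noise; the per-source counts are also a usable input for a threshold-based alert instead of one email per datagram.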
A number of us have been seeing this. See https://forum.fortinet.com/tm.aspx?m=166107 for the discussion.
So far the answer has been "by design" due to the way the FortiGate is handling UDP 4500 (translated to UDP 500) *before* local-in-policy, but I'm hoping we can get them to reconsider that.
Thank you for the answer!