jkoay (Staff)
Article Id 197596
Description
This article describes how FortiGate handles IPsec VPN packets when local-in policies are defined, and why an ESP error can still be logged for a peer that a local-in policy blocks.

Solution
After a local-in policy has been configured to block a specific public IP from connecting to the VPN tunnel, event logs such as the one below may still be received for that IP:
Message meets Alert condition
date=2020-01-01 time=05:57:12 devname=MASTER_FW devid=FGVM04187221XXXX logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1605210187307614998 tz="+0200" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=y.y.y.y locip=x.x.x.x remport=4500 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="12121212" seq="12121212"
When VPN (IKE/ESP) packets reach the FortiGate, the IPsec engine first tries to match them to a tunnel by SPI value. Only after that check is done does the packet go through the local-in policy.
The "Received ESP packet with unknown SPI" error is therefore logged by the SPI lookup before the local-in policy drops the packet; receiving this log does not mean the local-in policy is ineffective.

To confirm that the FortiGate is dropping the peer's IKE packets (UDP/500) based on the defined local-in policy, execute the commands below (use dport 4500 instead to trace NAT-T traffic, and run 'diag debug disable' afterwards to stop the trace):
#diag debug reset
#diag debug disable
#diag debug flow filter addr x.x.x.x                 <----- Replace x.x.x.x with the remote VPN gateway IP.
#diag debug flow filter dport 500
#diag debug flow show function-name enable
#diag debug flow trace start 50
#diag debug enable
Output similar to the following confirms the drop; "check failed on policy 2, drop" names the local-in policy (ID 2 in this example) that denied the packet:
FGVM04187221XXXX # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, y.y.y.y:500->x.x.x.x:500) from wan1. "
id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"
id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, y.y.y.y:500->x.x.x.x:500) from wan1. "
id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"
id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
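As an added example (not code from the original article or from Fortinet), the following Python parses the two outputs shown above: the key=value IPsec event log and the 'diag debug flow' trace lines. It groups trace lines by trace_id, extracts the packet 5-tuple and the local-in verdict, reports which local-in policy dropped traffic from a given peer, and checks that the esp_error log belongs to the same peer, which is the combination that tells you the log is expected rather than a sign the block failed. The IP addresses, the helper names and the sample lines are constructed for this example; they stand in for the page's x.x.x.x / y.y.y.y placeholders.

```python
"""Parse FortiGate IPsec event logs and 'diag debug flow' output, and correlate them.

Constructed example: the log text mirrors the article's samples with RFC 5737
documentation addresses substituted for the x.x.x.x / y.y.y.y placeholders.
"""
import re
from collections import defaultdict

# key=value or key="value with spaces" pairs, as used by FortiGate logs and debug-flow lines
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# packet summary printed by print_pkt_detail (IPv4 assumed: addresses contain no ':')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([^:\s]+):(\d+)->([^:\s]+):(\d+)\) from (\S+?)\.')
# verdict printed by fw_local_in_handler when a local-in policy denies the packet
DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (\d+), drop')

PEER = "203.0.113.10"   # constructed: the blocked remote VPN gateway (y.y.y.y on the page)
LOCAL = "198.51.100.1"  # constructed: the FortiGate wan1 address (x.x.x.x on the page)

# Constructed sample of the "IPsec ESP" event log from the article
ESP_LOG = ('date=2020-01-01 time=05:57:12 devname=MASTER_FW devid=FGVM04187221XXXX logid="0101037131" '
           'type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" '
           f'action="error" remip={PEER} locip={LOCAL} remport=4500 locport=500 outintf="wan1" '
           'vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." '
           'spi="12121212" seq="12121212"')

# Constructed sample of the debug flow trace, including the CLI prompt echoed on the first line
FLOW_LINES = [
    f'FGVM04187221XXXX # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, {PEER}:500->{LOCAL}:500) from wan1. "',
    'id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"',
    'id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"',
    f'id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, {PEER}:500->{LOCAL}:500) from wan1. "',
    'id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"',
    'id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"',
]


def parse_fortigate_log(line):
    """Turn one FortiGate log / debug-flow line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_debug_flow(lines):
    """Group debug-flow lines by trace_id and extract the packet 5-tuple plus the local-in verdict."""
    traces = defaultdict(dict)
    for line in lines:
        f = parse_fortigate_log(line)
        if "trace_id" not in f:
            continue  # prompt echoes, blank lines, unrelated debug output
        t = traces[f["trace_id"]]
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t.update(proto=int(m.group(1)), src=m.group(2), sport=int(m.group(3)),
                     dst=m.group(4), dport=int(m.group(5)), intf=m.group(6))
        m = DROP_RE.search(msg)
        if m:
            t["verdict"] = "drop"
            t["local_in_policy"] = int(m.group(1))
    return dict(traces)


def local_in_drops(traces, remote_ip, dport=500):
    """Local-in policy IDs that dropped packets from remote_ip to dport (empty list => not blocked there)."""
    return sorted({t["local_in_policy"] for t in traces.values()
                   if t.get("src") == remote_ip and t.get("dport") == dport
                   and t.get("verdict") == "drop"})


def esp_unknown_spi_from(log_fields, remote_ip):
    """True when the event log is the 'unknown SPI' ESP error for that peer (emitted before local-in runs)."""
    return (log_fields.get("subtype") == "vpn" and log_fields.get("status") == "esp_error"
            and log_fields.get("remip") == remote_ip)


def assess_peer(esp_log_line, flow_lines, peer):
    """Combine both outputs: which local-in policy blocks the peer, and whether the ESP log is expected noise."""
    policies = local_in_drops(parse_debug_flow(flow_lines), peer)
    spi_error = esp_unknown_spi_from(parse_fortigate_log(esp_log_line), peer)
    return {"local_in_policies": policies,
            "esp_unknown_spi_logged": spi_error,
            # blocked by local-in AND the SPI lookup logged first: the log is expected, not a failed block
            "esp_log_expected": bool(policies) and spi_error}


if __name__ == "__main__":
    print(assess_peer(ESP_LOG, FLOW_LINES, PEER))
```

Feed it the real debug output by reading the console capture into FLOW_LINES; any trace whose packet detail names the peer but has no 'check failed on policy N, drop' line means the packet got past local-in and the policy should be reviewed.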
