Description
This article describes how to block all unwanted ISAKMP (IKE) attempts.
Opening the ISAKMP port (UDP 500 or 4500) on the FortiGate to everyone exposes the device to ISAKMP denial-of-service attacks. A flood of ISAKMP requests can overload the CPU and eventually exhaust the buffer space needed for legitimate negotiations, and, if a VPN is configured in aggressive mode, the preshared key is also put at risk of compromise.
Scope
FortiGate or VDOM in NAT mode or Transparent mode.
Solution
(LAN SUBNET) --- port1 (FortiGate) --- wan1 --- Internet
Configuration
1) Create firewall address objects for the IP address of the VPN client and for the wan1 interface IP address. The CLI is used in this example:
# config firewall address
edit "allowIP"
set subnet x.x.x.x 255.255.255.255
next
edit "waninterfaceip"
set subnet y.y.y.y 255.255.255.255
end
2) Create custom service objects for ISAKMP (UDP 500 and UDP 4500):
# config firewall service custom
edit "isakmp_500"
set tcp-portrange 0
set udp-portrange 500
next
edit "isakmp_4500"
set tcp-portrange 0
set udp-portrange 4500
end
3) Create local-in policies that allow the ISAKMP traffic only from the allowed IP address. Local-in policies are evaluated top down and the first match wins, so the accept policy for the allowed peer must come before the deny policy that matches any other source:
# config firewall local-in-policy
edit 1
set intf wan1
set srcaddr allowIP
set dstaddr waninterfaceip
set action accept
set service isakmp_500 isakmp_4500
set schedule always
set status enable
next
edit 2
set intf wan1
set srcaddr all
set dstaddr waninterfaceip
set action deny
set service isakmp_500 isakmp_4500
set schedule always
set status enable
next
end
where x.x.x.x is the IP address of the VPN client and y.y.y.y is the IP address of the firewall's wan1 interface.
Note: A local-in policy cannot block UDP 500/4500 traffic from an IP address that is already configured as the remote gateway (peer) of a site-to-site VPN.
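To make the top-down, first-match behaviour of the two policies concrete, here is an added Python simulator (example code, not part of this article and not FortiOS code). It evaluates packets against policies 1 and 2 in order and shows that reversing them would deny the allowed peer as well. The addresses 203.0.113.10 and 198.51.100.1 are constructed placeholders for x.x.x.x and y.y.y.y, and the "no-match" result for packets that match neither policy is a simplification: in this model such packets are simply not filtered by the local-in policy list.

```python
"""Added example (not from the Fortinet article): a first-match simulator
for the two local-in policies above. Addresses are constructed placeholders
for the article's x.x.x.x (allowed VPN client) and y.y.y.y (wan1 IP)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW_IP = ipaddress.ip_network("203.0.113.10/32")   # stands in for x.x.x.x ("allowIP")
WAN_IP = ipaddress.ip_network("198.51.100.1/32")     # stands in for y.y.y.y ("waninterfaceip")
ANY = ipaddress.ip_network("0.0.0.0/0")              # the "all" address object
UDP = 17
ISAKMP_PORTS = frozenset({500, 4500})                # isakmp_500 + isakmp_4500 services


@dataclass(frozen=True)
class LocalInPolicy:
    policy_id: int
    intf: str
    srcaddr: ipaddress.IPv4Network
    dstaddr: ipaddress.IPv4Network
    proto: int
    dports: frozenset
    action: str          # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    intf: str
    src: str
    dst: str
    proto: int
    dport: int


# Policies 1 and 2 from the article, in evaluation order.
POLICIES: List[LocalInPolicy] = [
    LocalInPolicy(1, "wan1", ALLOW_IP, WAN_IP, UDP, ISAKMP_PORTS, "accept"),
    LocalInPolicy(2, "wan1", ANY, WAN_IP, UDP, ISAKMP_PORTS, "deny"),
]


def matches(policy: LocalInPolicy, pkt: Packet) -> bool:
    """A policy matches when interface, source, destination, protocol and
    destination port all match (the service objects are destination ports)."""
    return (policy.intf == pkt.intf
            and ipaddress.ip_address(pkt.src) in policy.srcaddr
            and ipaddress.ip_address(pkt.dst) in policy.dstaddr
            and policy.proto == pkt.proto
            and pkt.dport in policy.dports)


def evaluate(policies: List[LocalInPolicy], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching policy wins and returns (policy_id, action).
    A packet matching no local-in policy returns (None, "no-match"):
    in this simplified model it is not filtered by the local-in list
    (assumption, see the lead-in)."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.policy_id, policy.action
    return None, "no-match"


def main() -> None:
    peer = Packet("wan1", "203.0.113.10", "198.51.100.1", UDP, 500)
    other = Packet("wan1", "192.0.2.50", "198.51.100.1", UDP, 500)  # constructed unknown source
    print("allowed peer, correct order:   ", evaluate(POLICIES, peer))
    print("unknown source, correct order: ", evaluate(POLICIES, other))
    print("allowed peer, policies reversed:", evaluate(list(reversed(POLICIES)), peer))


if __name__ == "__main__":
    main()
```

Running it shows the allowed peer hitting policy 1 (accept) and any other source hitting policy 2 (deny) on UDP 500/4500, while a packet to a different port or arriving on another interface matches neither policy. With the order reversed, the allowed peer is caught by the catch-all deny first, which is the misconfiguration to watch for when editing these policies.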
Verification
Run the debug flow commands to verify. The FortiGate should be seen dropping the packets because of the local-in policy:
FGT90D3Z13004772 # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"
id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"
id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
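To check the trace output programmatically instead of by eye, here is an added Python parser (example code, not part of this article). It groups the debug flow lines by trace_id, records which packets fw_local_in_handler dropped and by which policy, and summarises ISAKMP (UDP 500/4500) packets per source address. The first six sample lines are the article's own output; the trace_id=27 lines are constructed to show a peer whose packet was not dropped, so both outcomes appear in the summary.

```python
"""Added example (not from the Fortinet article): parse FortiGate debug flow
output and summarise which ISAKMP packets the local-in policy dropped."""
import re
from typing import Dict

# Sample output copied from the article's verification section (trace 25/26),
# plus one constructed trace (27) from a peer that is not dropped.
SAMPLE_DEBUG_FLOW = """\
FGT90D3Z13004772 # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"
id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"
id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=27 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 203.0.113.10:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=27 func=init_ip_session_common line=4522 msg="allocate a new session-001cd12a"
"""

# Packet detail: protocol, source:port, destination:port and ingress interface.
PKT_RE = re.compile(
    r'trace_id=(?P<tid>\d+) func=print_pkt_detail .*?'
    r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\w+)'
)
# Local-in handler drop: which policy id caused the drop.
DROP_RE = re.compile(
    r'trace_id=(?P<tid>\d+) func=fw_local_in_handler .*?'
    r'check failed on policy (?P<pid>\d+), drop'
)


def parse_debug_flow(text: str) -> Dict[int, dict]:
    """Group debug flow lines by trace_id. Each entry holds the packet
    5-tuple and, if a local-in policy dropped it, that policy's id."""
    flows: Dict[int, dict] = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            flows[int(m["tid"])] = {
                "proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "intf": m["intf"],
                "dropped_by_policy": None,
            }
            continue
        m = DROP_RE.search(line)
        if m and int(m["tid"]) in flows:
            flows[int(m["tid"])]["dropped_by_policy"] = int(m["pid"])
    return flows


def isakmp_summary(flows: Dict[int, dict]) -> Dict[str, dict]:
    """Per source IP, count UDP 500/4500 packets dropped by a local-in
    policy versus packets with no local-in drop in the captured lines."""
    summary: Dict[str, dict] = {}
    for f in flows.values():
        if f["proto"] != 17 or f["dport"] not in (500, 4500):
            continue
        entry = summary.setdefault(f["src"], {"dropped": 0, "passed": 0})
        if f["dropped_by_policy"] is None:
            entry["passed"] += 1
        else:
            entry["dropped"] += 1
    return summary


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_DEBUG_FLOW)
    for tid, f in sorted(parsed.items()):
        verdict = ("dropped by local-in policy %d" % f["dropped_by_policy"]
                   if f["dropped_by_policy"] is not None else "not dropped by local-in policy")
        print("trace %d: %s:%d -> %s:%d via %s: %s"
              % (tid, f["src"], f["sport"], f["dst"], f["dport"], f["intf"], verdict))
    print(isakmp_summary(parsed))
```

The summary for the sample shows two ISAKMP packets from 172.26.48.86 dropped by policy 2 and one from the constructed peer 203.0.113.10 that reached no local-in drop. Feed it the output of a real `diagnose debug flow` capture filtered on port 500 or 4500 to confirm that only the expected peer addresses pass.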