Blocking unwanted IKE negotiations and ESP packets with a local-in policy
It is not unusual to receive IPsec connection attempts or malicious IKE packets from all over the internet. Malicious parties use these probes to try to establish an IPsec tunnel in order to gain access to your private network. A good way to prevent this is to use local-in policies to deny such traffic.
Sometimes there are malicious attempts using crafted invalid ESP packets. These invalid attempts are automatically blocked by the FOS IPsec local-in handler when it checks the SPI value against the SAs of existing tunnels. The IPsec local-in handler processes the packet instead of the firewall's local-in handler. So when these attempts are blocked, you will notice an
unknown SPI message in your VPN logs instead of being silently blocked by your local-in policy. These log messages are rate limited.
Sample log and alert email
Message meets Alert condition
date=2020-08-11 time=09:28:40 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1597163320747963100 tz="-0700" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=22.214.171.124 locip=126.96.36.199 remport=40601 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="f6c9e2x1" seq="02000400"
Note that invalid SPIs may not always indicate malicious activity. For example, the SPI may not match during rekey, or when one unit flushes its tunnel SAs. Administrators should collect as much information as possible before making a conclusion.
To block undesirable IPsec connection attempts and IKE packets using a local-in policy:
- Configure an address group that excludes legitimate IPs:
config firewall addrgrp edit "All_exceptions" set member "all" set exclude enable set exclude-member "remote-vpn" next end
- Create a local-in policy that blocks IKE traffic from the address group:
config firewall local-in-policy edit 1 set intf "wan1" set srcaddr "All_exceptions" set dstaddr "all" set service "IKE" set schedule "always" next end
The default action is deny.
- Verify the traffic blocked by the local-in policy:
# diagnose debug flow filter dport 500 # diagnose debug flow trace start 10 # diagnose debug enable id=20085 trace_id=290 func=print_pkt_detail line=5588 msg="vd-root:0 received a packet(proto=17, 10.10.10.13:500->10.10.10.1:500) from wan1. " id=20085 trace_id=290 func=init_ip_session_common line=5760 msg="allocate a new session-003442e7" id=20085 trace_id=290 func=vf_ip_route_input_common line=2598 msg="find a route: flag=84000000 gw-10.10.10.1 via root" id=20085 trace_id=290 func=fw_local_in_handler line=430 msg="iprope_in_check() check failed on policy 1, drop"