Fixing ESP Packet with Unknown SPI

I was having some weird times with our Virtual Fortigate Appliance.
It had a very steady IPsec VPN connection with one of our sites, but for some reason packets were being dropped for no good reason although the tunnel remained connected.

I found the following in the logs:


“Received ESP packet with unknown SPI”.
Official Fortigate KBs claim that turning on DPD should prevent this from happening.
But in actuality it did NOT.
My intuition somewhat told me that this had something to do with PFS, as it deals with generating keys per data. I was right. After disabling it the tunnel became stable as a rock.
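The "unknown SPI" message is worth watching for even after the fix, because a burst of it from one peer means the two gateways no longer agree on the live child SA (one side has rekeyed while the other still sends on the old SPI), whereas a single event is usually just a packet that arrived around a rekey boundary. The following script is an added example, not code from the post or from Fortinet: it scans constructed key=value log lines (the field layout is an assumption, not an exact copy of the FortiOS event-log format), groups unknown-SPI events per remote peer and tunnel, and flags peers that exceed a threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for this example. The key=value layout and field
# names (date, time, msg, remip, vpntunnel, spi) are assumptions, not an exact
# copy of what a FortiGate emits; adjust the regex and names to your log source.
SAMPLE_LOGS = [
    'date=2016-05-10 time=09:00:01 type="event" subtype="vpn" msg="progress IPsec phase 2" remip=198.51.100.7 vpntunnel="site-b"',
    'date=2016-05-10 time=09:00:15 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=198.51.100.7 vpntunnel="site-b" spi=0x7f3a1c02',
    'date=2016-05-10 time=09:00:16 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=198.51.100.7 vpntunnel="site-b" spi=0x7f3a1c02',
    'date=2016-05-10 time=09:00:18 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=198.51.100.7 vpntunnel="site-b" spi=0x7f3a1c02',
    'date=2016-05-10 time=09:00:40 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=203.0.113.9 vpntunnel="site-c" spi=0x11aa22bb',
    'date=2016-05-10 time=09:01:02 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=198.51.100.7 vpntunnel="site-b" spi=0x7f3a1c02',
    'date=2016-05-10 time=09:30:00 type="event" subtype="vpn" msg="Received ESP packet with unknown SPI." remip=198.51.100.7 vpntunnel="site-b" spi=0x7f3a1c05',
]

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
UNKNOWN_SPI = "Received ESP packet with unknown SPI"


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def unknown_spi_events(lines):
    """Yield (timestamp, remote_ip, tunnel, spi) for every unknown-SPI event."""
    for line in lines:
        f = parse_line(line)
        if UNKNOWN_SPI not in f.get("msg", ""):
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, f.get("remip", "?"), f.get("vpntunnel", "?"), f.get("spi", "?")


def find_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return {(remip, tunnel): max events seen in any `window`} for peers
    whose busiest window holds at least `threshold` unknown-SPI events.

    Peers below the threshold are dropped: an isolated event around a rekey
    is expected noise, a sustained burst is an SA mismatch worth looking at.
    """
    per_peer = defaultdict(list)
    for ts, remip, tunnel, _spi in unknown_spi_events(lines):
        per_peer[(remip, tunnel)].append(ts)

    flagged = {}
    for peer, stamps in per_peer.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[peer] = best
    return flagged


def unknown_spis_by_peer(lines):
    """Return {(remip, tunnel): sorted list of distinct rejected SPIs}.

    Several different SPIs from the same peer point at repeated rekeys that the
    local side keeps missing, which is the pattern described in the post.
    """
    seen = defaultdict(set)
    for _ts, remip, tunnel, spi in unknown_spi_events(lines):
        seen[(remip, tunnel)].add(spi)
    return {peer: sorted(spis) for peer, spis in seen.items()}


if __name__ == "__main__":
    for peer, count in find_bursts(SAMPLE_LOGS).items():
        print(f"{peer[1]} ({peer[0]}): {count} unknown-SPI events within 60s")
    for peer, spis in unknown_spis_by_peer(SAMPLE_LOGS).items():
        print(f"{peer[1]} ({peer[0]}): rejected SPIs {', '.join(spis)}")
```

Run it against a real export by replacing `SAMPLE_LOGS` with the lines from your log store; the rejected SPIs it reports can then be compared with the SPIs the local gateway currently holds for that tunnel, which tells you which side is behind on the rekey before you start changing phase 2 settings.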

Cheers


3 thoughts on “Fixing ESP Packet with Unknown SPI”

  1. Piyush

    Can you please confirm. Is this the workaround to resolve the issue, if we disable PFS on the tunnel? Please help me on it. It’s urgent and FortiTAC support has no answer till now. We have a 200D and the remote end is a 70D.

    Reply
    1. gilfalko Post author

      If I documented it then it surely has worked.
      You have nothing to lose though.
      Even without PFS it’s still extremely difficult, if not impossible, to break IPsec encryption.
      Not to mention the attacker needs to sit in between the gateways.

      Good luck.

      Reply
