Fixing ESP Packet with Unknown SPI

I was having some weird times with our virtual FortiGate appliance.
It had a very steady IPsec VPN connection with one of our sites, but packets were being dropped for no apparent reason even though the tunnel itself stayed up.

I found the following in the logs:


“Received ESP packet with unknown SPI”.
Official Fortinet KBs claim that turning on DPD (Dead Peer Detection) should prevent this from happening.
In practice it did NOT. DPD only detects a peer that has stopped answering, and here both peers were alive and the tunnel was up.
My intuition told me this had something to do with PFS (Perfect Forward Secrecy), since PFS forces a fresh Diffie-Hellman exchange on every Phase 2 rekey, so each rekey produces new keys and a new SPI. I was right: after disabling it the tunnel became stable as a rock.
"Unknown SPI" means the remote gateway is sending ESP packets on a security association that this gateway does not have installed, which is exactly what happens when a Phase 2 rekey completes on one side only. Before disabling PFS, confirm that the PFS setting and the DH group match on both gateways; turning PFS off removes the per-rekey key independence that is the whole point of PFS, so treat it as a workaround rather than the fix.
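As an added example (it is not part of the original post and is not Fortinet's own documentation), this is how I would confirm the diagnosis on the FortiGate CLI before and after touching PFS: list the SPIs the gateway actually holds, watch the Phase 2 rekey, compare Phase 2 on both peers, then apply either the workaround from the post or the alternative that keeps forward secrecy. The tunnel names `site-b` and `site-b-p2`, the subnets and the proposal are hypothetical; the commands are standard FortiOS CLI.

```fortios
# Added example, not from the original post. Tunnel names, subnets and
# proposal are hypothetical. Run the same steps on BOTH gateways.

# 1. Which SPIs does this gateway really have? Compare the SPI from the
#    "unknown SPI" log entry with the spi= values printed here. If the peer
#    sends on an SPI that is not listed, the two SA tables are out of sync.
diagnose vpn tunnel list name site-b

# 2. Watch the next Phase 2 rekey. A PFS or DH-group mismatch shows up here
#    as a rejected or retried child SA negotiation.
diagnose debug application ike -1
diagnose debug enable
# ... wait for a rekey, then stop the trace:
diagnose debug disable
diagnose debug reset

# 3. Compare Phase 2 on both ends. pfs, dhgrp and proposal must be identical.
show vpn ipsec phase2-interface site-b-p2

# 4a. Workaround from the post: PFS off on both ends, so no DH exchange per rekey.
config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set pfs disable
        set keylifeseconds 3600
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# 4b. Alternative that keeps forward secrecy: PFS on, with the SAME DH group
#     and lifetime configured on both gateways.
config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# 5. After changing either side, drop the stale SAs so both ends renegotiate
#    from the same state instead of carrying a half-completed rekey forward.
diagnose vpn tunnel flush site-b
```

The values that have to agree on both gateways are `pfs`, `dhgrp` and the proposal; keep `keylifeseconds` identical as well, since mismatched lifetimes are another way the two ends end up rekeying out of step. DPD lives under `config vpn ipsec phase1-interface` (`set dpd on-idle` on FortiOS 5.4 and later) and only tears down a tunnel whose peer stops answering, which is why it does nothing for two live peers that disagree about a child SA.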




3 thoughts on “Fixing ESP Packet with Unknown SPI”

  1. Piyush

    Can you please confirm: is this a workaround to resolve the issue if we disable PFS on the tunnel? Please help me with it. It’s urgent and FortiTAC support has no answer till now. We have a 200D and the remote end is a 70D.

    1. gilfalko Post author

      If I documented it then it surely has worked.
      You have nothing to lose, though.
      Even without PFS it’s still extremely difficult, if not impossible, to break IPsec encryption.
      Not to mention that the attacker needs to sit in between the gateways.


