IPSec bruteforce / strange errors in logs

Rivera · May 15, 2015, 2:57pm

Since i enabled IPSec / L2TP on my home router for personal usage, i constantly see this messages in log:

http://i.imgur.com/T330aDb.png

Any idea what happening or how to enable more verbose logging for IPSec?
I’m not sure if IPSec bruteforce is even a thing (i constantly have bunch of chinese IPs bruteforcing my SSH / HTTP, but that’s known problem and i handle them with dynamic address list)

Some set of filtering rules for bruteforce will also be pretty nice.

Rivera · May 19, 2015, 3:35pm

So yeah, that was a bruteforcer from deutsche telekom…

Answering my own question, yeah, it’s possible to prevent bruteforce pretty much like how it’s done in SSH anti-bruteforce, swapping proto and ports to IPSec ones, so now my filter looks like

/ip firewall filter
add action=drop chain=input comment="Drop various bruteforcers - complete lockdown" src-address-list=bruteforcers_blacklist
add action=add-src-to-address-list address-list=bruteforcers_blacklist address-list-timeout=1w3d chain=input comment=\
    "SSH bruteforce prevention stage 4 (final)" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="SSH bruteforce prevention stage 3" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="SSH Bruteforce prevention stage 2" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="SSH bruteforce prevention stage 1" \
    connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=bruteforcers_blacklist address-list-timeout=1w3d chain=input comment=\
    "SSH Bruteforce prevention stage 4 (final)" connection-state=new dst-port=500,4500 protocol=udp src-address-list=ipsec_stage3
add action=add-src-to-address-list address-list=ipsec_stage3 address-list-timeout=1m chain=input comment="IPSec bruteforce prevention stage 3" \
    connection-state=new dst-port=500,4500 protocol=udp src-address-list=ipsec_stage2
add action=add-src-to-address-list address-list=ipsec_stage2 address-list-timeout=1m chain=input comment="IPSec Bruteforce prevention stage 2" \
    connection-state=new dst-port=500,4500 protocol=udp src-address-list=ipsec_stage1
add action=add-src-to-address-list address-list=ipsec_stage1 address-list-timeout=1m chain=input comment="IPSec bruteforce prevention stage 1" \
    connection-state=new dst-port=500,4500 protocol=udp