Ipsec error in Log

3liswaid · April 29, 2019, 7:36am

Dears,
kindly your support to explain the below in the log

03:39:34 ipsec,info respond new phase 1 (Identity Protection): "MY IP"[500]<=>216.218.206.118[36735] 
03:39:34 ipsec,error 216.218.206.118 failed to get valid proposal. 
03:39:34 ipsec,error 216.218.206.118 failed to pre-process ph1 packet (side: 1, status 1). 
03:39:34 ipsec,error 216.218.206.118 phase1 negotiation failed. 
06:27:58 pptp,info TCP connection established from 185.156.177.153 
06:27:58 pptp,info TCP connection established from 185.156.177.153 
06:27:58 pptp,info TCP connection established from 185.156.177.153

is it an attack?
and how can i stop it?

3liswaid · April 29, 2019, 7:44am

Also what is the TCP connection established towards my router?

karlisi · April 29, 2019, 10:32am

These are connections to your PPTP server. ‘TCP connection established’ not necessarily means someone was able to get in, it means someone established connection and was able to begin the authentication process.
The same for ipsec errors, although in this case it is clearly visible, attacker failed to authenticate.
If your VPN servers are wide open to whole world, you can’t avoid such attacks. If VPN clients have fixed IPs use whitelists, for dynamic IPs use port knocking (search this forum about it). Or use very strong passwords and VPN auditing.

3liswaid · April 29, 2019, 11:46am

thank you for your response.
i don’t use IPSEC at all how can i disable it?
for PPTP i will do as you said

thanks

karlisi · April 29, 2019, 12:27pm

Review firewall input chain, perhaps you have unnecessary ports or protocols open. Best practice is to close all, except only those you are using.