L2TP/IPSec VPN - <random ip> failed to get valid proposal.

Hi,

I have a working L2TP with IPsec configuration on my RB4011, but the following error messages appear a few times per day from some random IP addresses. Are they just harmless port scanning, or do they indicate some security hole? The password and pre-shared key are complex enough. I’m using the built-in .sn.mynetname.net domain name to reach the VPN service from outside. (RouterOS: 6.48.6)


10:00:03 ipsec,info respond new phase 1 (Identity Protection): ${MY_IP}[500]<=>64.62.197.34[16124]
10:00:03 ipsec SPI size isn’t zero, but IKE proposal.
10:00:03 ipsec invalid encryption algorithm=6.
10:00:03 ipsec no Proposal found.
10:00:03 ipsec,error 64.62.197.34 failed to get valid proposal.
10:00:03 ipsec,error 64.62.197.34 failed to pre-process ph1 packet (side: 1, status 1).
10:00:03 ipsec,error 64.62.197.34 phase1 negotiation failed.

Thanks for any reply!

There are some “organisations” that do attempt IPsec connections: Netscout, Shadow Server, etc. Your IP tried testing my router as well. I just add all connection attempts to a firewall drop rule via an address-list.

Those are mine so far:

216.218.0.0/16
46.88.240.0/24
74.82.47.0/24
65.49.20.0/24
184.105.0.0/16
64.62.197.0/24
27.115.124.0/24
47.242.35.0/24

Is it necessary? What I’m after is: I want to know whether, CPU-wise, it is worth it to add a list and a drop rule. Let them try :D

Thanks drasir for the list! I had started to collect them at the beginning, but after 3 or 4 addresses I thought it was endless.

I made the following changes; it might be useful for others too. The “log” part can be removed from the filter if you are not interested in how it is working.

/ip firewall address-list
add address=216.218.0.0/16 list=vpn_block
add address=46.88.240.0/24 list=vpn_block
add address=74.82.47.0/24 list=vpn_block
add address=65.49.20.0/24 list=vpn_block
add address=184.105.0.0/16 list=vpn_block
add address=64.62.197.0/24 list=vpn_block
add address=27.115.124.0/24 list=vpn_block
add address=47.242.35.0/24 list=vpn_block
/ip firewall filter
# drop (and log) anything from the list on the input chain; keep this rule above the accept rules for UDP 500/4500 and L2TP
add action=drop chain=input log=yes log-prefix=vpn_drop_from_list src-address-list=vpn_block

If you are after the best practice for this, there are scripts in the forum that can read log entries and add the src address to your blacklist.

Can you point us to one of those?
I looked and came up empty.

http://forum.mikrotik.com/t/black-list-for-failed-login-to-ipsec-vpn/130090/1
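As an added illustration of the approach referred to above (reading the router log and feeding the source address into the drop list), here is a RouterOS script written for this page; it is not the script at the linked thread and not MikroTik's own code. It assumes RouterOS 6.x, the `vpn_block` list and drop rule shown earlier in this thread, and that it is run periodically from `/system scheduler`. It keys on the `failed to get valid proposal` message from the original post, whose first token is the peer address; the ban duration and list name are assumptions you can change.

```routeros
# Added example, not from the forum thread: scan the in-memory log for IKE
# phase-1 proposal failures and add the peer address to the vpn_block list.
# Assumptions: list name "vpn_block", 1-day dynamic ban, scheduled run.
:local listName "vpn_block"
:local banTime 1d

:foreach entry in=[/log find where message~"failed to get valid proposal"] do={
    :local msg [/log get $entry message]
    # Log line looks like: "64.62.197.34 failed to get valid proposal."
    # The peer address is everything before the first space.
    :local addr [:pick $msg 0 [:find $msg " "]]

    # Only act on something that really parses as an IP address
    :if ([:typeof [:toip $addr]] = "ip") do={
        # Skip peers already present (static /24s from the list above, or a
        # dynamic entry added on an earlier run of this script)
        :if ([:len [/ip firewall address-list find where list=$listName && address=$addr]] = 0) do={
            /ip firewall address-list add list=$listName address=$addr timeout=$banTime \
                comment="auto: ipsec invalid proposal"
            :log info "$listName: added $addr for $banTime"
        }
    }
}
```

Install it as a script and trigger it from a scheduler entry (for example every 5 minutes); the `timeout=` makes the entries dynamic, so a legitimate client that once offered a bad proposal (a misconfigured phone, say) is unblocked automatically rather than locked out for good. Once an address is in the list the drop rule stops further IKE packets before they reach the IPsec daemon, so the same peer does not keep generating log lines. The match is on the single error message only; the `SPI size isn't zero` and `invalid encryption algorithm` lines in the original post carry no address and are ignored.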

Is it necessary? I guess not.

Do i get instant satisfaction in knowing that my router does not appear in their lists: Yes! :slight_smile:

Thank you

YVW.