Hi all. I am relatively new to Mikrotik routers. I have a hAP ac2, and just recently set up IPsec connectivity so that I can VPN from my phone and use RouterOS’s built in Wake on LAN feature while I am away from home. Everything seems to be working.
I glanced at my logs in Winbox this morning and noticed that over the past 24 hours my router has received several IPsec key exchange / phase 1 negotiation requests that did not originate from any of my devices. It looks like they were all unsuccessful at establishing connection, but should I be concerned about this?
I’d better investigate it, is it targeted attack or not.
I.e. I spent several months trying to make DigitalOcean to stop botnet attacks from their network, still not resolved, next step will be report to FBI.
Here are the entries from my log. I know for a fact I was not attempting any VPN connections at these times.
feb/09 21:09:47 ipsec,info respond new phase 1 (Identity Protection): MyPublicIPAddress[500]<=>216.218.206.74[51722]
feb/09 21:09:47 ipsec SPI size isn’t zero, but IKE proposal.
feb/09 21:09:47 ipsec invalid encryption algorithm=6.
feb/09 21:09:47 ipsec no Proposal found.
feb/09 21:09:47 ipsec,error 216.218.206.74 failed to get valid proposal.
feb/09 21:09:47 ipsec,error 216.218.206.74 failed to pre-process ph1 packet (side: 1, status 1).
feb/09 21:09:47 ipsec,error 216.218.206.74 phase1 negotiation failed.
feb/10 02:36:23 ipsec 146.88.240.4 packet shorter than isakmp header size (46, 0, 28)
feb/10 17:49:32 ipsec → ike2 request, exchange: SA_INIT:0 167.71.110.14[47510] 071804b39ac2cf70:0000000000000000
feb/10 17:49:32 ipsec no IKEv2 peer config for 167.71.110.14
feb/10 20:58:12 ipsec,info respond new phase 1 (Identity Protection): MyPublicIPAddress[500]<=>216.218.206.102[34389]
feb/10 20:58:12 ipsec SPI size isn’t zero, but IKE proposal.
feb/10 20:58:12 ipsec invalid encryption algorithm=6.
feb/10 20:58:12 ipsec no Proposal found.
feb/10 20:58:12 ipsec,error 216.218.206.102 failed to get valid proposal.
feb/10 20:58:12 ipsec,error 216.218.206.102 failed to pre-process ph1 packet (side: 1, status 1).
feb/10 20:58:12 ipsec,error 216.218.206.102 phase1 negotiation failed.
feb/10 21:18:29 ipsec the length in the isakmp header is too big.
02:42:37 ipsec 146.88.240.4 packet shorter than isakmp header size (46, 0, 28)
Pasting the above unknown IP addresses into Google reveals they all have a history of being reported for abuse. I have my IPsec settings configured with the Xauth road warrior policy based method. Is there any way these connection attempts could “sniff out” any way to connect to my network?
My suggestion to trap and then drop any unsolicited VPN traffic is as follows:
Create the following address list named rogue_vpn_hosts
Create the following Firewall Filter Rules [this assumes ipsec … if you are using L2TP/ipse you will need to add more dst-ports ports]:
Now when you check your logs and see unsolicited VPN traffic copy the IP Address and add that to your address list like the following:
/ip firewall address-list add address=148.75.242.158 list=rogue_vpn_hosts
Thanks, I will give this a try. I already have the second two rules, minus the logging, to allow establishment of the VPN connections. Can I just add the logging to the existing rules, or do they need to be separate? Or should I just create two mangle rules where the action is “log”?
@NovaProspekt
Just add the logging to you existing rules … no need to mangle …
I get hit by rouge vpn attempts on a frequent bases and my trap and drop method has worked very effectively in stopping that … should work well for you as well ..
Get yourself a Tool like ipnetinfo from Nirsoft and that will give you a lot of info about the rouge vpn addresses.
So, I have been adding at least 1 rogue VPN connection attempt to my block list nearly every day. I can see this list growing to hundreds or thousands of IP addresses over time. Would it be more efficient to just white-list the MAC addresses of my devices that would be VPN connecting to the router by putting them in the SRC-MAC address field of the IPsec allow filter rules? Then all rogue connection attempts would be blocked automatically without me having to manually maintain the block list.
MAC is not relevant here (they only have significance on the local LAN), but public IP’s are in this case.
Sure it would be a better way to whitelist and ONLY allows these IP’s on the Internet to initiate IPSEC towards you, but this is not always possible unless all endpoint you know have fixed static public IP’s ?
I have been trapping rogue VPN host over the past 2 years and so far I have 45 entries in my address list. following is my list that you may find helpful … note that many of the rogue host are placed in networks [CIDR] because many of these rouge host operated in groups within the same network …this has proven to be effective for me … perhaps for you too:
As @karlisi states many only try once and do not come back
You can add a timeout value to hosts and see what happens after a period of time … the timeout means that the IP address will be removed from the list when it hits the time out value.
Example: