messages on my log

on my log i see this. what does it mean ?

TIME MESSAGE
oct/23/2004 21:35:12 peer not configured
oct/23/2004 21:35:13 received ISAKMP packet from 65.102.121.225:500, phase 1,
Identity Protection >
oct/23/2004 21:35:13 peer not configured
oct/23/2004 21:35:14 received ISAKMP packet from 65.102.121.225:500, phase 1,
Identity Protection >
oct/23/2004 21:35:14 peer not configured
oct/23/2004 21:35:18 received ISAKMP packet from 65.102.121.225:500, phase 1,
Identity Protection >
oct/23/2004 21:35:18 peer not configured
oct/23/2004 21:35:26 received ISAKMP packet from 65.102.121.225:500, phase 1,
Identity Protection >
oct/23/2004 21:35:26 peer not configured
oct/23/2004 21:35:43 received ISAKMP packet from 65.102.121.225:500, phase 1,
Identity Protection >
oct/23/2004 21:35:43 peer not configured
oct/23/2004 21:36:15 received ISAKMP packet from 65.102.121.225:500, phase 2,
Informational >

I think you are under attack, like me, like a lot of people out here.

so what do I have to do ?
can it have something to do with my emule download problem ?

any forewall rule I can set up … any help ?

The log is showing attempts to create an IPsec tunnel. If you want to block this, you have to block UDP port 500 and ip protocol 47 (beware, however, that PPTP for example also is making use of ip protocol 47)…

2 dst-address=:500 protocol=udp action=reject

3 dst-address=:47 protocol=tcp action=reject

is this enough ?

dst-address=:47 protocol=tcp action=reject

Sorry to be picky, but the line above is one of the most common mistakes when working with IPsec (or PPTP) and firewalling.
IPsec/PPTP is using different ip protocol(s), not tcp ports!
Apart from that (was wrong in my first post) ip protocol 47 (GRE) is for PPTP, for IPsec you need ip protocols 50/51. So the rule above should be

/ip firewall rule input add in-interface=ether1 protocol=ipsec-ah action=reject
/ip firewall rule input add in-interface=ether1 protocol=ipsec-esp action=reject

Replace the interface name (ether1 in my example) according to you setup…

thank you very much, I will change it to this.

I am on another prob…

on the

ip firewall rule forward

I use the limit connection to limit the maximum connection of the mangled traffic to 150.
But then we need to limit also the OVERALL max amount of connections per user, since they can have viruses or other applications opening thousands and thousands of connections.
for each user I put an extra rule, just after the p2p lilmit to 150, saying max connection to 400.

how do you do it ? you dont have problems of amount of connection on your router or people with virus etc…

Sorry gianluca, we are mostly using RouterOS for wireless point-to-point applications, so I don’t have much experience with traffic shaping…

many thanks again anyway

I received again on the log

oct/27/2004 15:05:50 peer not configured
oct/27/2004 15:05:54 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:05:54 peer not configured
oct/27/2004 15:05:59 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:05:59 peer not configured
oct/27/2004 15:06:00 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:06:00 peer not configured
oct/27/2004 15:06:02 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:06:02 peer not configured
oct/27/2004 15:06:02 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:06:02 peer not configured
oct/27/2004 15:06:06 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:06:06 peer not configured
oct/27/2004 15:06:14 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:06:14 peer not configured
oct/27/2004 15:06:18 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:06:18 peer not configured
oct/27/2004 15:06:31 received ISAKMP packet from 194.176.44.209:500, phase 1, Identity Protection
oct/27/2004 15:06:31 peer not configured
oct/27/2004 15:06:50 received ISAKMP packet from 82.135.2.123:500, phase 2, Informational
oct/27/2004 15:06:50 unexpected Informational exchange (remote unknown)
oct/27/2004 15:07:03 received ISAKMP packet from 194.176.44.209:500, phase 2, Informational
oct/27/2004 15:07:03 unexpected Informational exchange (remote unknown)
oct/27/2004 15:18:18 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:18 peer not configured
oct/27/2004 15:18:19 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:19 peer not configured
oct/27/2004 15:18:21 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:21 peer not configured
oct/27/2004 15:18:25 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:25 peer not configured
oct/27/2004 15:18:33 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:33 peer not configured
oct/27/2004 15:18:49 received ISAKMP packet from 82.135.2.123:500, phase 1, Identity Protection
oct/27/2004 15:18:49 peer not configured
oct/27/2004 15:19:10 received ISAKMP packet from 82.135.2.123:500, phase 2, Informational
oct/27/2004 15:19:10 unexpected Informational exchange (remote unknown)


and the input rule you gave me didn’t take any packet, I still have the counters on 0

?

My post above didn’t contain all the rules - just the correction for protocol 47 instead of tcp port 47…

The log messages you see concern ISAKMP (“Internet Security Association and Key Management Protocol”), which is used to establish and manage so-called “Security Associations” between routers wanting to build an IPsec tunnel (sorry to experts for somewhat simplified description ).

ISAKMP usually is transported over UDP port 500, so to filter this out you have to add

/ip firewall rule input add in-interface=ether1 protocol=udp src-port=500 action=reject

again correcting the interface name for your situation.

i think action drop would be better

Indeed. That’s the sort of thing you get when you “just” try to correct something - the reject was in the original post which I tried to correct …

many many thanks to you both

BUT justto be sure, I post it all …

2 in-interface=public protocol=ipsec-ah action=drop log=yes

3 in-interface=public protocol=ipsec-esp action=drop log=yes

4 src-address=:500 in-interface=public protocol=udp action=drop

is this enough and correct ?

Looks good to me…

I have to thank you a lot
talk to you on another subject soon
bye
Gianluca

now I receive this on my log
a part of course is drpped by the input rule, but there is still another part (ISKAM) which doen’s mach my input rules
nov/06/2004 01:43:03 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 244 >
nov/06/2004 01:43:05 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 244 >
nov/06/2004 01:43:09 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 244 >
nov/06/2004 01:43:17 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 244 >
nov/06/2004 01:43:34 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 244 >
nov/06/2004 01:44:06 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
218.186.80.250:500->217.172.x.x:500, len 84 >
nov/06/2004 04:31:42 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:31:42 peer not configured
nov/06/2004 04:31:43 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:31:43 peer not configured
nov/06/2004 04:31:45 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:31:45 peer not configured
nov/06/2004 04:31:49 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:31:49 peer not configured
nov/06/2004 04:31:57 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:31:57 peer not configured
nov/06/2004 04:32:14 received ISAKMP packet from 200.11.68.178:11539, phase 1, Identity Protection
nov/06/2004 04:32:14 peer not configured
nov/06/2004 04:32:44 received ISAKMP packet from 200.11.68.178:11539, phase 2, Informational
nov/06/2004 04:32:44 unexpected Informational exchange (remote unknown)
nov/06/2004 06:44:41 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
213.35.219.89:500->217.172.x.x:500, len 548 >
nov/06/2004 06:44:47 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
213.35.219.89:500->217.172.x.x:500, len 548 >
nov/06/2004 06:44:55 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
213.35.219.89:500->217.172.x.x:500, len 548 >
nov/06/2004 06:45:11 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
213.35.219.89:500->217.172.x.x:500, len 548 >
nov/06/2004 06:45:43 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,
213.35.219.89:500->217.172.x.x:500, len 84 >
nov/06/2004 07:00:50 input->DROP, in:public, out:(local), src-mac 00:04:de:69:e8:a8, prot UDP,

You should add one more rule:
dst-address=:500 in-interface=public protocol=udp action=drop

Eugene

thanks

We had this attack a lot on our routers with global external ip.

It stopped completely, when we uninstalled the ip-security package, which we had no use for.

Never leave any packages in the routers you don’t need !

Kim C

many thanks
I disable it for the moment (do not know how to delete)

we have it but not using …

probably in next version it is sufficient not to load and that’s all

many thanks again