I often see in the logs somebody from the USA, China, Korea etc. trying to connect to my VPN. All the IPsec negotiations failed, but… how can I secure this more?
For now I drop any ipsec-esp and ipsec-ah connections, except the VPN allow list.
That's the most secure way, when you always know which peers initiate contact with you.
Additionally, do it for UDP port 500 (IKE), which comes along with IPsec…
-Chris
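As an added example (not posted by anyone in this thread), this is what the "drop everything except the allow list" approach looks like as RouterOS input-chain rules. It covers the ESP and AH protocols from the first post and the IKE port from Chris's reply, and additionally UDP 4500 (NAT-T), because clients behind NAT move both IKE and ESP-in-UDP onto that port after the first exchange, so leaving it open would defeat the filter. The list name `vpn-allow` and the address 203.0.113.10 are placeholders.

```routeros
# Added example: admit IKE/IPsec only from a static allow list.
# "vpn-allow" and 203.0.113.10 are placeholders, replace with your own peers.
/ip firewall address-list
add list=vpn-allow address=203.0.113.10 comment="office gateway"

/ip firewall filter
# keep this above the VPN rules so the packets of live tunnels are not re-evaluated
add chain=input connection-state=established,related action=accept comment="existing flows"
# IKE (UDP 500) and NAT-T (UDP 4500: IKE and ESP-in-UDP for peers behind NAT)
add chain=input protocol=udp dst-port=500,4500 src-address-list=vpn-allow action=accept comment="IKE/NAT-T from allowed peers"
add chain=input protocol=ipsec-esp src-address-list=vpn-allow action=accept comment="ESP from allowed peers"
add chain=input protocol=ipsec-ah src-address-list=vpn-allow action=accept comment="AH from allowed peers"
# everyone else aimed at the VPN is dropped silently, so the scanners seen in the
# log never reach the IKE daemon and no negotiation (failed or not) is logged
add chain=input protocol=udp dst-port=500,4500 action=drop comment="IKE/NAT-T from anyone else"
add chain=input protocol=ipsec-esp action=drop comment="ESP from anyone else"
add chain=input protocol=ipsec-ah action=drop comment="AH from anyone else"
```

Check it with `/ip firewall filter print stats where chain=input`: after a while the three drop rules should carry the scanner traffic and the accept rules only your own peers. If a known peer stops connecting, the first thing to verify is that its current address is really in `/ip firewall address-list print where list=vpn-allow`.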
Unfortunately I haven't found a good way to do this with RouterOS alone. Using certificate auth will in theory make it incredibly hard to hack, but I'd still like more protection.
One way that would work is sending the syslog to another Linux server running Fail2ban and detecting brute-force attempts there. You'd then need a script that adds the IPs to a block list.
Dropping everything except the whitelist is the right approach. If you need a dynamic whitelist you would need to implement port knocking.
Port knocking is not the right approach. It's a nasty, hacky bodge.
The correct approach for VPN servers with roaming clients is to blacklist repeat offenders.
You don't need port knocking for a dynamic whitelist. Schedule a script that resolves your dynamic host name(s) every so often and updates the IP in your whitelist, and drop all other IPs after that.
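Both suggestions in the post above, blacklisting repeat offenders and refreshing the whitelist from dynamic DNS names, can be done on the router itself. The following is an added example, not something posted in the thread, and it makes two assumptions: the router has one public address (so the `addresses-and-dst-port` mode of `dst-limit` keys on the source address in practice), and the host names `laptop.dyn.example.org` and `phone.dyn.example.org`, the list names and the thresholds are placeholders. Note that the rate limit counts IKE packets per source, not failed negotiations; the firewall cannot see whether a negotiation succeeded, so the threshold is set well above what a real client sends (one exchange plus a few retransmits per minute). Only UDP 500 is rate-limited, because a working NAT-T tunnel legitimately pushes a high packet rate over UDP 4500.

```routeros
# Added example, part 1: blacklist sources that hammer IKE.
# Assumes a single public address on the router; list names and limits are placeholders.
/ip firewall filter
# anything already on the blocklist is dropped before any VPN rule is reached
add chain=input src-address-list=ike-blocklist action=drop comment="blacklisted IKE sources"
# a real peer sends a handful of IKE packets per minute; allow 20/min per source (burst 20)
add chain=input protocol=udp dst-port=500 dst-limit=20/1m,20,addresses-and-dst-port/1m action=accept comment="IKE within rate"
# whatever exceeds that is a repeat offender: add-src-to-address-list does not terminate,
# so the packet falls through to the drop rule and every later packet hits the rule above
add chain=input protocol=udp dst-port=500 action=add-src-to-address-list address-list=ike-blocklist address-list-timeout=1d comment="IKE over rate -> blacklist"
add chain=input protocol=udp dst-port=500 action=drop comment="IKE over rate"

# Added example, part 2: keep vpn-allow in sync with dynamic DNS names every 5 minutes.
# Host names are placeholders; the whitelist rules themselves are the usual
# src-address-list=vpn-allow accept / unconditional drop pairs.
/system script
add name=vpn-allow-refresh policy=read,write,test source={
    :local hosts {"laptop.dyn.example.org";"phone.dyn.example.org"}
    :foreach h in=$hosts do={
        :do {
            :local ip [:resolve $h]
            # one list entry per host name, keyed by its comment
            :local id [/ip firewall address-list find where list="vpn-allow" && comment=$h]
            :if ([:len $id] = 0) do={
                /ip firewall address-list add list="vpn-allow" address=$ip comment=$h
                :log info ("vpn-allow: added " . $h . " = " . $ip)
            } else={
                :if ([:tostr [/ip firewall address-list get $id address]] != [:tostr $ip]) do={
                    /ip firewall address-list set $id address=$ip
                    :log info ("vpn-allow: updated " . $h . " -> " . $ip)
                }
            }
        } on-error={
            # a failed lookup keeps the previous address rather than dropping the peer
            :log warning ("vpn-allow: could not resolve " . $h . ", keeping old entry")
        }
    }
}
/system scheduler
add name=vpn-allow-refresh interval=5m on-event=vpn-allow-refresh policy=read,write,test
```

Two things to watch: a roaming client that changes address is locked out until the next scheduler run and the DNS record has caught up, so the interval and the record's TTL bound the outage; and the blacklist rule shares the fate of everyone behind the same NAT, so a misbehaving host on a carrier-grade NAT can block a legitimate colleague on the same public address. Current RouterOS also accepts a DNS name directly as the `address=` of an address-list entry and keeps a dynamic IP entry refreshed by the record's TTL, which makes the script unnecessary where that is available.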
It depends on what side should be dynamic…
No it doesn't…
Ok,
Let's assume you have a server side with a fixed public IP address and want to protect it. But you want to be able to connect many clients that are changing their IP addresses quite often (mobile phones, laptops…). Dynamic DNS resolving will not provide any help in this scenario. But you can knock the ports from the clients and open the whitelist as necessary, immediately.
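For completeness, the port-knocking variant described in the last post, as an added example that is not from any of the posters: two TCP knocks in sequence within 15 seconds put the client's address on `vpn-allow` for an hour, and the VPN rules are the same allow-list pair as before, just with a dynamically populated list. The knock ports 1221 and 2112, the timeouts and the list names are placeholders.

```routeros
# Added example: two-stage port knock that populates vpn-allow dynamically.
# Knock ports, timeouts and list names are placeholders.
/ip firewall filter
# stage 1: a packet to the first knock port marks the source for 15 seconds
add chain=input protocol=tcp dst-port=1221 action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock 1"
# stage 2: the second knock, only from a stage-1 source and within those 15 s, opens the VPN for 1 h
add chain=input protocol=tcp dst-port=2112 src-address-list=knock-stage1 action=add-src-to-address-list address-list=vpn-allow address-list-timeout=1h comment="knock 2 -> vpn-allow"
# the knock ports themselves are never answered, so a scan shows them as filtered like everything else
add chain=input protocol=tcp dst-port=1221,2112 action=drop comment="swallow knocks"
# VPN rules: identical in shape to the static allow list
add chain=input protocol=udp dst-port=500,4500 src-address-list=vpn-allow action=accept comment="IKE/NAT-T from knocked peers"
add chain=input protocol=ipsec-esp src-address-list=vpn-allow action=accept comment="ESP from knocked peers"
add chain=input protocol=udp dst-port=500,4500 action=drop comment="IKE/NAT-T from anyone else"
add chain=input protocol=ipsec-esp action=drop comment="ESP from anyone else"
```

From a Linux client the knock is simply `nc -z -w1 vpn.example.org 1221; nc -z -w1 vpn.example.org 2112` followed by starting the VPN. The hour-long entry is the weak spot the earlier poster objects to: the established/related rule keeps a running tunnel alive past the expiry, but an IKE rekey after the entry has expired is dropped until the client knocks again, and anyone who can observe the path sees the knock sequence in the clear and can replay it from their own address.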