rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Failed IPSEC connection every morning from 216.218.206.106

Wed Aug 18, 2021 12:45 pm

I have a failed IPSec connection in the log every morning...

respond new phase 1 (Identity Protection): WAN IP[500]<=>216.218.206.106[58955]
216.218.206.106 failed to get valid proposal
216.218.206.106 failed to pre-process ph1 packet (side: 1,status 1).
216.218.206.106 phase1 negotiation failed.

The IP belongs to The Shadow Server Foundation.

Do you suggest additional precautions here?

Below are the settings for the RB4011...

# aug/18/2021 10:26:57 by RouterOS 6.48.3
# software id = FW5U-5K9I
#
# model = RB4011iGS+
# serial number = D4455667773333
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface vlan
add interface=ether5 name=ether5-911 vlan-id=911
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether5-911 \
    keepalive-timeout=60 name=pppoe-wan user=\
    1234567890@broadband.com
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=6 name=AdBlock value="'192.168.50.50'"
/ip ipsec policy group
add name=vpn
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name=dhcp ranges=192.168.50.100-192.168.50.254
add name=pool1-L2TP_users ranges=10.0.50.2-10.0.50.20
add name=vpn ranges=10.22.22.10-10.22.22.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=defconf
/ip ipsec mode-config
add address-pool=vpn name=vpn
/ppp profile
add idle-timeout=1m local-address=10.0.50.1 name=profile1-L2TP_users \
    remote-address=pool1-L2TP_users session-timeout=0s use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-wan list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=\
    192.168.50.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=23h59m59s update-time=no
/ip dhcp-client
add comment=defconf interface=ether5-911 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.50.3 client-id=1:84:d8:1b:59:0:92 mac-address=\
    84:D8:1B:59:00:92 server=defconf
add address=192.168.50.12 client-id=1:78:24:af:82:df:b3 dhcp-option=\
    AdBlock mac-address=78:24:AF:82:DF:B3 server=defconf
add address=192.168.50.11 client-id=1:78:24:af:82:df:b2 dhcp-option=\
    AdBlock mac-address=78:24:AF:82:DF:B2 server=defconf
add address=192.168.50.58 dhcp-option=AdBlock mac-address=\
    10:CE:A9:50:87:C0 server=defconf
add address=192.168.50.15 client-id=1:0:18:dd:25:f:d1 mac-address=\
    00:18:DD:25:0F:D1 server=defconf
add address=192.168.50.16 client-id=1:0:18:dd:25:12:1e mac-address=\
    00:18:DD:25:12:1E server=defconf
add address=192.168.50.2 client-id=1:8:55:31:26:f8:1d mac-address=\
    08:55:31:26:F8:1D server=defconf
add address=192.168.50.56 dhcp-option=AdBlock mac-address=\
    C8:3A:6B:F6:74:D4 server=defconf
add address=192.168.50.63 client-id=1:3c:5c:c4:43:a:14 dhcp-option=\
    AdBlock mac-address=3C:5C:C4:43:0A:14 server=defconf
add address=192.168.50.44 client-id=1:b4:a3:82:f:6:1b mac-address=\
    B4:A3:82:0F:06:1B server=defconf
add address=192.168.50.43 client-id=1:b4:a3:82:f:5:da mac-address=\
    B4:A3:82:0F:05:DA server=defconf
add address=192.168.50.42 client-id=1:b4:a3:82:f:7:29 mac-address=\
    B4:A3:82:0F:07:29 server=defconf
add address=192.168.50.18 client-id=1:74:da:88:32:c1:bf mac-address=\
    74:DA:88:32:C1:BF server=defconf
add address=192.168.50.17 client-id=1:74:da:88:14:2d:b9 mac-address=\
    74:DA:88:14:2D:B9 server=defconf
add address=192.168.50.5 client-id=1:60:32:b1:97:a4:86 mac-address=\
    60:32:B1:97:A4:86 server=defconf
add address=192.168.50.4 client-id=1:60:32:b1:97:a4:70 mac-address=\
    60:32:B1:97:A4:70 server=defconf
add address=192.168.50.6 client-id=1:60:32:b1:d1:63:40 mac-address=\
    60:32:B1:D1:63:40 server=defconf
add address=192.168.50.51 client-id=1:ae:b6:6a:cd:4a:88 dhcp-option=\
    AdBlock mac-address=AE:B6:6A:CD:4A:88 server=defconf
add address=192.168.50.52 client-id=1:8e:35:76:45:bd:c4 dhcp-option=\
    AdBlock mac-address=8E:35:76:45:BD:C4 server=defconf
add address=192.168.50.54 client-id=1:8c:83:e1:b:f8:94 dhcp-option=\
    AdBlock mac-address=8C:83:E1:0B:F8:94 server=defconf
add address=192.168.50.59 dhcp-option=AdBlock mac-address=\
    40:06:A0:A7:CD:E0 server=defconf
add address=192.168.50.62 client-id=1:a0:d0:dc:d4:b0:b dhcp-option=\
    AdBlock mac-address=A0:D0:DC:D4:B0:0B server=defconf
add address=192.168.50.61 client-id=1:38:f7:3d:a9:c4:dc dhcp-option=\
    AdBlock mac-address=38:F7:3D:A9:C4:DC server=defconf
add address=192.168.50.64 client-id=1:0:4:4b:b1:da:f9 comment=shield_TV \
    dhcp-option=AdBlock mac-address=00:04:4B:B1:DA:F9 server=defconf
add address=192.168.50.60 client-id=1:64:16:66:8f:d4:46 dhcp-option=\
    AdBlock mac-address=64:16:66:8F:D4:46 server=defconf
add address=192.168.50.65 client-id=1:8c:83:e1:c4:e2:a8 dhcp-option=\
    AdBlock mac-address=8C:83:E1:C4:E2:A8 server=defconf
add address=192.168.50.41 client-id=1:0:2a:2a:4b:8d:a8 mac-address=\
    00:2A:2A:4B:8D:A8 server=defconf
add address=192.168.50.67 client-id=1:5c:a3:9d:2d:a8:ad comment=small_TV \
    dhcp-option=AdBlock mac-address=5C:A3:9D:2D:A8:AD server=defconf
add address=192.168.50.57 client-id=1:d6:2d:76:4e:aa:21 dhcp-option=\
    AdBlock mac-address=D6:2D:76:4E:AA:21 server=defconf
add address=192.168.50.53 client-id=1:68:3e:26:38:96:45 dhcp-option=\
    AdBlock mac-address=68:3E:26:38:96:45 server=defconf
add address=192.168.50.50 client-id=1:0:15:17:dd:cf:ae dhcp-option=\
    AdBlock mac-address=00:15:17:DD:CF:AE server=defconf
add address=192.168.50.55 client-id=1:c:c4:7a:42:45:e0 mac-address=\
    0C:C4:7A:42:45:E0 server=defconf
add address=192.168.50.68 client-id=1:24:f5:a2:8c:51:10 dhcp-option=\
    AdBlock mac-address=24:F5:A2:8C:51:10 server=defconf
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.2,1.0.0.2 \
    gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 log=yes log-prefix=IPSEC/IKE2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "Masquerade VPN traffic so devices see connections made from router IP" \
    log=yes src-address=10.22.22.10-10.22.22.20
add action=dst-nat chain=dstnat comment="emby forwarding" dst-port=8096 \
    in-interface=pppoe-wan log=yes log-prefix=emby_CONNECT protocol=tcp \
    to-addresses=192.168.50.11 to-ports=8096
add action=dst-nat chain=dstnat comment="channels forwarding" dst-port=8089 \
    in-interface=pppoe-wan log=yes log-prefix=channels protocol=tcp \
    to-addresses=192.168.50.11 to-ports=8089
/ip ipsec identity
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" generate-policy=port-strict match-by=certificate \
    mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
    "VPN1"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client2" generate-policy=port-strict match-by=certificate \
    mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
    "VPN2"
/ip ipsec policy
add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 \
    template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.50.55/32
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=VPN_NAME profile=profile1-L2TP_users service=l2tp
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=51.89.151.183 secondary-ntp=178.62.250.107
/system ntp server
set enabled=yes manycast=no multicast=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Failed IPSEC connection every morning from 216.218.206.106  [SOLVED]

Wed Aug 18, 2021 1:02 pm

https://www.abuseipdb.com/check/216.218.206.106
You can create a blacklist, put it in (and perhaps other abusers later), and drop all connections from the blacklist in the ip firewall raw prerouting chain.
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Failed IPSEC connection every morning from 216.218.206.106

Wed Aug 18, 2021 1:29 pm

Thanks for your help.

I added this...

/ip firewall address-list
add address=216.218.206.0/24 list=Blacklist
add address=45.33.36.126 list=Blacklist

And this...

/ip firewall raw
add action=drop chain=prerouting comment="drop all in Blacklist!" log=yes \
    log-prefix=BLACKLISTED! src-address-list=Blacklist

I will check tomorrow to see if this works.

EDIT: I have also changed the IP to 216.218.206.0/24 as I have seen 3 other logs with the same IP except the last octet that changes.
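As an added example (not code from the thread or from MikroTik), a small Python helper that reads RouterOS IPsec log lines in the format quoted above, counts "phase1 negotiation failed" events per source address, and emits the address-list entries that feed the raw prerouting drop rule karlisi suggested; it goes slightly beyond the thread by adding a timeout so scanner addresses age out, and by optionally aggregating to the /24 as the topic author did. The sample log lines and the 203.0.113.10 WAN address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the RouterOS IPsec log format quoted in the
# thread. 203.0.113.10 stands in for the redacted WAN IP; the second source
# in the same /24 is made up to show aggregation.
SAMPLE_LOG = """\
respond new phase 1 (Identity Protection): 203.0.113.10[500]<=>216.218.206.106[58955]
216.218.206.106 failed to get valid proposal
216.218.206.106 failed to pre-process ph1 packet (side: 1,status 1).
216.218.206.106 phase1 negotiation failed.
respond new phase 1 (Identity Protection): 203.0.113.10[500]<=>216.218.206.70[40123]
216.218.206.70 phase1 negotiation failed.
respond new phase 1 (Identity Protection): 203.0.113.10[500]<=>198.51.100.9[500]
"""

# Only the final failure line per attempt is counted, so a legitimate peer
# that eventually negotiates successfully never reaches the list.
FAIL_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) phase1 negotiation failed\.$")


def count_phase1_failures(log_text):
    """Return {source_ip: number of 'phase1 negotiation failed' lines}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def blacklist_commands(counts, threshold=1, aggregate_24=False, timeout="1d"):
    """Emit RouterOS '/ip firewall address-list add' lines for offenders.

    Each entry carries a timeout so a stale scanner address expires instead
    of staying in the list forever. With aggregate_24=True the whole /24 is
    listed, matching what the topic author did after seeing neighbouring
    source addresses; note this also blocks anything else in that range.
    """
    targets = set()
    for ip, n in counts.items():
        if n < threshold:
            continue
        targets.add(".".join(ip.split(".")[:3]) + ".0/24" if aggregate_24 else ip)
    return [
        f"/ip firewall address-list add address={t} list=Blacklist "
        f"timeout={timeout} comment=\"IKE phase1 failures\""
        for t in sorted(targets)
    ]
```

The raw-chain rule from the thread (`chain=prerouting src-address-list=Blacklist action=drop`) then consumes the list; the accept rule for UDP 500/4500 in the input chain is still needed for the legitimate road-warrior peers.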
