KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Block VPN connection when failed to get valid proposal

Tue Jul 11, 2017 9:54 am

Hi Everyone,

I'm running an L2TP/IPsec VPN, and see different IPs try to connect in my log.

respond new phase 1 (Identity Protection): Mikrotik_IP[500]<=>x.x.x.x[12345]
x.x.x.x failed to get valid proposal.
x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
x.x.x.x phase1 negotiation failed.

I do have a filter rule that adds all IPs connecting to port 500 and 4500 to a list, but the above connection attempt is not added to the list.
chain=input action=add-src-to-address-list protocol=udp src-address=!192.168.0.0/24 address-list=test address-list-timeout=0s src-port=500,1701,4500 log=no 
The only thing I could think of was to parse the log and search for the error message, but this seems like unnecessary load on the router.

How do I add the failed connection attempt IP address to a blocklist without parsing the log every minute?
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: Block VPN connection when failed to get valid proposal

Tue Jul 11, 2017 10:12 am

Should you not be using dst-port rather than src-port?
 
agomes
newbie
Posts: 38
Joined: Thu Mar 17, 2016 8:16 am

Re: Block VPN connection when failed to get valid proposal

Tue Jul 11, 2017 10:04 pm

Also, as IPsec uses UDP, won't the address list be filled constantly regardless of whether the tunnel establishes or not?
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Block VPN connection when failed to get valid proposal

Tue Jul 11, 2017 10:52 pm

> Also, as IPsec uses UDP, won't the address list be filled constantly regardless of whether the tunnel establishes or not?

True, but the tries come from a specific range 1.2.3.x so I can identify it that way.

I'm still thinking of another way, without port knocking or parsing... will be continued :)
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block VPN connection when failed to get valid proposal

Wed Jul 12, 2017 7:48 pm

The source address is not authenticated with UDP. If you add IPs to a block list based solely on a UDP packet, then you risk your network breaking horribly when someone spoofs a bunch of popular IPs such as DNS servers, Google, Facebook, etc.
 
Rhoos
just joined
Posts: 22
Joined: Sun Dec 20, 2015 3:48 pm
Location: Costa Rica

Re: Block VPN connection when failed to get valid proposal

Sun Jul 30, 2017 3:07 am

KitMikro, were you able to improve your firewall filter to stop this kind of attack? I'm also getting them.
Thanks and Best Regards,
Ricardo
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Block VPN connection when failed to get valid proposal

Thu Aug 03, 2017 12:59 pm

> KitMikro, were you able to improve your firewall filter to stop this kind of attack? I'm also getting them.
> Thanks and Best Regards,
> Ricardo

It seems they connect from a range of IP addresses like 1.2.3.X, so I've added a rule to drop all connections on UDP ports 500 and 4500 from 1.2.3.0/24.

Also added a knock-on-door rule. It works like this: when you connect to the public IP on a specific port, e.g. 12345, your IP is added to an address list for 10 seconds. If you connect again on port 54321 within those 10 seconds and your IP is on list 1, you'll be added to list 2. Only list 2 is allowed to connect to ports 500 and 4500.
 
Rhoos
just joined
Posts: 22
Joined: Sun Dec 20, 2015 3:48 pm
Location: Costa Rica

Re: Block VPN connection when failed to get valid proposal

Fri Aug 04, 2017 12:20 am

> KitMikro, were you able to improve your firewall filter to stop this kind of attack? I'm also getting them.
> Thanks and Best Regards,
> Ricardo
>
> It seems they connect from a range of IP addresses like 1.2.3.X, so I've added a rule to drop all connections on UDP ports 500 and 4500 from 1.2.3.0/24.
>
> Also added a knock-on-door rule. It works like this: when you connect to the public IP on a specific port, e.g. 12345, your IP is added to an address list for 10 seconds. If you connect again on port 54321 within those 10 seconds and your IP is on list 1, you'll be added to list 2. Only list 2 is allowed to connect to ports 500 and 4500.

Many thanks for your answer KitMikro, I will try to apply this type of rule in my router.

Regards, Ricardo!
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Block VPN connection when failed to get valid proposal

Fri Aug 04, 2017 5:16 pm

> KitMikro, were you able to improve your firewall filter to stop this kind of attack? I'm also getting them.
> Thanks and Best Regards,
> Ricardo
>
> It seems they connect from a range of IP addresses like 1.2.3.X, so I've added a rule to drop all connections on UDP ports 500 and 4500 from 1.2.3.0/24.
>
> Also added a knock-on-door rule. It works like this: when you connect to the public IP on a specific port, e.g. 12345, your IP is added to an address list for 10 seconds. If you connect again on port 54321 within those 10 seconds and your IP is on list 1, you'll be added to list 2. Only list 2 is allowed to connect to ports 500 and 4500.
>
> Many thanks for your answer KitMikro, I will try to apply this type of rule in my router.
>
> Regards, Ricardo!

Hey Ricardo,

you're welcome! If you want to, you can use layer 7 to include some sort of password. If you're on a Mac or other Linux-based OS you can send a "knock on door" with the following command:
echo -n "SOME_TEXT_FOR_LAYER_7" >/dev/udp/YOUR_VPN_IP/YOUR_PORT_NUMBER
Notice that I'm sending the request to a UDP port, not TCP.

Also have a look here:

https://wiki.mikrotik.com/wiki/Port_Knocking
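The two-stage knock KitMikro describes a few posts up (list 1 for 10 seconds, list 2 only for sources already on list 1, and only list 2 allowed to reach 500/4500), combined with the layer-7 "password" from this post, written out as RouterOS firewall configuration. This is an added example, not KitMikro's or any other poster's actual configuration. The knock ports 12345 and 54321 and the string SOME_TEXT_FOR_LAYER_7 are taken from the thread; the list names, the list-2 lifetime, the interface name WAN and the extra ESP rule are assumptions.

```routeros
# Added example (not any poster's real config): two-stage UDP port knock
# with a layer-7 payload check, gating IKE (500) and NAT-T (4500).
# Assumed: WAN interface is named "WAN"; list names and timeouts are arbitrary.

# The knock "password". RouterOS layer-7 matches a regexp against the first
# data of a connection; "^" anchors it to the start of the datagram payload.
/ip firewall layer7-protocol
add name=knock-secret regexp="^SOME_TEXT_FOR_LAYER_7"

/ip firewall filter
# Stage 1: a UDP datagram to 12345 that carries the secret puts the source
# address on list knock1 for 10 seconds (KitMikro's "list 1").
add chain=input in-interface=WAN protocol=udp dst-port=12345 layer7-protocol=knock-secret action=add-src-to-address-list address-list=knock1 address-list-timeout=10s comment="knock stage 1"
# Stage 2: a datagram to 54321 within those 10 seconds, from a source that is
# already on knock1, promotes it to knock2 ("list 2"); 1h lifetime is assumed.
add chain=input in-interface=WAN protocol=udp dst-port=54321 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=1h comment="knock stage 2"
# Only knocked sources may start IKE / NAT-T.
add chain=input in-interface=WAN protocol=udp dst-port=500,4500 src-address-list=knock2 action=accept comment="IPsec from knocked hosts"
# Without NAT-T the tunnel traffic itself is ESP (IP protocol 50), so it needs
# the same exception (assumed addition; the thread only mentions 500/4500).
add chain=input in-interface=WAN protocol=ipsec-esp src-address-list=knock2 action=accept comment="ESP from knocked hosts"
# Everything else aimed at 500/4500 on WAN is dropped. This is StrataNet's
# blunt drop rule, placed after the knock exceptions so knocked hosts pass.
add chain=input in-interface=WAN protocol=udp dst-port=500,4500 action=drop comment="drop unknocked IPsec"
# The knock ports themselves never need a reply, so drop them too.
add chain=input in-interface=WAN protocol=udp dst-port=12345,54321 action=drop comment="swallow knock packets"
```

Place these rules after the usual `connection-state=established,related` accept rule and before any generic input drop, since RouterOS evaluates the input chain in order. From a client, the two knocks are exactly KitMikro's one-liner sent twice, first to port 12345 and then to 54321 (the `/dev/udp/...` redirect is a bash feature, not a real device node). Two caveats follow from the thread itself: the knock string travels in clear text, so it is a speed bump for scanners rather than a substitute for IPsec's own authentication, and, as R1CH points out, UDP source addresses are unauthenticated; that is acceptable here because the lists only grant access and the default for 500/4500 is drop, whereas deriving a block list from unauthenticated UDP packets would let a spoofed packet lock out arbitrary addresses.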
 
Rhoos
just joined
Posts: 22
Joined: Sun Dec 20, 2015 3:48 pm
Location: Costa Rica

Re: Block VPN connection when failed to get valid proposal

Thu Oct 12, 2017 5:04 pm

Thank you very much KitMikro, we will try this method that you recommend us!
 
StrataNet
just joined
Posts: 21
Joined: Mon May 25, 2015 6:15 am

Re: Block VPN connection when failed to get valid proposal

Mon Sep 24, 2018 6:05 am

Thanks for the info KitMikro; this works for me too. Below is what I used; handy for those people who don't use IPsec at all:
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 in-interface=WAN action=drop
Pretty blunt code just to drop anything trying to come in on those ports. I can see 9 blocked packets in the last few minutes and no more nasty red ipsec logs :)
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: Block VPN connection when failed to get valid proposal

Mon Nov 11, 2019 9:32 pm

Here is a solution to our problem:
https://github.com/Onoro/Mikrotik