Ipsec error in Log

Posted: Mon Apr 29, 2019 10:36 am
by 3liswaid
Dears,
Kindly provide your support to explain the below in the log:
03:39:34 ipsec,info respond new phase 1 (Identity Protection): "MY IP"[500]<=>216.218.206.118[36735] 
03:39:34 ipsec,error 216.218.206.118 failed to get valid proposal. 
03:39:34 ipsec,error 216.218.206.118 failed to pre-process ph1 packet (side: 1, status 1). 
03:39:34 ipsec,error 216.218.206.118 phase1 negotiation failed. 
06:27:58 pptp,info TCP connection established from 185.156.177.153 
06:27:58 pptp,info TCP connection established from 185.156.177.153 
06:27:58 pptp,info TCP connection established from 185.156.177.153 

Is it an attack?
And how can I stop it?

Re: Ipsec error in Log

Posted: Mon Apr 29, 2019 10:44 am
by 3liswaid
Also what is the TCP connection established towards my router?

Re: Ipsec error in Log

Posted: Mon Apr 29, 2019 1:32 pm
by karlisi
> Also what is the TCP connection established towards my router?
These are connections to your PPTP server. 'TCP connection established' does not necessarily mean someone was able to get in; it means someone established a connection and was able to begin the authentication process.
The same goes for the ipsec errors, although in this case it is clearly visible that the attacker failed to authenticate.
If your VPN servers are wide open to the whole world, you can't avoid such attacks. If VPN clients have fixed IPs, use whitelists; for dynamic IPs, use port knocking (search this forum about it). Or use very strong passwords and VPN auditing.
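
Added example (not part of the original thread and not any poster's code): a small Python triage script that groups the pre-authentication VPN events explained in this reply by remote address, so you can see which services unknown hosts are reaching. The regexes cover only the three message shapes in the question's log, and the port labels (UDP 500 as shown in the log line, TCP 1723 as PPTP's standard control port) are annotations added here.

```python
import re
from collections import defaultdict

# Log lines copied from the question in this thread ("MY IP" is the poster's own redaction).
SAMPLE_LOG = """\
03:39:34 ipsec,info respond new phase 1 (Identity Protection): "MY IP"[500]<=>216.218.206.118[36735]
03:39:34 ipsec,error 216.218.206.118 failed to get valid proposal.
03:39:34 ipsec,error 216.218.206.118 failed to pre-process ph1 packet (side: 1, status 1).
03:39:34 ipsec,error 216.218.206.118 phase1 negotiation failed.
06:27:58 pptp,info TCP connection established from 185.156.177.153
06:27:58 pptp,info TCP connection established from 185.156.177.153
06:27:58 pptp,info TCP connection established from 185.156.177.153
"""

LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<topics>\S+) (?P<msg>.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# (message pattern, event name); every pattern captures the remote address
EVENTS = [
    (re.compile(r"respond new phase 1 .*<=>" + IPV4 + r"\[\d+\]"), "ike_phase1_started"),
    (re.compile(r"^" + IPV4 + r" phase1 negotiation failed"), "ike_phase1_failed"),
    (re.compile(r"TCP connection established from " + IPV4), "pptp_tcp_connect"),
]

def summarize(log_text):
    """Return {remote_ip: {event: count}} for pre-authentication VPN events."""
    summary = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "time topics message" line
        for pattern, event in EVENTS:
            hit = pattern.search(m.group("msg"))
            if hit:
                summary[hit.group(1)][event] += 1
                break
    return {ip: dict(events) for ip, events in summary.items()}

def exposed_services(summary):
    """Services unknown hosts reached: candidates for input-chain filtering."""
    seen = {e for events in summary.values() for e in events}
    services = set()
    if seen & {"ike_phase1_started", "ike_phase1_failed"}:
        services.add("IKE (UDP 500)")
    if "pptp_tcp_connect" in seen:
        services.add("PPTP (TCP 1723)")
    return sorted(services)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), exposed_services(summarize(SAMPLE_LOG)))
```

A service appearing in the second result means the router answered an outside host on it, which is the signal to whitelist, port-knock, or close it as the reply suggests.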

Re: Ipsec error in Log

Posted: Mon Apr 29, 2019 2:46 pm
by 3liswaid
>> Also what is the TCP connection established towards my router?
> These are connections to your PPTP server. 'TCP connection established' does not necessarily mean someone was able to get in; it means someone established a connection and was able to begin the authentication process.
> The same goes for the ipsec errors, although in this case it is clearly visible that the attacker failed to authenticate.
> If your VPN servers are wide open to the whole world, you can't avoid such attacks. If VPN clients have fixed IPs, use whitelists; for dynamic IPs, use port knocking (search this forum about it). Or use very strong passwords and VPN auditing.
Thank you for your response.
I don't use IPSEC at all; how can I disable it?
For PPTP I will do as you said.

Thanks

Re: Ipsec error in Log  [SOLVED]

Posted: Mon Apr 29, 2019 3:27 pm
by karlisi
> I don't use IPSEC at all; how can I disable it?
Review the firewall input chain; perhaps you have unnecessary ports or protocols open. Best practice is to close all except those you are using.