This script takes the source IP address of each failed IPsec negotiation and adds it to a firewall address-list; a drop rule that matches on that list then blocks further attempts from that address for the lifetime of the entry.
script name: Find_IPSEC_negotian_failed
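# Created Jotne 2019 v1.1
# 1.1 made sure "negotiation failed" is at end of line and it contains IP
#
# This script adds the IP of a peer whose IPsec negotiation failed to the
# address-list "IPSEC" for 24 hours. The actual blocking is done by a
# firewall rule that matches on that list.
# Schedule the script to run every 5 min.
# It should run on all RouterOS versions.
#
# Security note: the address that gets blocked is whatever the log message
# starts with, i.e. the (spoofable) source of the IKE packets. An attacker
# can deliberately cause "negotiation failed" entries with a forged source
# to get arbitrary addresses -- including legitimate peers -- added to the
# list. Keep the timeout short and do not add trusted peers to the drop rule.
#
# Name of the address-list the firewall rule matches on, and how long an
# entry stays in it.
:local listName "IPSEC"
:local blockTime 24h
# Find all "negotiation failed" entries from the last 5 min.
# Only this one pattern is matched: the original also matched "src_ip",
# which is the text this script itself writes to the log below, so every
# run re-read its own entries and tried to add "script=IPSEC_failed" as an
# address (which fails and aborts the script).
# NOTE(review): the log "time" field is a time-of-day value; the comparison
# may miss entries around midnight and the 5 min window may overlap or gap
# slightly with the scheduler period -- acceptable for this use, but confirm.
:local loglist [:toarray [/log find time>([/system clock get time] - 5m) && message~"negotiation failed.\$"]]
# Process every matching log entry.
:foreach i in=$loglist do={
    :local logMessage [/log get $i message]
    # The peer address is expected to be the first space-delimited word of
    # the message. If there is no space, use the whole message.
    :local spacePos [:find $logMessage " "]
    :local ip $logMessage
    :if ([:typeof $spacePos] != "nil") do={
        :set ip [:pick $logMessage 0 $spacePos]
    }
    # Only add well-formed IPv4 addresses. A token that is not an address
    # would make the "add" fail and abort the whole loop, leaving later
    # entries unblocked. (/ip firewall address-list holds IPv4 only.)
    :if ([:typeof [:toip $ip]] = "ip") do={
        # Adding an address that is already in the list is also an error
        # that aborts the script, so skip addresses that are already there
        # (their existing timeout is left as-is).
        :if ([:len [/ip firewall address-list find address=$ip list=$listName]] = 0) do={
            /ip firewall address-list add address=$ip list=$listName timeout=$blockTime
            # Leave an audit trail of what was blocked and why.
            :log info message="script=IPSEC_failed src_ip=$ip"
        }
    }
}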
Create a scheduler entry that runs the script Find_IPSEC_negotian_failed every 5 min, and a firewall rule that drops traffic from the addresses in the list:
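# Run the blocking script every 5 minutes (the script itself looks back 5 min).
/system scheduler add interval=5m name="Find IPSEC" on-event=Find_IPSEC_negotian_failed
# Drop traffic from listed addresses. The forward chain only covers traffic
# routed THROUGH the router; IKE/IPsec negotiations with the router itself
# arrive in the input chain, so a rule there is needed as well for the
# block to stop repeated attempts against this router. Both rules assume
# the WAN interface is ether1 -- adjust if not.
# NOTE(review): "add" appends the rule; it must sit before any rule that
# accepts IKE/IPsec (udp/500, udp/4500, ipsec-esp) or it never matches --
# move it up in the chain after adding.
/ip firewall filter add action=drop chain=forward comment="Block wrong IPSEC" in-interface=ether1 src-address-list=IPSEC
/ip firewall filter add action=drop chain=input comment="Block wrong IPSEC (to router)" in-interface=ether1 src-address-list=IPSEC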