Crypto invalid SPI attacks from different internet ip addresses


Hi,

Well, I finally had to come here and post my problem, as I have been working on it for a long time but couldn't understand why this is happening. For the past few days, I have been receiving the following logs on my core router. It looks like some kind of attack, as the same IP addresses were used to cause a fragment table overflow a few months ago.

Here are the logs:

 

Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:08:24.408 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.33, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:13:30.323 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.32, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:15:42.206 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=65.194.58.142, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:21:26.385 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=27.246.58.122, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan75
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
Sep 10 10:39:29.699 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x5EF172B8(1592881848), srcaddr=27.230.58.228, input interface=GigabitEthernet0/0
Sep 10 16:45:33.730 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x37EA7053(938111059), srcaddr=27.246.58.178, input interface=GigabitEthernet0/0

 

These IP addresses are causing invalid SPI errors even on those interfaces where I haven't enabled ISAKMP.

What are those? Is this some kind of attack? Are they trying to bring my router down or what? Or trying to hijack VPN sessions?

Or has the preshared key of my site-to-site VPN peers been hacked?
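A triage sketch for log lines like the ones above, added here as an example and not part of the original post: it groups the %CRYPTO-4-RECVD_PKT_INV_SPI events by source address and checks whether the four SPI bytes are printable ASCII (0x47455420 is the byte string "GET "). The function names and the regular expression are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: four log lines copied from the post above.
SAMPLE_LOG = """\
Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
"""

# Field layout of the message as it appears in the post (assumed stable).
LINE_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]{1,8})\(\d+\), srcaddr=(?P<src>[\d.]+), "
    r"input interface=(?P<ifc>\S+)"
)


def spi_as_ascii(spi_hex):
    """Return the four SPI bytes as text if all are printable ASCII, else None."""
    raw = int(spi_hex, 16).to_bytes(4, "big")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def summarize(log_text):
    """Group invalid-SPI events by source address for triage."""
    by_src = defaultdict(lambda: {"count": 0, "dsts": set(), "ifcs": set(), "spis": set()})
    for m in LINE_RE.finditer(log_text):
        entry = by_src[m["src"]]
        entry["count"] += 1
        entry["dsts"].add(m["dst"])
        entry["ifcs"].add(m["ifc"])
        entry["spis"].add(m["spi"].upper())
    return dict(by_src)


if __name__ == "__main__":
    # Print the noisiest sources first, with each SPI decoded where possible.
    for src, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        decoded = {s: spi_as_ascii(s) for s in sorted(e["spis"])}
        print(f"{src}: {e['count']} events, {len(e['dsts'])} destinations, "
              f"interfaces={sorted(e['ifcs'])}, spi->ascii={decoded}")
```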
