RV042 reports tunnel disconnection without connection for foreign IP, Security issue?

ts
Level 1

Dear all,

We have recently been working with an RV042 router, with a VPN group tunnel (connecting through Shrew VPN). In the last few days the router has been logging disconnections like this ("[XXX]" text replaced for security reasons):


Dec  9 17:02:58 2014 XXX VPN Log: (grpips0)[72] [XXX].[XXX].[XXX].0/24=== ...113.240.173.58===?: [Tunnel Disconnected] instance with peer 113.240.173.58 {isakmp=#0/ipsec=#0}

But NO RELATED "connections" (apart from our own controlled connection/disconnection) are reported previously. Is this a security issue/breach?

(The foreign IP was left clear so if anyone knows about that particular IP, can make a comment.)


Thanks in advance. Regards, Juan.


6 Replies

Zach S
Level 1

Juan,

Unless you have someone telecommuting from central China, it's likely a breach. You may want to flat-out block that IP address while you investigate. See below for a link to a WHOIS search on the IP address.

WHOIS Info: https://isc.sans.edu/ipinfo.html?ip=218.75.199.50&update=yes

Thanks Zach,

but the IPs keep changing (3 times, 3 different IPs; on using Google, they belonged to AT&T???). What else can I do apart from blocking IPs (that will eventually change every time)?


Regards, Juan.

Juan,

The unfortunate nature of the internet is just what you said: an attacker can pretty easily change their route to your network and obscure their identity with proxies. You could switch to a whitelist approach at your boundary, as in allow only your known IPs and block everything else, or get a firewall for the boundary that has a bit more intelligent controls. The Cisco ASA, for example, doesn't allow incoming connections from unsecure (internet) sources unless the request originated from a higher-security port (your internal network).

Zach,

I will try to use that approach while using dynamic IPs to connect to the VPN (I cannot build a stable whitelist, and this can lead to connection loss in the near future until the new IP is registered in the remote router).


What I do not understand is:

  • the router logs a disconnection without a previous connection
  • no other activity is detected on the VPN (perhaps only spying?)
  • when I disconnect, two logs are generated (in order of appearance):
    • Dec [xxx] [xxx]:[xxx]:[xxx] 2014 3EFF-3196 VPN Log: (grpips0)[73] 192.168.2.0/24=== ...[xxx].[xxx].[xxx].[xxx]===?: [Tunnel Disconnected] instance with peer [xxx].[xxx].[xxx].[xxx]{isakmp=#0/ipsec=#0}
    • Dec [xxx] [xxx]:[xxx]:[xxx] 2014 3EFF-3196 VPN Log: (grpips0)[73] [xxx].[xxx].[xxx].0/24=== ...[xxx].[xxx].[xxx].[xxx]===? #220: [Tunnel Established] ISAKMP SA established
  • when the foreign IP disconnects, only one is generated (i.e. without #220)

Does this have an explanation?


Thanks again, Juan.
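A small detection script for the pattern Juan describes, added here as an illustration and not code from the thread or from Cisco: it parses RV042 "VPN Log" lines of the shape quoted above and flags a [Tunnel Disconnected] whose peer never had a [Tunnel Established] in the same log window, plus any peer outside an allow-list of expected endpoints. The sample log lines, the peer addresses and the function names are constructed for the example.

```python
import re

# Constructed sample lines in the RV042 "VPN Log" format quoted in this thread.
# The peer addresses are RFC 5737 documentation ranges, not real endpoints.
SAMPLE_LOG = """\
Dec  9 16:50:01 2014 XXX VPN Log: (grpips0)[73] 192.168.2.0/24=== ...198.51.100.7===? #220: [Tunnel Established] ISAKMP SA established
Dec  9 16:55:12 2014 XXX VPN Log: (grpips0)[73] 192.168.2.0/24=== ...198.51.100.7===?: [Tunnel Disconnected] instance with peer 198.51.100.7 {isakmp=#0/ipsec=#0}
Dec  9 17:02:58 2014 XXX VPN Log: (grpips0)[72] 192.168.2.0/24=== ...203.0.113.58===?: [Tunnel Disconnected] instance with peer 203.0.113.58 {isakmp=#0/ipsec=#0}
"""

# One regex for both event shapes: timestamp, connection name, instance index,
# the remote peer that follows "..." and the bracketed tunnel event.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) .*VPN Log: "
    r"\((?P<conn>[^)]+)\)\[(?P<idx>\d+)\] .*?\.\.\."
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})===.*?"
    r"\[(?P<event>Tunnel Established|Tunnel Disconnected)\]"
)


def parse_vpn_log(text):
    """Return (timestamp, connection, peer, event) for each VPN Log line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["conn"], m["peer"], m["event"]))
    return events


def review_vpn_log(text, known_peers=frozenset()):
    """Return (timestamp, peer, reason) findings in log order: a disconnect whose
    peer has no earlier establish in this window (the pattern asked about above)
    and, when an allow-list is given, any peer that is not on it."""
    established = set()
    findings = []
    for ts, _conn, peer, event in parse_vpn_log(text):
        if known_peers and peer not in known_peers:
            findings.append((ts, peer, "peer not in allow-list"))
        if event == "Tunnel Established":
            established.add(peer)
        elif peer not in established:
            findings.append((ts, peer, "disconnect without prior establish"))
    return findings


if __name__ == "__main__":
    for finding in review_vpn_log(SAMPLE_LOG, known_peers={"198.51.100.7"}):
        print(*finding)
```

An orphan disconnect can also mean the matching establish line has already scrolled out of the router's small local log buffer, so export the log to a syslog server before treating the finding as evidence of an unknown peer.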

Juan,

Unfortunately I could only speculate on that behavior. However, you could probably get a bit luckier in the Security section of the Cisco forums, versus Small Business. That's where the CCNP and CCIE Security gurus hang out.

Thank you Zach,

I'll try that forum as well.


Regards, Juan.