cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Please be advised, the GuideMe Wizard is no longer available on the Small Business Support Community. For search capability please use the community search field to find content related to Cisco Small Business documents, videos, and discussions.
823
Views
0
Helpful
5
Replies
Highlighted
Beginner

IPSec attack on RV042

I just bought 2 RV042 to setup as gateway-to-gateway VPN connection.

One of those got the unknown IP address on the log keeps connecting to the router via IPSec port 500 all the time. I tried to create the firewall rule to deny this IP address but it seems doesn't work.

 

Here's the log:

Sep 30 13:06:57 2017 Connection Accepted UDP 57.73.28.18:500->xx.xx.xx.xx:500 on MAC=00:2UDP

 

Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: received Vendor ID payload [RFC 3947]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: received Vendor ID payload [RFC 3947]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: initial Main Mode message received on xx.xx.xx.xx:500 but no connection has been authorized with policy=PSK

Everyone's tags (3)
5 REPLIES 5
VIP Advisor

Re: IPSec attack on RV042

Hello,

Not sure how did you create that but should work.

The problem per se is simple to understand. Someone saw your UDP 500 port openned and gave it a try.

 Try to create in Service Management a specific UDP port 500 and add it on the rule with your IP as destination and the attacker IP as source.

Beginner

Re: IPSec attack on RV042

I tried to create the rule as you mentioned but it still no luck. That IP keeps attacking 500 port.

 

NTL.png

VIP Advisor

Re: IPSec attack on RV042

Hi,

Make sure your firewall is enable:

 Firewall > General

Take a look here for more detail

https://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=dc6301cd85194d7f967710344f16f990_General_Firewall_Setting_on_RV042_VPN_Router.xml

Beginner

Re: IPSec attack on RV042

Hi Flavio Miranda,

 

Thanks for your help.

 

I'm sure that the firewall is enabled but it still doesn't work.

I'm still using firmware version v4.2.2.08, is it a bug about the firewall rule on the firmware?

And I noticed the strange interface "MAC=00:2UDP"where the connection accepted that IP address.

VIP Advisor

Re: IPSec attack on RV042

If you were using ASA would be easy by blocking at control plane level  but RV042 I don't think is possible.

 The problem is this, this kind of traffic is forwarded to control plane, not data plane, that's why normal acl does not work.

 But you don't need to worry. As long as the other side does not have your PSK this VPN will never be established.