IPSec attack on RV042

voravatx
Level 1

I just bought 2 RV042 to setup as gateway-to-gateway VPN connection.

One of them shows an unknown IP address in the log that keeps connecting to the router via IPsec port 500 all the time. I tried to create a firewall rule to deny this IP address, but it doesn't seem to work.


Here's the log:

Sep 30 13:06:57 2017 Connection Accepted UDP 57.73.28.18:500->xx.xx.xx.xx:500 on MAC=00:2UDP


Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: received Vendor ID payload [RFC 3947]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: received Vendor ID payload [RFC 3947]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: initial Main Mode message received on xx.xx.xx.xx:500 but no connection has been authorized with policy=PSK
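The log above shows the router rejecting the stranger's IKE Main Mode attempts at the policy stage ("no connection has been authorized with policy=PSK"). As an added example that is not part of this thread, the following Python parses lines in that RV042 "VPN Log" format and reports rejected initiations from any source that is not one of your authorized gateway peers, which is the check you would run over the exported syslog to monitor the noise. The sample lines are constructed from the format shown in the post, and 203.0.113.7 is an assumed placeholder for the legitimate remote RV042.

```python
import re

# Constructed sample lines in the RV042 "VPN Log" syslog format shown in the post.
# 57.73.28.18 is the unknown source quoted there; 203.0.113.7 stands in for the
# authorized remote gateway (assumption, documentation address).
SAMPLE_LOG = """\
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: received Vendor ID payload [RFC 3947]
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 30 13:16:31 2017 VPN Log packet from 57.73.28.18:500: initial Main Mode message received on xx.xx.xx.xx:500 but no connection has been authorized with policy=PSK
Sep 30 13:20:02 2017 VPN Log packet from 57.73.28.18:500: initial Main Mode message received on xx.xx.xx.xx:500 but no connection has been authorized with policy=PSK
Sep 30 13:21:10 2017 VPN Log packet from 203.0.113.7:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
"""

# "<Mon> <day> <HH:MM:SS> <year> VPN Log packet from <ip>:<port>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) VPN Log packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<msg>.*)$"
)

# Message fragment the RV042 emits when no IPsec policy matches the initiator.
REJECT_MARKER = "no connection has been authorized"


def parse_vpn_log(text):
    """Yield (timestamp, source_ip, message) for each RV042 'VPN Log' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("msg")


def unauthorized_ike_peers(text, authorized_peers):
    """Summarise rejected IKE Main Mode initiations per source IP that is not an
    authorized gateway peer. Returns {ip: {"count", "first", "last"}}."""
    report = {}
    for ts, src, msg in parse_vpn_log(text):
        if src in authorized_peers or REJECT_MARKER not in msg:
            continue
        entry = report.setdefault(src, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return report


if __name__ == "__main__":
    for ip, info in unauthorized_ike_peers(SAMPLE_LOG, {"203.0.113.7"}).items():
        print(f"{ip}: {info['count']} rejected IKE attempts, {info['first']} .. {info['last']}")
```

Run it against the router's exported log with the set of your real peer addresses; anything reported is traffic the router has already refused, so the output is a watch list, not a sign of a compromised tunnel.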

5 Replies

Hello,

Not sure how you created that, but it should work.

The problem per se is simple to understand. Someone saw your UDP port 500 open and gave it a try.

Try creating a specific UDP port 500 service in Service Management and add it to the rule with your IP as destination and the attacker's IP as source.

I tried to create the rule as you mentioned, but still no luck. That IP keeps attacking port 500.


Hi,

Make sure your firewall is enabled:

Firewall > General

Take a look here for more details:

https://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=dc6301cd85194d7f967710344f16f990_General_Firewall_Setting_on_RV042_VPN_Router.xml

Hi Flavio Miranda,


Thanks for your help.


I'm sure that the firewall is enabled but it still doesn't work.

I'm still using firmware version v4.2.2.08; is it a bug with the firewall rule in this firmware?

And I noticed the strange interface "MAC=00:2UDP" on the line where the connection from that IP address was accepted.

If you were using an ASA it would be easy to block this at the control plane level, but on the RV042 I don't think it is possible.

The problem is this: this kind of traffic is forwarded to the control plane, not the data plane, which is why a normal ACL does not work.

But you don't need to worry. As long as the other side does not have your PSK, this VPN will never be established.