09-10-2018 08:20 AM - edited 03-12-2019 05:30 AM
Hi,
Well, finally I had to come here and post my problem, as I have been working on it for a long time but couldn't understand why this is happening. For the past few days, I have been receiving the following logs on my core router. It looks like some kind of attack, as the same IP addresses were used to cause a fragment table overflow a few months ago.
Here are the logs:
Sep 9 19:41:01.602 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=93.248.110.50, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan125
Sep 9 20:05:06.117 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:07:20.912 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.244.124.159, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:08:24.408 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.33, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:13:30.323 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.32, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=GigabitEthernet0/0
Sep 9 20:15:42.206 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=65.194.58.142, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan5
Sep 9 20:21:26.385 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=27.246.58.122, prot=50, spi=0x47455420(1195725856), srcaddr=144.217.181.56, input interface=Vlan75
Sep 10 01:49:11.332 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x20C96B00(550071040), srcaddr=182.184.108.16, input interface=GigabitEthernet0/0
Sep 10 10:39:29.699 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x5EF172B8(1592881848), srcaddr=27.230.58.228, input interface=GigabitEthernet0/0
Sep 10 16:45:33.730 PST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=29.240.124.18, prot=50, spi=0x37EA7053(938111059), srcaddr=27.246.58.178, input interface=GigabitEthernet0/0
These IP addresses are causing invalid SPI errors even on those interfaces where I haven't enabled ISAKMP.
What are those? Is this some kind of attack? Are they trying to bring my router down or what? Or trying to hijack VPN sessions?
Or has the preshared key of my site-to-site VPN peers been hacked?
09-10-2018 11:03 AM
09-10-2018 11:18 AM
09-10-2018 11:11 PM
09-11-2018 01:13 AM
10-02-2018 05:25 AM
Can we prevent this attack?
10-15-2018 01:33 PM
Same logs, same IP address and everything. Looks like an attacker to me.
10-15-2018 02:45 PM