SA520 block all vpn tunnels after IKE attack

turboman.bog
Level 1

Hi,

I have an SA520 router running 2.2.0.7 firmware. Since a few days ago, I have been receiving IKE attempts to connect from an IP (its owners are claiming that they are doing security research). After each of these attempts, all the VPN tunnels go down and the only option I have to bring them back to life is to reset the router.

I've added a firewall rule to drop the incoming traffic from that prefix, but without any success. I think that the firewall is only dropping the traffic destined to the LAN (or DMZ), but the router still responds to packets addressed to itself (like VPN-related ones).

Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO:  Anonymous configuration selected for 158.130.6.191[37903].
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] WARNING:  IKEv1 configured,but peer negotiating with IKEv2
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO:  respond new IKE_SA_INIT negotiation: x.x.x.x[500]<=>158.130.6.191[37903]
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  Unknown encryption Algorithm
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  Unknown PRF hash Algorithm
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  IKEV2: no suitable proposalfound
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  failed to get valid proposal.
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  failed to process packet.
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] NOTIFY:  sending notification error

Site-to-site VPN details
All Tunnels: 0/4

Firewall rules:

Status   From Zone  To Zone  Service          Action        Source Hosts                   Destination Hosts  Local Server  Internet Destination  Log
Enabled  WAN        LAN      ANY              BLOCK always  158.130.0.1 - 158.130.255.254  -                  -             WAN1                  Always
Enabled  WAN        LAN      IPSEC-UDP-ENCAP  BLOCK always  158.130.0.1 - 158.130.255.254  -                  -             WAN1                  Always

Is there anything I can do to avoid this behavior? Have I misconfigured something, or is it (another) bug with this router?

Thanks,

Bogdan

2 Replies

Michael Tremmel
Level 1

I too have had the same problem with that IP address. I also have problems with another address; I cannot seem to get the router to ignore traffic from a specific IP.

Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  Using IPsec SA configuration: 192.168.2.0/24<->192.168.7.0/24
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=203119484(0xc1b5b7c)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 72.28.195.187->207.255.193.157 with spi=136303542(0x81fd3b6)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  IPsec-SA expired: ESP/Tunnel 72.28.195.187->207.255.193.157 with spi=49606636(0x2f4efec)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  IPsec-SA expired: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=168692346(0xa0e0a7a)
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO:  Anonymous configuration selected for 52.213.4.155[783].
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] WARNING:  IKEv1 configured,but peer negotiating with IKEv2
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO:  respond new IKE_SA_INIT negotiation: 72.28.195.187[500]<=>52.213.4.155[783]
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR:  invalid DH group 19
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR:  Error in Saving partner's KE
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR:  failed to process packet.

Michael Tremmel
Level 1

If you send an email to research-scan@lists.seas.upenn.edu with your static IPs, they will blacklist them from future scans. I too have been unable to block traffic from VPN connection attempts. The only way to mitigate the traffic is to contact the user and ask them to stop scanning your network. The University of Michigan is also one of the users that do this. I now have a user utilizing an Amazon Web Services IP of 52.213.4.155 doing the same thing. I'm not sure why this router stops all traffic until it is rebooted. It is definitely an issue with the device. All of the offenders seem to be using a very powerful software called ZMap to scan the entire IPv4 space for security vulnerabilities.
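As an added example (not code from this thread or from Cisco), the Python script below parses the SA520 IKE log format quoted in the question and the reply above, attributes each "IKEv1 configured, but peer negotiating with IKEv2" warning and the proposal/DH errors that follow it to the source that triggered them, and skips configured site-to-site peers so that only unexpected initiators are reported. The sample lines are constructed from the excerpts in the posts, and the known-peer address is assumed from the tunnel endpoints in the second post.

```python
import re
from collections import defaultdict

# Constructed sample in the SA520 log format quoted in the thread.
SAMPLE_LOG = """\
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO:  Anonymous configuration selected for 158.130.6.191[37903].
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] WARNING:  IKEv1 configured,but peer negotiating with IKEv2
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  IKEV2: no suitable proposalfound
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR:  failed to process packet.
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=203119484(0xc1b5b7c)
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO:  Anonymous configuration selected for 52.213.4.155[783].
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] WARNING:  IKEv1 configured,but peer negotiating with IKEv2
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR:  invalid DH group 19
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR:  failed to process packet.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
                     r"\[Cisco\] \[IKE\] (?P<level>\w+):\s+(?P<msg>.*)$")
ANON_RE = re.compile(r"Anonymous configuration selected for (?P<ip>\d+\.\d+\.\d+\.\d+)\[(?P<port>\d+)\]")

def unexpected_ike_peers(log_text, known_peers):
    """Return {ip: {"attempts", "ikev2_mismatch", "errors"}} for IKE initiators that are
    not configured peers. The log carries no session id, so warnings/errors are attributed
    to the most recent 'Anonymous configuration selected' source (a heuristic)."""
    findings = defaultdict(lambda: {"attempts": 0, "ikev2_mismatch": 0, "errors": []})
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        anon = ANON_RE.search(msg)
        if anon:
            current = anon.group("ip")
            if current in known_peers:
                current = None  # a configured site-to-site peer, not a scanner
                continue
            findings[current]["attempts"] += 1
            continue
        if current is None:
            continue
        if level == "WARNING" and "peer negotiating with IKEv2" in msg:
            findings[current]["ikev2_mismatch"] += 1
        elif level == "ERROR":
            findings[current]["errors"].append(msg)
    return dict(findings)

if __name__ == "__main__":
    # 207.255.193.157 is the assumed site-to-site peer from the second post's log.
    for ip, info in unexpected_ike_peers(SAMPLE_LOG, {"207.255.193.157"}).items():
        print(ip, info)
```

Feeding the router's exported log through this gives a per-source count of failed IKEv2 initiations to correlate against the times the tunnel count dropped to 0/4.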