10-29-2016 12:28 AM
Hi,
I have an SA520 router running 2.2.0.7 firmware. Since a few days ago, I have been receiving IKE attempts to connect from an IP (its owners are claiming that they are doing security research). After each of these attempts, all the VPN tunnels go down and the only option I have to bring them back to life is to reset the router.
I've added a firewall rule to drop the incoming traffic from that prefix, but without any success. I think that the firewall is only dropping the traffic destined to the LAN (or DMZ), but it still responds to packets addressed to the router itself (like VPN-related ones).
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO: Anonymous configuration selected for 158.130.6.191[37903].
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] WARNING: IKEv1 configured,but peer negotiating with IKEv2
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO: respond new IKE_SA_INIT negotiation: x.x.x.x[500]<=>158.130.6.191[37903]
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: Unknown encryption Algorithm
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: Unknown PRF hash Algorithm
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: IKEV2: no suitable proposalfound
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: failed to get valid proposal.
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: failed to process packet.
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] NOTIFY: sending notification error
Site-to-site VPN details: All Tunnels: 0/4
Firewall rules:
Status | From Zone | To Zone | Service | Action | Source Hosts | Destination Hosts | Local Server | Internet Destination | Log
Enabled | WAN | LAN | ANY | BLOCK always | 158.130.0.1 - 158.130.255.254 | | | WAN1 | Always
Enabled | WAN | LAN | IPSEC-UDP-ENCAP | BLOCK always | 158.130.0.1 - 158.130.255.254 | | | WAN1 | Always
Is there anything I can do to avoid this behavior? Have I misconfigured something, or is it (another) bug with this router?
Thanks,
Bogdan
11-06-2016 08:35 AM
I too have had the same problem with that IP address. I also have problems with another address; I cannot seem to get the router to ignore traffic from a specific IP.
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: Using IPsec SA configuration: 192.168.2.0/24<->192.168.7.0/24
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: IPsec-SA established: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=203119484(0xc1b5b7c)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: IPsec-SA established: ESP/Tunnel 72.28.195.187->207.255.193.157 with spi=136303542(0x81fd3b6)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: IPsec-SA expired: ESP/Tunnel 72.28.195.187->207.255.193.157 with spi=49606636(0x2f4efec)
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: IPsec-SA expired: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=168692346(0xa0e0a7a)
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO: Anonymous configuration selected for 52.213.4.155[783].
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] WARNING: IKEv1 configured,but peer negotiating with IKEv2
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO: respond new IKE_SA_INIT negotiation: 72.28.195.187[500]<=>52.213.4.155[783]
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR: invalid DH group 19
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR: Error in Saving partner's KE
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR: failed to process packet.
11-06-2016 10:01 AM
If you send an email to research-scan@lists.seas.upenn.edu with your static IPs, they will blacklist them from future scans. I too have been unable to block traffic from VPN connection attempts. The only way to mitigate the traffic is to contact the user and ask them to stop scanning your network. The University of Michigan is also one of the users that do this. I now have a user utilizing an Amazon Web Services IP of 52.213.4.155 doing the same thing. I'm not sure why this router stops all traffic until it is rebooted. It is definitely an issue with the device. All of the offenders seem to be using a very powerful software called ZMap to scan the entire IPv4 space for security vulnerabilities.
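The log excerpts quoted in the thread follow one pattern: an "Anonymous configuration selected for <peer>" line, an IKEv1/IKEv2 mismatch warning, then ERROR lines, all sharing one timestamp. The following script is an added example (not from the thread, the SA520 firmware or Cisco) that parses lines in that format, groups them by the peer that triggered them, and reports IKE_SA_INIT attempts from peers that are not configured tunnel endpoints, so the scanning sources can be listed and correlated with tunnel drops. The sample log is constructed from the lines quoted above, and 207.255.193.157 is assumed to be the only configured peer.

```python
import re

# Constructed sample, modelled on the SA520 syslog lines quoted in the thread.
SAMPLE_LOG = """\
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO: Anonymous configuration selected for 158.130.6.191[37903].
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] WARNING: IKEv1 configured,but peer negotiating with IKEv2
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] INFO: respond new IKE_SA_INIT negotiation: x.x.x.x[500]<=>158.130.6.191[37903]
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: Unknown encryption Algorithm
Fri Oct 28 22:01:55 2016 (GMT +0300): [Cisco] [IKE] ERROR: IKEV2: no suitable proposalfound
Sun Nov 06 10:36:16 2016 (GMT -0500): [Cisco] [IKE] INFO: IPsec-SA established: ESP/Tunnel 207.255.193.157->72.28.195.187 with spi=203119484(0xc1b5b7c)
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] INFO: Anonymous configuration selected for 52.213.4.155[783].
Sun Nov 06 10:55:13 2016 (GMT -0500): [Cisco] [IKE] ERROR: invalid DH group 19
"""

# Timestamp, GMT offset, then the "[Cisco] [IKE] LEVEL: message" part.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r"\[Cisco\] \[IKE\] (?P<level>INFO|WARNING|ERROR|NOTIFY): (?P<msg>.*)$"
)
ANON_RE = re.compile(r"Anonymous configuration selected for (?P<ip>[\d.]+)\[\d+\]")


def summarize_ike_log(text, known_peers):
    """Return {peer_ip: {"attempts", "ikev2_mismatch", "errors"}} for every peer
    that started an IKE negotiation and is not a configured tunnel endpoint.
    Follow-up lines carry no peer address, so they are attributed to the last
    'Anonymous configuration' peer as long as the timestamp is unchanged."""
    report = {}
    current, current_ts = None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        a = ANON_RE.search(msg)
        if a:
            current, current_ts = a.group("ip"), ts
            if current not in known_peers:
                entry = report.setdefault(current, {"attempts": 0, "ikev2_mismatch": 0, "errors": []})
                entry["attempts"] += 1
            continue
        if current is None or current in known_peers or ts != current_ts:
            continue  # line belongs to an established tunnel or to a known peer
        if level == "WARNING" and "IKEv2" in msg:
            report[current]["ikev2_mismatch"] += 1
        elif level == "ERROR":
            report[current]["errors"].append(msg)
    return report


if __name__ == "__main__":
    for peer, info in summarize_ike_log(SAMPLE_LOG, {"207.255.193.157"}).items():
        print(f"{peer}: {info['attempts']} attempt(s), IKEv2 mismatch={info['ikev2_mismatch']}, errors={info['errors']}")
```

Feed the router's exported log to `summarize_ike_log` with the set of peers from the configured tunnels; any address that appears in the result is a candidate for the upstream abuse contact mentioned above, and its timestamps can be matched against "IPsec-SA expired" lines to confirm the tunnel-drop correlation.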