gradash
newbie
Topic Author
Posts: 33
Joined: Mon Apr 20, 2015 11:44 am

VPN Security

Thu Sep 24, 2015 11:17 am

I often see in the logs somebody from the USA, China, Korea etc. trying to connect to my VPN; all IPsec negotiations failed, but... how to secure this more?
For now I drop any ipsec-esp and ipsec-ah connections, except the VPN allow list.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: VPN Security

Thu Sep 24, 2015 12:30 pm

That's the most secure way - when you always know which peers initiate contact to you.
Additionally, do it for UDP port 500 (IKE) which comes along with IPsec...

-Chris
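
A RouterOS firewall configuration that implements the allow-list approach the two posts above describe, added here as an example; it is not from the original thread. It goes slightly beyond cdiedrich's note by also covering UDP 4500, which IKE and ESP fall back to when a peer sits behind NAT (NAT-T). The list name vpn-allow and the peer address 203.0.113.10 are placeholders.

```routeros
# Added example (not from the thread): static allow-list for IPsec peers on RouterOS.
# Assumed placeholders: list name "vpn-allow", peer address 203.0.113.10.

# 1. Populate the allow-list with the public addresses of the peers you expect.
/ip firewall address-list
add list=vpn-allow address=203.0.113.10 comment="branch office, static IP"

# 2. Accept IKE (UDP 500), NAT-T (UDP 4500), ESP and AH only from listed peers.
#    The ESP/AH rules matter for peers with public addresses; a NATed peer
#    carries its ESP inside UDP 4500 and is covered by the first rule.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address-list=vpn-allow \
    action=accept comment="IKE/NAT-T from allowed peers"
add chain=input protocol=ipsec-esp src-address-list=vpn-allow action=accept \
    comment="ESP from allowed peers"
add chain=input protocol=ipsec-ah src-address-list=vpn-allow action=accept \
    comment="AH from allowed peers"

# 3. Everything else aimed at the VPN service is dropped before it reaches the
#    IKE daemon, so unsolicited negotiations never appear in the log at all.
add chain=input protocol=udp dst-port=500,4500 action=drop \
    comment="drop IKE/NAT-T from everyone else"
add chain=input protocol=ipsec-esp action=drop comment="drop ESP from everyone else"
add chain=input protocol=ipsec-ah action=drop comment="drop AH from everyone else"
```

Rule order matters: the accept rules must sit above the drops, and both must come before any generic input drop. After applying, `/ip firewall filter print stats` should show the three drop rules absorbing the foreign attempts while the accept counters only move for your own peers.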
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: VPN Security

Thu Sep 24, 2015 4:38 pm

Unfortunately I haven't found a good way to do this with RouterOS alone. Using Certificate Auth will in theory make it incredibly hard to hack, but I'd still like more protection.

One way that would work is sending the syslog to another Linux server running Fail2ban, and detecting brute force attempts there. You'd then need a script that adds the IPs to a block list.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Thu Sep 24, 2015 5:50 pm

Drop everything except whitelist is the right approach. If you need dynamic whitelist you would need to implement port knocking.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re:

Thu Sep 24, 2015 6:47 pm

jarda wrote:
Drop everything except whitelist is the right approach. If you need dynamic whitelist you would need to implement port knocking.
Port Knocking is not the right approach. It's a nasty hacky bodge.

The correct approach for VPN servers with roaming clients is to blacklist repeat offenders.
 
bwbb
just joined
Posts: 12
Joined: Thu Sep 10, 2015 3:32 am

VPN Security

Thu Sep 24, 2015 11:24 pm

You don't need port knocking for dynamic whitelist. Schedule a script that resolves your dynamic host name(s) every so often and updates the IP in your whitelist, and drop all other IPs after that.
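
A RouterOS script for the dynamic-DNS variant bwbb describes, added here as an example; it is not from the thread. It keeps the address-list the firewall already trusts (assumed to be named vpn-allow) in step with whatever the clients' dynamic hostnames currently resolve to. The two hostnames are placeholders, and the script assumes the drop-everything-else rules are already in place.

```routeros
# Added example (not from the thread). Save as /system script name=update-vpn-allow.
# Assumed: address-list "vpn-allow" is what the firewall accepts IPsec from;
# the hostnames below are placeholders for the clients' DDNS names.
:local list "vpn-allow"
:local hosts {"laptop.example.dyndns.org";"phone.example.dyndns.org"}

:foreach host in=$hosts do={
    :do {
        :local ip [:resolve $host]
        # The hostname is stored in the entry's comment so it can be found again.
        :local id [/ip firewall address-list find list=$list comment=$host]
        :if ([:len $id] = 0) do={
            /ip firewall address-list add list=$list address=$ip comment=$host
            :log info ("vpn-allow: added " . $host . " = " . $ip)
        } else={
            :if ([/ip firewall address-list get $id address] != $ip) do={
                /ip firewall address-list set $id address=$ip
                :log info ("vpn-allow: updated " . $host . " -> " . $ip)
            }
        }
    } on-error={
        # Resolution failed: keep the last known address instead of removing it,
        # so a DNS hiccup does not lock the client out until the next run.
        :log warning ("vpn-allow: could not resolve " . $host)
    }
}
```

Run it from the scheduler, for example `/system scheduler add name=update-vpn-allow interval=5m on-event=update-vpn-allow`; the interval is an assumption and should match how quickly the clients' DDNS records are updated, since a client is shut out between getting a new address and the next successful run.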
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Fri Sep 25, 2015 12:01 am

It depends on what side should be dynamic...
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re:

Fri Sep 25, 2015 2:13 am

jarda wrote:
It depends on what side should be dynamic...
No it doesn't...
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: VPN Security

Fri Sep 25, 2015 10:52 am

OK,
let's assume you have a server side with a fixed public IP address and want to protect it. But you want to be able to connect many clients that are changing their IP addresses quite often (mobile phones, laptops...). Dynamic DNS resolving will not provide any help in this scenario. But you can have the clients knock the ports and open the whitelist as necessary immediately.
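
The port-knocking scheme jarda describes, written out as RouterOS firewall rules; this is an added example and not from the thread. The knock ports 1111 and 2222, the stage timeouts and the list name vpn-allow are assumptions, and the rules assume the IPsec accept/drop rules keyed on vpn-allow already exist below them.

```routeros
# Added example (not from the thread): two-stage port knock that admits the
# knocking client's source address to the IPsec allow-list for a while.
# Assumed: knock ports 1111 then 2222, list name "vpn-allow"; place these rules
# above the IPsec accept/drop rules that reference vpn-allow.
/ip firewall filter
# Stage 1: a single SYN to TCP 1111 marks the source for 15 seconds.
# add-src-to-address-list is non-terminating, so processing continues below.
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=15s comment="knock 1"
# Stage 2: a SYN to TCP 2222 from a stage-1 address opens vpn-allow for it.
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=vpn-allow \
    address-list-timeout=8h comment="knock 2 -> vpn-allow"
# The knock ports never answer: drop the knock packets after the list update,
# so a scanner sees them as filtered like any other closed port.
add chain=input protocol=tcp dst-port=1111,2222 action=drop comment="swallow knocks"
```

Two caveats worth keeping in mind with this pattern. The knock is plain TCP SYNs, so anyone who can observe the client's traffic can replay it, and a port scan that happens to touch 1111 and then 2222 within 15 seconds walks through the stages by accident (choosing a second port lower than the first defeats ascending scans, and more stages raise the bar further). The 8h entry timeout also bounds the session: once it expires, every further IKE and ESP packet from that address is dropped again, so set it longer than the longest VPN session you expect or have clients knock again before reconnecting.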