MikroTik

Community discussions
https://forum.mikrotik.com/

Unaccounted IPSec Errors

https://forum.mikrotik.com/viewtopic.php?t=132433

Page 1 of 1

Unaccounted IPSec Errors

Posted: Tue Mar 27, 2018 12:36 am
by FusionEvo
It seems recently I have been getting a lot of IPSec errors. Currently, IPSec is only used for a PPP tunnel between two MikroTik sites.

Looking at the log it seems to be trying to make a connection to an IP address in Japan. The address is not one that I recognize or within my local vicinity. The errors seem to have happened for well over a day.
Not sure what may be causing this error but the first one I can think of is a possible attack attempt on the PPP.

Does anyone have anymore detail on the errors?

I have attached an excerpt of the log below with my own IP masked for security.

Code: Select all

03:32:52 ipsec,error 121.108.245.39 failed to get valid proposal.
03:32:52 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:32:52 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:32:52 ipsec,error no suitable proposal found.
03:32:52 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:32:55 ipsec,error 121.108.245.39 failed to get valid proposal.
03:32:55 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:32:55 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:32:55 ipsec,error no suitable proposal found.
03:32:55 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:32:58 ipsec,error 121.108.245.39 failed to get valid proposal.
03:32:58 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:32:58 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:32:58 ipsec,error no suitable proposal found.
03:32:58 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:01 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:01 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:01 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:01 ipsec,error no suitable proposal found.
03:33:01 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:04 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:04 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:04 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:04 ipsec,error no suitable proposal found.
03:33:04 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:07 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:07 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:07 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:07 ipsec,error no suitable proposal found.
03:33:07 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:10 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:10 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:10 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:10 ipsec,error no suitable proposal found.
03:33:10 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:13 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:13 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:13 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:13 ipsec,error no suitable proposal found.
03:33:13 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:16 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:16 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:16 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:16 ipsec,error no suitable proposal found.
03:33:16 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]
03:33:19 ipsec,error 121.108.245.39 failed to get valid proposal.
03:33:19 ipsec,error 121.108.245.39 failed to pre-process ph1 packet (side: 1, status 1).
03:33:19 ipsec,error 121.108.245.39 phase1 negotiation failed.
03:33:19 ipsec,error no suitable proposal found.
03:33:19 ipsec,info respond new phase 1 (Identity Protection): xxx.x.xxx.xxx[500]<=>121.108.245.39[500]

Re: Unaccounted IPSec Errors

Posted: Tue Mar 27, 2018 10:22 pm
by sindy
Not sure what may be causing this error but the first one I can think of is a possible attack attempt on the PPP.
I would expect that to be a misconfiguration in Japan, or a targeted attack to your site (possibly without knowledge of the owner of that IP as the device may be infected), or a targeted attack to the Japanese site by means of your infected device.

To find out which one is true, put two rules to your firewall:
Code: Select all
/ip firewall filter add chain=input src-address=121.108.245.39/32 protocol=udp dst-port=500 action=drop
/ip firewall filter add chain=output dst-address=121.108.245.39/32 action=drop
and move them as high in the rule list in their respective chains as the ROS lets you.

After 3 minutes, clear the packet counters for these two rules and wait for another 3 minutes.
  • If the counter on the rule in chain output shows a non-zero value and the counter of the rule in chain input remains at zero, then it is your device attacking the Japanese one (not really likely).
  • If the counter on the rule in chain input shows a non-zero value and the counter of the rule in chain output remains at zero, it is a misconfiguration in Japan or a targeted attack on you.
  • If both counters stay at zero, it was a random attack which has found an open IPsec port at your device and tried to get in; once your device has stopped responding, it gave up and started trying the next candidate on the list.

Re: Unaccounted IPSec Errors

Posted: Wed Mar 28, 2018 9:19 am
by FusionEvo
Thanks sindy.

I added the two filter, but I modified the input filter to drop everything except for the src-ip where I expect it to be coming from.
Seems like only the input chain filter is increasing, pointing to an external connection attempt (around 131 packets dropped).

After getting the dropped connections to the log, I see that it is actually from a few different addresses (logs attached below). While I love to keep the existing firewall rule to drop everything except for the intended src-ip, the src-ip is actually dynamic so it changes. So that strategy wont work.

What would be the best practice in this case? Will not having the firewall rule leave me vulnerable to attacks? Or are there ways to modify the firewall rules so that it only accepts connection from the dynamic IP address?

Thanks
Code: Select all
10:14:59 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 197.26.60.54:500->xxx.x.xxx.xxx:500, len 364 
10:56:49 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 216.218.206.114:15465->xxx.x.xxx.xxx:500, len 92 
11:06:26 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 197.26.60.54:500->xxx.x.xxx.xxx:500, len 364 
12:11:36 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:44 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:45 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:46 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:49 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:52 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:55 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:11:58 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:01 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:04 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:07 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:10 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:13 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:16 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:19 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:22 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:25 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
12:12:28 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:25 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:33 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:34 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:35 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:38 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:41 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:44 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:47 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:50 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:53 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:56 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:15:59 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:02 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:05 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:08 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:11 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:14 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:16:17 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
13:44:38 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 61.81.64.17:500->xxx.x.xxx.xxx:500, len 364 
14:06:17 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:25 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:26 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:27 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:30 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:33 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:36 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:39 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:42 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:45 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:48 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:51 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:54 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:06:57 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:07:00 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:07:03 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:07:06 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:07:09 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:13 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:21 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:22 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:23 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:26 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:29 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:32 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:35 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:38 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:41 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:44 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:47 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:50 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:53 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:56 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:56:59 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:57:02 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
14:57:05 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:37 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:45 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:46 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:47 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:50 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:53 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:56 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:46:59 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:02 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:05 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:08 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:11 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:14 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:17 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:20 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:23 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:26 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408 
15:47:29 firewall,info firewall-drop input: in:ether1-gateway out:(unknown 0), src-mac 00:01:5c:7e:7a:46, proto UDP, 187.57.139.30:500->xxx.x.xxx.xxx:500, len 408

Re: Unaccounted IPSec Errors

Posted: Wed Mar 28, 2018 10:25 am
by sindy
What would be the best practice in this case? Will not having the firewall rule leave me vulnerable to attacks? Or are there ways to modify the firewall rules so that it only accepts connection from the dynamic IP address?
That depends on your use case and how much you trust the IPsec as such.

If you only need site2site VPNs, you can permit only packets from the known remote sites and drop the rest.

If you have a reason to accept connections from anywhere in the world, you may
  • trust the IPsec implementation and the complexity of your passwords and bear the discomfort of having the log polluted with unsuccessful attempts to break in
  • make your Mikrotik actually listen for incoming IPsec connections on another UDP port than 500 if you have a way to tell the clients to connect at that port
  • use the port knocking approach where a remote address must qualify for being allowed to access UDP port 500 by sending packets to several other ports of your own choice in correct order (which can be done manually using a web browser at the client)

Re: Unaccounted IPSec Errors

Posted: Fri Mar 30, 2018 10:45 am
by FusionEvo
I think I have found my solution. Since the client site has a DNS, I was able to use a script to update the client site IP to an address-list that would be allowed through the firewall.
Inherently, I dont trust my ability to configure IPSec to the point that there are no vulnerability. So I want a second backup to ensure that I am covered there.

So much to learn about network security!

Thanks a ton for your assistance.

Re: Unaccounted IPSec Errors

Posted: Fri Mar 30, 2018 11:44 am
by sindy
Since the client site has a DNS, I was able to use a script to update the client site IP to an address-list that would be allowed through the firewall.
No need for a script here, RouterOS can take care of it directly. Just use the domain name as the address in the address list. RouterOS will keep that item as a static one in the configuration and auto-generate a "dynamic" item per each IP address returned by a DNS A query to the name, with a lifetime of that item matching the validity of the DNS answer. Once the item expires, ROS sends a new DNS A query.
Inherently, I dont trust my ability to configure IPSec to the point that there are no vulnerability. So I want a second backup to ensure that I am covered there.
So much to learn about network security!
The first thing here is that even if you would know everything that can be known about the configuration, you cannot trust the code, no matter how loud statements regarding its bullet-proofness you may hear, unless you've inspected and perfectly understood every single line of it and found it to cover all behaviours of the remote side which may possibly (which is unfortunately much wider than "imaginably") happen.

So there is always a balance point between the complexity of breaking the security of a network (or a bank vault) and the determination to do that, which depends on the value of the protected assets for the attacker.

So one question - is the process of updating the DNS with a new IP address protected from forged updates?
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/