Matteo
Visitor III
July 4, 2016
Question

Daily IPsec phase 1 error... attacks?

  • July 4, 2016
  • 1 reply
  • 12888 views

Hi,

I'm new to the FortiOS system and I have just configured a FortiGate cluster by activating an SSL VPN (not an IPsec tunnel). However, each day I am seeing error logs reporting "Progress IPsec phase 1" errors like these:


date=2016-07-03 time=07:24:41 devname=XXX devid=YYY logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=REMOTEIP locip=COMPANYID remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

date=2016-07-03 time=07:24:41 devname=XXX devid=YYY logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=REMOTEIP locip=COMPANYID remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"


The IP addresses are always associated with addresses from Hong Kong or California, and each day they try to connect to different company IP addresses.

Do I have to be worried about these logs? Can I protect the system by enabling/changing something? I don't think these are real connection attempts; they seem to be scanning attacks.


Many thanks :)


    Toshi_Esumi
    SuperUser
    July 4, 2016

    Thank you for reminding me of this; because of it I found I had left a test IPsec configuration for another FG on my home FG, which is getting the same log all the time. Anyway, you should be safe as long as no IPsec config is allowing those attempts. If it's from the same IP and it concerns you too much, you might try setting a "blackhole" to the destination with a static route. It might generate a different kind of log, though.
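
    The records quoted in the question are FortiOS key=value event logs, and the reply above suggests a blackhole static route for a persistent source. The script below is an added example (not part of this thread and not Fortinet code) that parses that log format, counts phase 1 failures per remote peer that matched no configured tunnel (vpntunnel="N/A"), and renders the FortiOS CLI for /32 blackhole routes for the noisiest peers. The sample log lines, the RFC 5737 addresses in them, and the threshold of three failures are all constructed assumptions for the example.

```python
"""Triage FortiOS "IPsec phase 1 error" logs for unsolicited IKE probes.

Added example, not code from the forum thread or from Fortinet. Parses the
space-separated key=value event-log format, counts phase 1 failures per remote
peer that matched no configured tunnel, and renders FortiOS CLI for /32
blackhole static routes. Sample records and the threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records in the format shown in the question (RFC 5737
# documentation addresses; every value below is made up for this example).
SAMPLE_LOGS = [
    # 203.0.113.7: one "progress" record plus three "error" records, no tunnel matched
    'date=2016-07-03 time=07:24:41 devname=FGT devid=FG100 logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=203.0.113.7 locip=198.51.100.10 remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/0000000000000000" user="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR',
    'date=2016-07-03 time=07:24:41 devname=FGT devid=FG100 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=203.0.113.7 locip=198.51.100.10 remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/0000000000000000" user="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"',
    'date=2016-07-03 time=07:24:45 devname=FGT devid=FG100 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=203.0.113.7 locip=198.51.100.10 remport=42988 locport=500 outintf="wan1" cookies="0011223344556678/0000000000000000" user="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"',
    'date=2016-07-03 time=07:24:49 devname=FGT devid=FG100 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=203.0.113.7 locip=198.51.100.11 remport=42989 locport=500 outintf="wan1" cookies="0011223344556679/0000000000000000" user="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"',
    # 198.51.100.77: a single failure, below the threshold
    'date=2016-07-03 time=09:02:13 devname=FGT devid=FG100 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=198.51.100.77 locip=198.51.100.10 remport=500 locport=500 outintf="wan1" cookies="aabbccddeeff0011/0000000000000000" user="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"',
    # 192.0.2.9: a configured peer with a proposal mismatch; a misconfiguration, not a probe
    'date=2016-07-03 time=10:15:00 devname=FGT devid=FG100 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=192.0.2.9 locip=198.51.100.10 remport=500 locport=500 outintf="wan1" cookies="1122334455667788/8877665544332211" user="N/A" assignip=N/A vpntunnel="branch-office" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# logid of the record that carries the failure reason (from the question).
PHASE1_ERROR_LOGID = "0101037124"


def parse_fortilog(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict; quotes are stripped."""
    fields = {}
    for m in _KV.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def phase1_failures(lines):
    """Return {remip: Counter(reason)} for phase 1 errors that matched no tunnel.

    Records with a real vpntunnel name are skipped: those are configured peers
    whose proposal disagrees with ours, which is a configuration problem to fix,
    not an unsolicited probe.
    """
    by_peer = defaultdict(Counter)
    for line in lines:
        f = parse_fortilog(line)
        if f.get("logid") != PHASE1_ERROR_LOGID or f.get("vpntunnel") != "N/A":
            continue
        by_peer[f.get("remip", "unknown")][f.get("reason", "unknown")] += 1
    return by_peer


def probing_peers(lines, threshold=3):
    """Peers with at least `threshold` unmatched failures (assumed cutoff), sorted."""
    return sorted(ip for ip, reasons in phase1_failures(lines).items()
                  if sum(reasons.values()) >= threshold)


def blackhole_routes(ips):
    """Render FortiOS CLI that null-routes each IP with a /32 blackhole static route."""
    out = ["config router static"]
    for ip in ips:
        out += ["    edit 0",  # 0 lets FortiOS assign the next free sequence number
                f"        set dst {ip} 255.255.255.255",
                "        set blackhole enable",
                "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    for ip, reasons in phase1_failures(SAMPLE_LOGS).items():
        print(ip, dict(reasons))
    print(blackhole_routes(probing_peers(SAMPLE_LOGS)))
```

    Note the caveat the reply itself raises: a blackhole route only removes the FortiGate's return path to that peer, so the inbound IKE packet still arrives on UDP/500 and can still produce a log record, just a different one. The vpntunnel="N/A" check is what separates scanner noise from a real peer whose proposal does not match, which is the case you actually need to fix.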

    Mark_Holtkamp
    New Member
    July 4, 2016

    Same here, I get about 2 to 3 login attempts on each branch FGT in our network (4 total). Usually the IP resolves to shodan.io or someone using that service. You can change the SSL VPN port to something more obscure to reduce the number of attempted logins, but as long as you have a good password policy in place and the number of attempts doesn't go sky high, don't worry.

    Matteo
    Author
    Visitor III
    July 6, 2016

    The connection attempts come from different IPs, so I am not able to put them in a blacklist. However, I don't have any IPsec configuration in place, so I can be quiet.


    Thanks for your answers...