Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matteo
New Contributor

Daily IPsec phase 1 error... attacks?

Hi,

I'm new to the FortiOS system and I have just configured a FortiGate cluster by activating a SSL VPN (not an IPSec tunnel). However, each day I am seeing error logs reporting Progress IPsec phase 1 errors like this one:

 

date=2016-07-03 time=07:24:41 devname=XXX devid=YYY logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=REMOTEIP locip=COMPANYID remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/

0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

date=2016-07-03 time=07:24:41 devname=XXX devid=YYY logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=REMOTEIP locip=COMPANYID remport=42987 locport=500 outintf="wan1" cookies="0011223344556677/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

 

The IP addresses are always associated to addresses from Hong Kong or California, and each day they try to connect to different company IP addresses.

Do I have to be worried about these logs? Can I protect the system by enabling/changing something? I don't think so these are real connection attempts and they seems to be scanning attacks.

 

Many thanks :)

3 REPLIES 3
Toshi_Esumi
SuperUser
SuperUser

Thank you for reminding me with this so that I found I left a test IPSec configure on another FG into my home FG, which is getting the same log all the time. Anyway, you should be safe as long as no IPSec config is allowing those attempts. If it's from the same IP and concerning you too much you might try setting a "blackhole" to the destination with a static route. It might generate a different kind of log though.

Mark_Holtkamp

Same here, I get about 2 to 3 login attempts on each branch FGT in our network (4 total). Usually the IP resolves to shodan.io or someone using that service. You can change the SSL VPN port to something more obscure to reduce the amount of attempted logins, but as long as you have a good password policy in place and the amount of attempts doesn't go sky high don't worry.

Matteo

The connetion attempts come from different IPs, so I am not able to put them in a black list. However I don't have any IPsec configuration in place, so I can be quiet.

 

Thanks for your answers...

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors