Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
François
New Contributor III

black list public ip IKE protocol

Hi,

 

I use FG600D (Fortios V5.4.5) with 30 VPN (IKE) but since few weeks i have trouble with some public ip like 216.218.206.126. Each night i have a lot of attempts to establish VPN IKE. This public ip is not public ip of my company.

For example :

Message meets Alert condition

date=2018-06-03 time=04:47:33 devname=FW-BLC-1 devid=FGT6HDXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=[style="background-color: #ffff00;"]216.218.206.102[/style] locip=xxx.xxx.xxx.xxx remport=24916 locport=500 outintf="IP-Pub-Complete" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

 

 

I try to use local in policy but i don't understand how. In my all Fortigate i saw local in policy in GUI but in CLI i have nothing. 

Please could you tell me if it's the good way to block unwanted public ip ? and if it's the good way could you explained me how can i do ?

 

In Example i found, all people explain to choose wan interface for source but i don't know which destination interface i must select.

 

Thank you,

François

 

14 REPLIES 14
Markus
Valued Contributor

Hi François The deny is a default setting. You can check it, if you use "get", rather than "show" (local-in-policy) # edit 2 (2) # get policyid            : 2 ha-mgmt-intf-only   : disable intf                : wan1 srcaddr             : "all" dstaddr             : "all" action              : deny service             : "IKE" "GRE" "SIP" schedule            : always status              : enable

 

Best,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
François
New Contributor III

Hi Markus,

 

Good, thank you for this precision i did not know.

 

François

 

Toshi_Esumi
Esteemed Contributor III

When you create an interface-mode IPSec vpn, the interface is automatically created with the same name of phase1-interface name. Then you should configure the tunnel interface IP w/ /32 mask as well as a remote-ip. That would be used for all routing. All ipsec attempts to the same phy interface ip are examined with IPsec tunnels configured on the interface.

If you don't spcify IKE as service and want to block everything from the source, you need to use the phy interface. But if you want to block any irrelevant IPSec attempts by specifying IKE, you might need to use the tunnel interface. I'm not sure though. Then you should leave the destination blank. 

If you block one side for IKE (that's all you can do for any attacks), the IKE negotiation can't be completed and fail. The source might keep trying but that's not what you can control or avoid unless your upstream router blacklists the source IP.

Bruno_Pereira

you noticed a scan coming from this server across your network and/or poking at a service that you have running. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have services running that should not be exposed because they are trivial to exploit or abuse. The goal of this project is to identify hosts that have these types of services exposed and report them back to the network owners for remediation. Further details on this scanning project can be found on our blog at: http://blog.shadowserver....the-internet-improves/ Statistics on these scans can be found at: http://blog.shadowserver....nnings-and-statistics/ If you would like to sign up for reports on any data that we have collected on your network, you can request them from here: https://www.shadowserver....etReportsOnYourNetwork All of the probes that are used in our tests are benign and do not ( and will never ) contain exploit code. Scans with these types of tools are off-limits for us. All the data that we collect is visible to anyone who connects to a particular host with on the proper port using the proper commands. If you have any more questions please feel free to send us an email at:

ericli_FTNT
Staff
Staff

François wrote:

Hi,

 

I use FG600D (Fortios V5.4.5) with 30 VPN (IKE) but since few weeks i have trouble with some public ip like 216.218.206.126. Each night i have a lot of attempts to establish VPN IKE. This public ip is not public ip of my company.

For example :

Message meets Alert condition

date=2018-06-03 time=04:47:33 devname=FW-BLC-1 devid=FGT6HDXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=[style="background-color: #ffff00;"]216.218.206.102[/style] locip=xxx.xxx.xxx.xxx remport=24916 locport=500 outintf="IP-Pub-Complete" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

 

 

I try to use local in policy but i don't understand how. In my all Fortigate i saw local in policy in GUI but in CLI i have nothing. 

Please could you tell me if it's the good way to block unwanted public ip ? and if it's the good way could you explained me how can i do ?

 

In Example i found, all people explain to choose wan interface for source but i don't know which destination interface i must select.

 

Thank you,

François

 

I would suggest you configure an ACL on that interface to drop any packets from unwanted source and terminate on your device.

Top Kudoed Authors