This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to block access to IPsec for some IP address or country

Hello,

For some time I have seen "peer authentication failed" entries in IPsec logs. How can I block IP address that initiates these connections? - or maybe the whole country? The "block all incoming connections from xxx IP address" rule does not work in this case.

Second question: are you planning to introduce the so-called dynamic blacklist, to which would be automatically added IP addresses notoriously trying to set up an IPsec or SSL connection using incorrect credentials or keys? This would be highly desirable because of a recent passwords and keys leak.

This thread was automatically locked due to age.

Parents

0 Keyur over 5 years ago

Hi MichalKawecki

You can create a Local ACL firewall rule and select WAN as a source zone and ANY as a destination zone and drop the SSL VPN service and define specific IP - https://community.sophos.com/kb/en-us/132814#Local%20Service%20ACL%20Exception%20Rule

IPsec connection would only be possible if matching phase-1 and phase-2 polices can match the parameter and remote device details are configured in the firewall, it will not allow or connect to any random request if it is there, you may check for Blackhole DNAT - https://community.sophos.com/kb/en-us/134380
Cancel
Vote Up 0 Vote Down

Cancel
0 MichalKawecki over 5 years ago in reply to Keyur

Unfortunately, in our configuration we have an active road warrior connection, so none of the above solutions are an option. So, if there is no way to block such an IP address, the only thing left to do is wait for the script on the other side to finally figure out our preshared key and establish a connection...
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 MichalKawecki over 5 years ago in reply to Keyur

Unfortunately, in our configuration we have an active road warrior connection, so none of the above solutions are an option. So, if there is no way to block such an IP address, the only thing left to do is wait for the script on the other side to finally figure out our preshared key and establish a connection...
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 FormerMember over 5 years ago in reply to MichalKawecki

Hi,

Sophos XG supports firewall rule based on Country -

Sophos XG Firewall: How to create a country-based firewall rule

example -
Cancel
Vote Up 0 Vote Down

Cancel
0 MichalKawecki over 5 years ago in reply to FormerMember

As I wrote prevoiusly, the "block all incoming connections from xxx IP address" rule does not work in case of IPSec connections.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 5 years ago in reply to MichalKawecki

Hi MichalKawecki,

Then I don't think there is a way to entirely block non-legitimate connection attempts.

However, you can configure the local ID and remote ID for a kind of extra layer of authentication for VPN connection -
Cancel
Vote Up 0 Vote Down

Cancel
0 MichalKawecki over 5 years ago in reply to FormerMember

It's definitely an idea. However, the best solution seems to be adding the ability to pre-filter IPSec traffic in the router's administrative access management panel. I could then apply a rule that allows access to IPSec only from a single selected country.

I will add that the security of the road-warrior IPSec connection is very questionable when we also use Sophos Connect. The reason lies in the easy access to the file with the Sophos Connect configuration, in which the shared key is saved in plain text - because this key is the same as for the mentioned IPSec...

Thank you for your answers and ideas.

Greetings.
Cancel
Vote Up 0 Vote Down

Cancel