
IKE based attack vector?: parsing IKE header from a.b.c.d[id] failed

Our setup uses site-to-site IPsec tunnels. In the last few weeks we started noticing suspicious activity using invalid IKE messages. It seems that certain IPs are trying to figure something out using IKE header messages.

Here are some stats from the last couple of days:

$ grep 'Failed' Log_Viewer.csv | awk -F',' '{ print $5 }' | awk -F '[' '{ print $1 }' | sort | uniq -c

 211 parsing IKE header from 123[.]129.217.231
 435 parsing IKE header from 156[.]226.19.214
  77 parsing IKE header from 172[.]64.139.35
 580 parsing IKE header from 45[.]14.110.154
12451 parsing IKE header from 45[.]14.110.156
2319 parsing IKE header from 54[.]39.103.161
  59 parsing IKE header from 81[.]31.201.141

Anybody else seeing this kind of ingress traffic?

The question really is how to whitelist the IPs which are known to be trusted sources of IKE traffic for site-to-site VPN tunnels.



  • The following entries are present in the logs:

    2020-05-31 16:08:56 03[ENC]   not enough input to parse rule 2 U_INT_8
    2020-05-31 16:08:56 03[ENC] header could not be parsed
    2020-05-31 16:08:56 03[NET] received invalid IKE header from 123[.]129.217.231 - ignored
    2020-05-31 16:08:56 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE header from 123[.]129.217.231[27873] failed
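
The per-source count from the opening post, redone over the full alert line quoted above, as an added example that is not code from the thread or from Sophos: it parses the "parsing IKE header from IP[port] failed" alerts, normalises the "[.]" defanging used in this thread, and separates failures from known site-to-site peers (which would point at a configuration or fragmentation problem) from failures from unknown sources (scanner noise). The sample log and the trusted-peer address 198.51.100.7 are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Matches the XG/strongSwan alert line quoted in the thread. "[.]" defanging
# is undone before matching so the thread's own lines parse unchanged.
ALERT_RE = re.compile(
    r"parsing IKE header from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[(?P<port>\d+)\] failed"
)


def parse_ike_failures(lines):
    """Yield (source_ip, source_port) for every IKE header parse failure."""
    for line in lines:
        m = ALERT_RE.search(line.replace("[.]", "."))
        if m:
            yield m.group("ip"), int(m.group("port"))


def summarise(lines, trusted_peers):
    """Count failures per source IP and split known VPN peers from unknown ones."""
    trusted = {ip_address(p) for p in trusted_peers}
    counts = Counter(ip for ip, _ in parse_ike_failures(lines))
    trusted_hits = {ip: n for ip, n in counts.items() if ip_address(ip) in trusted}
    untrusted = {ip: n for ip, n in counts.items() if ip_address(ip) not in trusted}
    return counts, trusted_hits, untrusted


# Constructed sample: the thread's lines plus two more alerts and one from a
# hypothetical trusted remote gateway (198.51.100.7, documentation range).
SAMPLE_LOG = """\
2020-05-31 16:08:56 03[ENC]   not enough input to parse rule 2 U_INT_8
2020-05-31 16:08:56 03[ENC] header could not be parsed
2020-05-31 16:08:56 03[NET] received invalid IKE header from 123[.]129.217.231 - ignored
2020-05-31 16:08:56 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE header from 123[.]129.217.231[27873] failed
2020-05-31 16:09:01 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE header from 45[.]14.110.156[40001] failed
2020-05-31 16:09:02 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE header from 45[.]14.110.156[40002] failed
2020-05-31 16:09:05 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE header from 198.51.100.7[500] failed
""".splitlines()

TRUSTED_PEERS = ["198.51.100.7"]  # hypothetical site-to-site peer gateway

if __name__ == "__main__":
    counts, trusted_hits, untrusted = summarise(SAMPLE_LOG, TRUSTED_PEERS)
    for ip, n in sorted(untrusted.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  unknown source  {ip}")
    for ip, n in trusted_hits.items():
        print(f"{n:6d}  TRUSTED PEER    {ip}  (check tunnel config / MTU)")
```

A parse failure from a trusted peer is worth a ticket; the rest is the kind of UDP/500 probing the thread discusses and is best handled by the firewall rule, not by reading the log.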

  • I am not quite sure if those attacks are real attacks or simply a port scan mechanism.

    As you have port 500 open, such a port scanner could actually ping port 500 via UDP, and XG (strongSwan) could consider this an "invalid IKE header".

    Check the databases of scanners as of today to see if they match your IPs.