Inbound firewall rule doesn't refuse connection

It appears that we occasionally are targeted by internet-wide scanning of hosts that listen for inbound IPSec VPN connection requests. On the IPsec VPN Event Log, it is clearly shown:

|Feb 19 18:11:15|IPsec: Refused connection request from|
|Feb 19 17:59:02|IPsec: Refused connection request from|
|Feb 19 17:17:56|IPsec: Refused connection request from|
|Feb 19 11:12:15|IPsec: Refused connection request from|
|Feb 18 19:21:13|IPsec: Refused connection request from|
|Feb 18 18:52:24|IPsec: Refused connection request from|

So in response to this, I have made an inbound firewall rule from the netblock of the most common offenders
Protocol: Any
WAN: Any
Destination: Any
Action: Deny

After saving and applying, log entries are still generated for addresses inside the netblock which should be denied by the firewall rule.

Please confirm if VPN connection listening takes place before or after firewall rules.

1 Like

The firewall rule is designed to block traffic type below only.

  • LAN to LAN
  • LAN to WAN
  • WAN to LAN

You do not have to worry about it because those IP addresses do not know your IPSEC pre-shared key. They will not be able to form the IPSEC VPN.

1 Like

The firewall should be able to block these incoming connection attempts, should it not? I am getting the same thing from the same IPs as above and the “answer” is not to worry?