IPSEC - Odd Traffic

Hi All,

I’m new to the forums so hopefully I am asking in the right place.

I have an IPSEC tunnel set up between our office and colocated environment. Everything seems to be working as intended. However, in the VPN event log I am seeing some unsettling entries and wondering exactly what they mean.

```
Oct 25 07:14:37  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 25 07:14:33  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 07:08:47  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 25 07:08:45  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 03:23:36  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 25 03:22:49  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 03:17:46  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 25 03:17:08  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 24 23:33:41  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 24 23:33:23  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 24 23:27:51  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 24 23:27:39  IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 24 21:11:17  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 24 21:10:38  IPsec: Refused Main Mode connection request from 216.218.206.122
Oct 24 20:11:46  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 24 20:11:30  IPsec: Refused Main Mode connection request from 216.218.206.118
Oct 24 19:22:45  IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 24 19:22:39  IPsec: Hosting/2x5 - Initiating Main Mode connection…
```

The IP addresses in this log are not part of the VPN. As a result of these messages I changed the PSK. They are still happening so now I am a bit confused as to what exactly is happening.

Does this response mean the person has authenticated and is being refused because the IP is wrong?

IPSEC setup - Peplink Balance 305 <–> Juniper Firewall

Hi LeafVee,

The messages in the log show connection attempts from those IP addresses.
If you see this message, and it is from an unknown IP address, you can create a firewall rule to block this IP address.

It seems that this is part of a research study from the University of Pennsylvania.
You can find more information in this article: Scanning by University to test/break VPN security PSK's - hMailServer forum
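An added example, not part of the original thread: one way to triage an exported copy of this event log by grouping the refused Main Mode requests per source address and separating configured peers from unknown sources. The log lines follow the format in the post above; the 203.0.113.10 entry, the `known_peers` list and the `year` argument are assumptions (the log carries no year).

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Lines in the event-log format from the post; the 203.0.113.10 entry is
# constructed to stand in for a configured peer (documentation address).
SAMPLE_LOG = """\
Oct 25 07:14:37 IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
Oct 25 07:14:33 IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 07:08:45 IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 03:22:49 IPsec: Refused Main Mode connection request from 158.130.6.191
Oct 25 01:02:03 IPsec: Refused Main Mode connection request from 203.0.113.10
Oct 24 21:10:38 IPsec: Refused Main Mode connection request from 216.218.206.122
Oct 24 20:11:30 IPsec: Refused Main Mode connection request from 216.218.206.118
"""

REFUSED = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) +IPsec: "
    r"Refused Main Mode connection request from (\S+)$")

def refused_by_source(log_text, known_peers, year=2000):
    """Group refused Main Mode requests by source address.

    year is an assumption: the log lines carry no year.
    """
    peers = {ip_address(p) for p in known_peers}
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REFUSED.match(line.strip())
        if not m:
            continue                      # other IPsec events are ignored
        try:
            src = ip_address(m.group(2))
        except ValueError:
            continue                      # malformed address field
        stamp = " ".join(m.group(1).split())   # collapse a padded day, e.g. "Oct  5"
        seen[src].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    report = [{"source": str(s), "count": len(t), "first": min(t),
               "last": max(t), "known_peer": s in peers} for s, t in seen.items()]
    return sorted(report, key=lambda r: -r["count"])

def unknown_sources(report):
    """Sources that are not configured peers: candidates for a block rule."""
    return [r["source"] for r in report if not r["known_peer"]]

if __name__ == "__main__":
    for row in refused_by_source(SAMPLE_LOG, known_peers=["203.0.113.10"]):
        print(row)
```

A refusal that shows up under a configured peer points at a settings mismatch on the tunnel rather than at outside scanning, so the two groups call for different follow-up.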

Hi Erik,

If I have a default rule of deny on all inbound traffic, wouldn’t that already be blocking it?

FYI That IP is from a US based Research Study. I’ve been seeing it all over recently. More info here: http://research-scan.cis.upenn.edu/

I just performed a scan using nmap with arguments -p 1-65535 -T4 -A -v -Pn hostaddress

The only result was port 4500 udp being closed. This partially explains why this is happening. Is there a way to stealth/filter that port while using an ipsec vpn?

I believe you are referring to UDP 4500 being opened. UDP 4500 is needed for IPSec VPN once NAT-Traversal is enabled. Hence, you managed to scan this port.

You may perform the steps below if you still prefer to close this port.

  1. Disable NAT-Traversal (Network > IPSec VPN > NAT-Traversal).
     • Ensure NAT-Traversal is not needed on Balance and Juniper side.
     • Ensure L2TP/IPSec is not needed on Balance router.
  2. Ensure PepVPN/SpeedFusion is not needed on Balance router.