IPSEC - Odd Traffic

Hi All,

I’m new to the forums so hopefully I am asking in the right place.

I have a IPSEC tunnel setup between our office and colocated environment. Everything seems to be working as intended. However, in the VPN event log I am seeing some unsettling entries and wondering exactly what it means.

[TABLE=“class: stat_table, width: 744”]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 25 07:14:37
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 25 07:14:33
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 25 07:08:47
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 25 07:08:45
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 25 03:23:36
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 25 03:22:49
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2”]
Oct 25 03:17:46
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 25 03:17:08
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 24 23:33:41
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 24 23:33:23
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 24 23:27:51
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 24 23:27:39
IPsec: Refused Main Mode connection request from 158.130.6.191
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 24 21:11:17
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 24 21:10:38
IPsec: Refused Main Mode connection request from 216.218.206.122
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 24 20:11:46
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 24 20:11:30
IPsec: Refused Main Mode connection request from 216.218.206.118
[/TR]
[TR=“class: zb2, bgcolor: #E6E6E6”]
Oct 24 19:22:45
IPsec: Hosting/1x5 - No acceptable response, please verify the settings.
[/TR]
[TR=“class: zb1”]
Oct 24 19:22:39
IPsec: Hosting/2x5 - Initiating Main Mode connection…
[/TR]
[/TABLE]

The IP addresses in this log are not part of the VPN. As a result of these messages I changed the PSK. They are still happening so now I am a bit confused as to what exactly is happening.

Does this response mean the person has authenticated and is being refused because the IP is wrong?

IPSEC setup - Peplink Balance 305 <–> Juniper Firewall

Hi LeafVee,

The messages in the log show connection attempts from those ip addresses.
If you see this message, and it is from an unknown ip address, you can create a firewall rule to block this ip address.

It seems that this is part of a research study from the University of Penssylvania
You can find more information in this article : https://www.hmailserver.com/forum/viewtopic.php?t=29224

Hi Erik,

If I have a default rule of deny on all inbound traffic, wouldn’t that already be blocking it?

FYI That IP is from a US based Research Study. I’ve been seeing it all over recently. More info here: http://research-scan.cis.upenn.edu/

I just performed a scan using nmap with arguments -p 1-65535 -T4 -A -v -Pn hostaddress

The only result was port 4500 udp being closed. This partially explains why this is happening. Is there a way to stealth/filter that port while using an ipsec vpn?

Believe you are referring to UDP 4500 being opened. UDP 4500 is needed for IPSec VPN once NAT-Traversal was enabled. Hence, you managed to scan this port.

You may perform steps below if you still preferred to close this port.

  1. Disable NAT-Traversal (Network > IPSec VPN > NAT-Traversal).
  • Ensure NAT-Traversal is not needed on Balance and Juniper side.
  • Ensure L2TP/IPSec s not needed on Balance router.
  1. Ensure PepVPN/SpeedFusion is not needed on Balance router.