For some time I have seen "peer authentication failed" entries in the IPsec logs. How can I block the IP address that initiates these connections, or maybe the whole country? The "block all incoming connections from xxx IP address" rule does not work in this case.
Second question: are you planning to introduce a so-called dynamic blacklist, to which IP addresses that notoriously try to set up an IPsec or SSL connection using incorrect credentials or keys would be added automatically? This would be highly desirable because of a recent password and key leak.
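The dynamic blacklist asked for above can be prototyped outside the firewall: tail the IPsec log, count "peer authentication failed" entries per source address inside a sliding window, and emit the offenders for whatever upstream filter is available. The script below is an added example and is not part of the original post or of Sophos XG; the log lines are constructed for illustration and do not claim to match the firewall's real log format (only the timestamp, the phrase and the peer address are assumed to be present).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not Sophos XG's real format). Assumed fields per line:
# ISO timestamp, the phrase "peer authentication failed", and the peer IP.
SAMPLE_LOG = """\
2023-05-01T10:00:01 ipsec: peer authentication failed for 203.0.113.7
2023-05-01T10:00:09 ipsec: peer authentication failed for 203.0.113.7
2023-05-01T10:00:15 ipsec: peer authentication failed for 198.51.100.4
2023-05-01T10:00:20 ipsec: peer authentication failed for 203.0.113.7
2023-05-01T10:00:31 ipsec: peer authentication failed for 203.0.113.7
2023-05-01T10:00:42 ipsec: IKE_SA established with 192.0.2.10
2023-05-01T10:00:50 ipsec: peer authentication failed for 203.0.113.7
2023-05-01T10:30:00 ipsec: peer authentication failed for 198.51.100.4
"""

# Matches only the failure lines; the success line above is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ipsec: peer authentication failed for "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(text):
    """Yield (timestamp, peer_ip) for every 'peer authentication failed' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("ip")


def offenders(text, threshold=5, window=timedelta(minutes=5)):
    """Return {peer_ip: time_first_flagged} for peers that reach `threshold`
    failed authentications inside any `window`-long sliding interval.

    One deque of timestamps per peer; entries older than the window are
    dropped from the front, so the count is a sliding window, not a lifetime
    total. A peer that fails slowly (two attempts half an hour apart) is never
    flagged, which keeps a mistyped key on a legitimate road warrior off the list.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_list(text, **kwargs):
    """Sorted list of peer addresses to hand to an upstream filter."""
    return sorted(offenders(text, **kwargs))


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
    print("candidate block list:", block_list(SAMPLE_LOG))
```

With the constructed log, 203.0.113.7 produces five failures within 49 seconds and is flagged at the fifth one, while 198.51.100.4 (two failures thirty minutes apart) is not. Note that, as the thread points out, a local firewall rule on the XG does not stop IKE from answering these peers, so the resulting list is only useful where it can be applied in front of the IPsec listener.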
From past posts on a similar subject I don't think you can, because those activities reach the firewall before the block rules.
Hi MichalKawecki. You can create a Local ACL firewall rule, select WAN as the source zone and ANY as the destination zone, drop the SSL VPN service and define the specific IP - https://community.sophos.com/kb/en-us/132814#Local%20Service%20ACL%20Exception%20Rule
An IPsec connection would only be possible if matching phase-1 and phase-2 policies match the parameters and the remote device details are configured in the firewall; it will not allow or connect any random request. You may also check Blackhole DNAT - https://community.sophos.com/kb/en-us/134380
In reply to Keyur:
Unfortunately, in our configuration we have an active road warrior connection, so none of the above solutions is an option. So, if there is no way to block such an IP address, the only thing left to do is wait for the script on the other side to finally figure out our pre-shared key and establish a connection...
In reply to MichalKawecki:
Sophos XG supports firewall rule based on Country -
Sophos XG Firewall: How to create a country-based firewall rule
In reply to Captain_A:
As I wrote previously, the "block all incoming connections from xxx IP address" rule does not work in the case of IPsec connections.
Then I don't think there is a way to entirely block non-legitimate connection attempts.
However, you can configure the local ID and remote ID as a kind of extra layer of authentication for the VPN connection -
It's definitely an idea. However, the best solution seems to be adding the ability to pre-filter IPsec traffic in the router's administrative access management panel. I could then apply a rule that allows access to IPsec only from a single selected country.
I will add that the security of the road-warrior IPsec connection is very questionable when we also use Sophos Connect. The reason lies in the easy access to the file with the Sophos Connect configuration, in which the shared key is saved in plain text, because this key is the same as for the mentioned IPsec connection...
Thank you for your answers and ideas.