IKE based attack vector?: parsing IKE header from a.b.c.d[id] failed

Our setup uses site-to-site IPsec tunnels. In the last few weeks we started noticing suspicious activity using invalid IKE messages. It seems that certain IPs are trying to figure something out using IKE header messages.

Here are some stats from the last couple of days:

$ grep 'Failed' Log_Viewer.csv | awk -F',' '{ print $5 }' | awk -F '[' '{ print $1 }' | sort | uniq -c

 211 parsing IKE header from 123[.]129.217.231
 435 parsing IKE header from 156[.]226.19.214
  77 parsing IKE header from 172[.]64.139.35
 580 parsing IKE header from 45[.]14.110.154
12451 parsing IKE header from 45[.]14.110.156
2319 parsing IKE header from 54[.]39.103.161
  59 parsing IKE header from 81[.]31.201.141

Anybody else seeing this kind of ingress traffic?

The question really is how to whitelist the IPs which are known to be trusted sources of IKE traffic for site-to-site VPN tunnels.
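An added example (not from the original post) that does the same counting as the grep/awk pipeline above and then splits the sources into known tunnel peers and unknown ones, so the unknown set can be fed into a drop rule while the known set is checked for misconfiguration. The CSV column layout, the sample log lines and the peer list are constructed assumptions; only the "parsing IKE header from a.b.c.d[id]" message shape comes from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the poster's pipeline assumes: the
# 5th comma-separated field carries the IKE daemon message. The other columns
# are placeholders (assumption; the real Log_Viewer.csv layout is not shown).
SAMPLE_CSV = """\
2020-07-06 10:01:02,WAN,ipsec,Failed,parsing IKE header from 203.0.113.7[500] failed
2020-07-06 10:01:03,WAN,ipsec,Failed,parsing IKE header from 203.0.113.7[500] failed
2020-07-06 10:02:11,WAN,ipsec,Failed,parsing IKE header from 198.51.100.9[4500] failed
2020-07-06 10:03:50,WAN,ipsec,Success,IKE_SA established with 192.0.2.10[500]
2020-07-06 10:04:00,WAN,ipsec,Failed,parsing IKE header from 192.0.2.10[500] failed
"""

# Remote gateway addresses of the configured site-to-site tunnels (constructed).
KNOWN_PEERS = {"192.0.2.10"}

# "parsing IKE header from a.b.c.d[id]": capture the address, drop the [id].
SRC_RE = re.compile(r"parsing IKE header from (\d{1,3}(?:\.\d{1,3}){3})\[[^\]]*\]")


def count_failures(csv_text):
    """Map source IP -> number of IKE header parse failures (mirrors the
    grep 'Failed' | awk -F',' '{print $5}' | sort | uniq -c pipeline)."""
    counts = Counter()
    for line in csv_text.splitlines():
        if "Failed" not in line:
            continue
        fields = line.split(",")
        if len(fields) < 5:
            continue
        m = SRC_RE.search(fields[4])
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(csv_text, known_peers):
    """Split failure sources into known tunnel peers (check the tunnel config
    on both ends) and unknown sources (candidates for a drop rule on UDP
    500/4500). Each is a dict of IP -> failure count."""
    counts = count_failures(csv_text)
    known = {ip: n for ip, n in counts.items() if ip in known_peers}
    unknown = {ip: n for ip, n in counts.items() if ip not in known_peers}
    return known, unknown
```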