My System log (Sophos XG310, running 18.5.2 MR-2-Build380) is filling up with messages like these:
2022-01-21 15:03:41 IPSec Failed parsing IKE header from 18.104.22.168 failed
2022-01-21 15:03:31 IPSec Failed parsing IKE header from 22.214.171.124 failed
They're coming in every 5 to 10 seconds. The IP address (126.96.36.199) is not one of mine. I have no idea who it is.
Here's what DOESN'T work. I have an active firewall rule at the very top of the list with a Drop action for Source zone: WAN, Source networks and devices: 188.8.131.52, Destination zone: Any, Destination networks: Any, Services: Any. Since activating the rule, there are no hits on it recorded in the Firewall log, but entries in the System log described above continue.
What am I missing?
You need a blackhole NAT rule for this kind of traffic: support.sophos.com/.../KB-000038943
OK, I tried this. It may be working -- I'm not positive because the attack stopped a couple of hours before I added the blackhole NAT. I have no doubt that they'll be back, however.
There's still a problem. We have two branch offices with XG firewalls that have site-to-site VPN connections back to the head office. I didn't want to blackhole those, so I added their IP addresses in the Exclusion section of the blackhole firewall rule. With the rule active, the site-to-site VPN connections remain active and functional. However, if either of the VPN connections drops for some reason (we have a somewhat flaky network connection), the branch offices can no longer initiate a reconnection. If I initiate the reconnection at the head office, however, the branch offices will reconnect.
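As an added example (not code from this thread or from Sophos), the script below shows how you would triage System log entries of the kind quoted in the question before deciding what to blackhole: it parses the "Failed parsing IKE header from <ip> failed" lines, counts events per source in a sliding window, and flags sources that exceed a rate threshold while skipping an allowlist of known VPN peers, mirroring the branch-office exclusion the last post describes. The log format is taken from the question; the sample lines, addresses (documentation ranges), threshold, window and the allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the Sophos XG System log lines quoted in
# the question. Timestamps and addresses are made up (203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges).
SAMPLE_LOG = """\
2022-01-21 15:02:55 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 15:03:01 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 15:03:08 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 15:03:12 IPSec Failed parsing IKE header from 198.51.100.7 failed
2022-01-21 15:03:17 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 15:03:31 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 15:03:41 IPSec Failed parsing IKE header from 203.0.113.45 failed
2022-01-21 16:10:00 IPSec Failed parsing IKE header from 203.0.113.45 failed
"""

# Matches exactly the message shape shown in the question; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"IPSec Failed parsing IKE header from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) failed$"
)


def parse_ike_failures(text):
    """Yield (timestamp, source_ip) for each IKE-header-parse failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def flag_sources(events, threshold=5, window=timedelta(minutes=1), allowlist=frozenset()):
    """Return {ip: total_count} for sources that produced at least `threshold`
    failures inside any sliding time window of length `window`.

    Peers in `allowlist` (your own site-to-site VPN endpoints, which legitimately
    send IKE traffic) are never flagged, so they are not candidates for a blackhole
    rule even if their retries look noisy during a flaky link.
    """
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        if ip in allowlist:
            continue
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until every event in [start, end] fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    # Hypothetical allowlist of branch-office public IPs (an assumption for the demo).
    known_peers = frozenset({"198.51.100.7"})
    events = list(parse_ike_failures(SAMPLE_LOG))
    for ip, count in flag_sources(events, allowlist=known_peers).items():
        print(f"{ip}: {count} IKE header parse failures, candidate for blackhole rule")
```

The flagged list is what you would feed into the blackhole rule's source list; the allowlist is what belongs in its Exclusion section. Keeping the two separate in the script makes the point that a rate check alone cannot tell a scanner from a branch office retrying after a dropped tunnel, so the exclusions must be maintained explicitly.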