
IPsec connection attempt

Hi to all,

I have a lot of connections attempts for the IPsec service:

Always from the same two or three IPs.

Is there any way to block all for IPsec except the remote IP of the tunnel?

Thanks in advance.

Best regards.



  • Hi BAD,

    Thank you for reaching out to Sophos Community.

    Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue?

    You may set up 1 FW rule to allow traffic that specifies the allowed users, and then create another rule below that rule position to drop the rest from accessing the IPsec tunnel.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Sorry Erick, but I don't understand you.

    I don't have users... this is an S2S IPsec tunnel.

    I have at the top these two rules to permit traffic between the remote net and the local net:

    Thanks.

    Best regards.

  • Hello there,

    To avoid seeing this, you could create a DNAT rule to send this IP to a black hole (a fake internal IP).

    In the Firewall rule change the Source for the IPs you want to drop and select IKE services, as shown in the image above.

    Then, for the NAT Rule, do the same for the Original Source; under DNAT, add a Fake IP.

    After this, connections from these IPs shouldn't appear in the Log Viewer or in the charon.log.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
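Both replies above come down to the same thing: an ordered policy in which the tunnel peer's IKE traffic matches an allow rule first and everything else on the IKE ports falls through to a drop (or, in Emmanuel's variant, a DNAT black hole so it never reaches the IKE daemon or the charon.log). The script below is an added example, not from the thread or from Sophos; it parses constructed log lines in the style of a strongSwan charon.log (the exact field layout, the peer address 203.0.113.10 and the noisy sources are all assumptions), evaluates each IKE packet against an allow-then-drop policy in first-match order, and reports which sources would be refused. That gives you the source list to confirm before you fill in the drop rule or the DNAT rule's Original Source.

```python
"""
Added example (not Sophos code and not from the thread): parse constructed
IKE log lines, evaluate them top-down against an allow-then-drop policy
that mirrors the rule layout suggested in the replies, and report which
source addresses would be refused so they can be confirmed before blocking.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a strongSwan/charon log. The
# field layout is an assumption; adjust LOG_RE to match a real charon.log.
# 203.0.113.10 is the assumed S2S peer; the 198.18.0.x hosts are the
# assumed unwanted initiators.
SAMPLE_LOG = """\
Jan 12 10:00:01 05[NET] <1> received packet: from 203.0.113.10[500] to 198.51.100.1[500] (464 bytes)
Jan 12 10:00:02 07[NET] <2> received packet: from 198.18.0.7[500] to 198.51.100.1[500] (288 bytes)
Jan 12 10:00:03 07[NET] <3> received packet: from 198.18.0.7[4500] to 198.51.100.1[4500] (288 bytes)
Jan 12 10:00:05 09[NET] <4> received packet: from 198.18.0.9[500] to 198.51.100.1[500] (300 bytes)
Jan 12 10:00:09 05[NET] <5> received packet: from 203.0.113.10[4500] to 198.51.100.1[4500] (1024 bytes)
"""

LOG_RE = re.compile(
    r"received packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)

# IKE (UDP 500) and NAT-T (UDP 4500), the two ports the "IKE services" object covers.
IKE_PORTS = {500, 4500}


def parse_ike_events(text):
    """Return a list of (source IP, destination port) for every IKE/NAT-T packet."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in IKE_PORTS:
            events.append((ipaddress.ip_address(m.group("src")), dport))
    return events


def build_policy(tunnel_peers):
    """Ordered policy, first match wins, like the firewall rule table:
    rule 1 allows the listed tunnel peers, rule 2 drops everyone else."""
    return [
        ("allow", [ipaddress.ip_network(p) for p in tunnel_peers]),
        ("drop", [ipaddress.ip_network("0.0.0.0/0")]),
    ]


def evaluate(events, policy):
    """Count source IPs per action, evaluating the policy top-down per packet."""
    result = {"allow": Counter(), "drop": Counter()}
    for src, _dport in events:
        for action, nets in policy:
            if any(src in n for n in nets):
                result[action][str(src)] += 1
                break  # first match wins; later rules are not consulted
    return result


def refused_sources(text, tunnel_peers):
    """Source IPs that would hit the drop rule, most frequent first."""
    verdicts = evaluate(parse_ike_events(text), build_policy(tunnel_peers))
    return verdicts["drop"].most_common()


if __name__ == "__main__":
    for ip, n in refused_sources(SAMPLE_LOG, ["203.0.113.10/32"]):
        print(f"{ip}: {n} IKE attempt(s) would be dropped")
```

Run it against a real charon.log export after adjusting `LOG_RE` and the peer list; the sources it prints are exactly the ones the second (drop) rule will catch, so the allow rule for the real peer must sit above it, as both replies describe.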