
DNAT and IP-Filter do not block traffic

Hi there,

Today I really had to block traffic coming from a specific IP going to my UTM 9.705-3, trying massive IPsec logins.

Adding a firewall rule at #1 position did not work so I added a DNAT-rule to NAT all traffic coming from this IP going to my UTM to 240.x.x.x. and placed it on top of all NAT-rules.

But my IPSEC-log shows me that I am still flooded by this IP.

How can I protect my network when everything is passing my rules?

Thank you -

Chris

PS: 

And: why does an "iptables -L | grep IP-address" not show my filter rule?



  • OK, Chris, let's look at the Edits of the IPsec Connection and Remote Gateway with 'Advanced' open.

    I've never seen Alice in an IPsec log - what is the other endpoint?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks 

    but I don't think that these packets have anything to do with our site-to-site connections (although some are running fine on the same gateway); that's why the answer to your question is not so relevant, I guess. The site-to-site sessions do look very clear.

    These requests are going to the endpoint for our roadwarriors, either plain IPSEC or L2TP.

    That's why I cannot block them all, because I could never know where my roadwarriors come from.
    Now I killed again 5 of these connections - and for 10 min everything is quiet... as it was in former times most of the days...

    Cheers, Chris

  • And one update:

    I can really confirm that I do DNAT the right way, because when I add an IP to the DNAT list to 240.0.0.1 and immediately kill it via conntrack, the last lines look like this:

    udp      17 27 src=5.101.38.130 dst=x.x.x.x sport=19545 dport=500 packets=1 bytes=45 [UNREPLIED] src=240.0.0.1 dst=5.101.38.130 sport=500 dport=19545 packets=0 bytes=0 mark=1572864 delta-time=2 use=1

    conntrack v1.4.2 (conntrack-tools): 71 flow entries have been deleted.

  • What does Sophos Support say about this, Chris?

    Do you have the same problem if you use X509 certs instead of preshared keys?

    Instead of IPsec or IPsec/L2TP, I've been configuring SSL VPN Remote Access on UDP 443 or 1443.  The OpenVPN clients work well where the Sophos Client can't work.

    In any case, this isn't a fun or interesting battle for you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have the same question. Need to block a full /24 Brazil network that is spamming our SG IPsec interface. DNAT and FW rules do not apply to this traffic.

    UTM should automatically block hosts that have more than a defined number of bad requests per minute.

    2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.162:20640: not enough room in input packet for ISAKMP Message
    2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.162:20640: sending notification PAYLOAD_MALFORMED to 45.5.38.162:20640
    2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.199:39527: not enough room in input packet for ISAKMP Message
    2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.199:39527: sending notification PAYLOAD_MALFORMED to 45.5.38.199:39527
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.190:23302: not enough room in input packet for ISAKMP Message
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.190:23302: sending notification PAYLOAD_MALFORMED to 45.5.38.190:23302
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.214:20903: not enough room in input packet for ISAKMP Message
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.214:20903: sending notification PAYLOAD_MALFORMED to 45.5.38.214:20903
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.176:48768: not enough room in input packet for ISAKMP Message
    2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.176:48768: sending notification PAYLOAD_MALFORMED to 45.5.38.176:48768
    2021:03:11-15:26:01 fw-320-1 pluto[7019]: packet from 45.5.38.205:20741: not enough room in input packet for ISAKMP Message
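
The "block hosts with more than N bad requests per minute" rule LHerzog asks for can at least be approximated on the UTM shell by counting the pluto PAYLOAD_MALFORMED notifications per source /24 and minute. The script below is an added example, not part of this thread and not a Sophos feature; it assumes POSIX sh with awk (present on the UTM) and log lines in the format quoted in the posts above. The sample log is a copy of the lines from this thread, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): rank source /24 networks by the number of
# PAYLOAD_MALFORMED notifications pluto sent per minute, so a flooding range
# shows up as a candidate for a DNAT/blackhole rule.
# Assumes POSIX sh + awk and the pluto log format quoted in the thread.

# Constructed sample: the pluto lines posted by LHerzog and Chris.
sample_log() {
    cat <<'EOF'
2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.162:20640: not enough room in input packet for ISAKMP Message
2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.162:20640: sending notification PAYLOAD_MALFORMED to 45.5.38.162:20640
2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.199:39527: not enough room in input packet for ISAKMP Message
2021:03:11-15:25:59 fw-320-1 pluto[7019]: packet from 45.5.38.199:39527: sending notification PAYLOAD_MALFORMED to 45.5.38.199:39527
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.190:23302: not enough room in input packet for ISAKMP Message
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.190:23302: sending notification PAYLOAD_MALFORMED to 45.5.38.190:23302
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.214:20903: not enough room in input packet for ISAKMP Message
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.214:20903: sending notification PAYLOAD_MALFORMED to 45.5.38.214:20903
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.176:48768: not enough room in input packet for ISAKMP Message
2021:03:11-15:26:00 fw-320-1 pluto[7019]: packet from 45.5.38.176:48768: sending notification PAYLOAD_MALFORMED to 45.5.38.176:48768
2021:03:11-15:26:01 fw-320-1 pluto[7019]: packet from 45.5.38.205:20741: not enough room in input packet for ISAKMP Message
2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: not enough room in input packet for ISAKMP Message
2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: sending notification PAYLOAD_MALFORMED to 74.57.197.252:80
2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: not enough room in input packet for ISAKMP Message
2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: sending notification PAYLOAD_MALFORMED to 74.57.197.252:80
EOF
}

# Read pluto log lines on stdin; print "YYYY:MM:DD-HH:MM a.b.c.0/24 count"
# for every (minute, source /24) bucket with at least $1 malformed packets.
malformed_per_net() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        /sending notification PAYLOAD_MALFORMED/ {
            minute = substr($1, 1, 16)     # "2021:03:11-15:25" (drop seconds)
            split($6, hp, ":")             # "45.5.38.162:20640:" -> host, port
            split(hp[1], o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            count[minute " " net]++
        }
        END { for (k in count) if (count[k] >= thr) print k, count[k] }
    ' | sort
}
```

On a live box you would feed the real log instead of the sample, e.g. `tail -f` of the IPsec log piped into `malformed_per_net 20`; the output names the /24 and minute so you can decide whether a DNAT-to-240.0.0.1 rule for that range is justified.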
  • Hi LHerzog

    You have to create a DNAT rule AND kill the connections at the firewall console (SSH) with e.g. "conntrack -D -s 45.5.38.176".
    Also, you need to do this for each IP address in that /24 network; I normally use Excel to generate an IP list from 45.5.38.1 - 45.5.38.255 and then paste the lines to the CLI.

    Regards,

    Michael
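
The Excel step Michael describes (one `conntrack -D -s` line per address of the /24) can be replaced by a short loop on the UTM shell. This is an added example, not code from this thread or from Sophos; it assumes POSIX sh and the `conntrack` binary from conntrack-tools, which the posts above show is present on the UTM. The second argument `dry` only prints the commands, so the address enumeration can be checked before anything is deleted.

```shell
#!/bin/sh
# Added example (not from the thread): flush conntrack entries for every source
# address in a /24 after the DNAT rule is in place, so existing flows do not
# survive the rule change. Assumes POSIX sh and conntrack-tools on the UTM.

# Print every host address of a /24 given its first three octets, e.g. "45.5.38".
gen_ips() {
    prefix="$1"
    i=1
    while [ "$i" -le 255 ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# flush_conntrack_net PREFIX [dry]
# Runs "conntrack -D -s <ip>" for each address of PREFIX.0/24. With "dry" as the
# second argument the commands are printed instead of executed.
flush_conntrack_net() {
    prefix="$1"
    mode="${2:-run}"
    for ip in $(gen_ips "$prefix"); do
        if [ "$mode" = "dry" ]; then
            echo "conntrack -D -s $ip"
        else
            # conntrack returns non-zero when no entry matched; that is not an error here.
            conntrack -D -s "$ip" 2>/dev/null || true
        fi
    done
}
```

Usage on the UTM, as root: `flush_conntrack_net 45.5.38` once the DNAT rule for 45.5.38.0/24 is active; run `flush_conntrack_net 45.5.38 dry` first to review the 255 commands.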

  • Hi Michael,

    but I will only kill existing connections with conntrack, right? So no way to keep them out permanently?

  • You will kill only existing Connections, but the DNAT rule will prevent new Connections.

  • Hi LHerzog,

    If you cannot switch on country blocking you have to create a DNAT-rule for IPs / IP-Range that do penetrate your gateway.

    After that you can kill them with conntrack and they are blocked.

    But meanwhile we have a second customer with a UTM being flooded with probes on port 500, and we are still targeted, too.

    As said: "this isn't a fun or interesting battle".

    But during that hafnium armageddon I have no time to change auth methods for all users in their home offices...

    Cheers - Chris

  • And what would be the solution Sophos suggests in case you are really - I mean really - flooded with many of those packets?

    Why is SG even answering to bad requests with IPSec notification replies?

    2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: not enough room in input packet for ISAKMP Message
    2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: sending notification PAYLOAD_MALFORMED to 74.57.197.252:80
    2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: not enough room in input packet for ISAKMP Message
    2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: sending notification PAYLOAD_MALFORMED to 74.57.197.252:80
    2021:03:11-18:20:46 fw-320-1 pluto[7019]: packet from 74.57.197.252:80: not enough room in input packet for ISAKMP Message

    Now even Microsoft IPs are causing these logs - using ports known from VoIP or video conferencing.
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: sending notification PAYLOAD_MALFORMED to 52.113.53.8:3480
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: not enough room in input packet for ISAKMP Message
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: sending notification PAYLOAD_MALFORMED to 52.113.53.8:3480
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: not enough room in input packet for ISAKMP Message
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: sending notification PAYLOAD_MALFORMED to 52.113.53.8:3480
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: not enough room in input packet for ISAKMP Message
    2021:03:11-18:37:57 fw-320-1 pluto[7019]: packet from 52.113.53.8:3480: sending notification PAYLOAD_MALFORMED to 52.113.53.8:3480