Netgate Discussion Forum

    VPN Probe?

      terryzb

      I noticed something in the IPsec log today. I'm definitely no VPN expert but the connection string and response looked different from other attempts I've seen. A research pen test from UCSD? "looking for peer configs matching 72.xxx.xxx.xxx[%any]...169.228.66.212[research-scan@sysnet.ucsd.edu]"

      The connection timed out after 30 seconds but I don't know enough about the connection sequence to tell how far they got. Is this anything to be concerned about?

      May 12 18:51:11	charon	64676	13[NET] <232> received packet: from 169.228.66.212[56398] to 72.xxx.xxx.xxx[500] (796 bytes)
      May 12 18:51:11	charon	64676	13[ENC] <232> parsed IKE_SA_INIT request 0 [ SA KE No ]
      May 12 18:51:11	charon	64676	13[CFG] <232> looking for an IKEv2 config for 72.xxx.xxx.xxx...169.228.66.212
      May 12 18:51:11	charon	64676	13[CFG] <232> candidate: 72.xxx.xxx.xxx...0.0.0.0/0, ::/0, prio 1052
      May 12 18:51:11	charon	64676	13[CFG] <232> found matching ike config: 72.xxx.xxx.xxx...0.0.0.0/0, ::/0 with prio 1052
      May 12 18:51:11	charon	64676	13[IKE] <232> local endpoint changed from 0.0.0.0[500] to 72.xxx.xxx.xxx[500]
      May 12 18:51:11	charon	64676	13[IKE] <232> remote endpoint changed from 0.0.0.0 to 169.228.66.212[56398]
      May 12 18:51:11	charon	64676	13[IKE] <232> 169.228.66.212 is initiating an IKE_SA
      May 12 18:51:11	charon	64676	13[IKE] <232> IKE_SA (unnamed)[232] state change: CREATED => CONNECTING
      May 12 18:51:11	charon	64676	13[CFG] <232> selecting proposal:
      May 12 18:51:11	charon	64676	13[CFG] <232> no acceptable ENCRYPTION_ALGORITHM found
      May 12 18:51:11	charon	64676	13[CFG] <232> selecting proposal:
      May 12 18:51:11	charon	64676	13[CFG] <232> no acceptable ENCRYPTION_ALGORITHM found
      May 12 18:51:11	charon	64676	13[CFG] <232> selecting proposal:
      May 12 18:51:11	charon	64676	13[CFG] <232> proposal matches
      May 12 18:51:11	charon	64676	13[CFG] <232> received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/HMAC_MD5_128/HMAC_SHA1_96/HMAC_SHA1_160/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/ECP_384/ECP_521/MODP_768/MODP_1536/MODP_3072/MODP_4096/MODP_1024/MODP_2048/ECP_256
      May 12 18:51:11	charon	64676	13[CFG] <232> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      May 12 18:51:11	charon	64676	13[CFG] <232> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
      May 12 18:51:11	charon	64676	13[IKE] <232> sending cert request for "CN=mobile-ipsec-ca"
      May 12 18:51:11	charon	64676	13[ENC] <232> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
      May 12 18:51:11	charon	64676	13[NET] <232> sending packet: from 72.xxx.xxx.xxx[500] to 169.228.66.212[56398] (673 bytes)
      May 12 18:51:11	charon	64676	13[NET] <232> received packet: from 169.228.66.212[56398] to 72.xxx.xxx.xxx[500] (432 bytes)
      May 12 18:51:11	charon	64676	13[ENC] <232> parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
      May 12 18:51:11	charon	64676	13[IKE] <232> received cert request for unknown ca with keyid 8a:93:82:f4:c8:04:08:34:5e:5b:c2:f8:d7:55:d3:c2:e7:62:48:cf
      May 12 18:51:11	charon	64676	13[IKE] <232> received 1 cert requests for an unknown ca
      May 12 18:51:11	charon	64676	13[CFG] <232> looking for peer configs matching 72.xxx.xxx.xxx[%any]...169.228.66.212[research-scan@sysnet.ucsd.edu]
      May 12 18:51:11	charon	64676	13[CFG] <232> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
      May 12 18:51:11	charon	64676	13[CFG] <con-mobile|232> selected peer config 'con-mobile'
      May 12 18:51:11	charon	64676	13[IKE] <con-mobile|232> initiating EAP_IDENTITY method (id 0x00)
      May 12 18:51:11	charon	64676	13[IKE] <con-mobile|232> authentication of '72.xxx.xxx.xxx' (myself) with RSA signature successful
      May 12 18:51:11	charon	64676	13[IKE] <con-mobile|232> sending end entity cert "CN=72.xxx.xxx.xxx"
      May 12 18:51:11	charon	64676	13[ENC] <con-mobile|232> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
      May 12 18:51:11	charon	64676	13[NET] <con-mobile|232> sending packet: from 72.xxx.xxx.xxx[500] to 169.228.66.212[56398] (1328 bytes)
      May 12 18:51:41	charon	64676	13[JOB] <con-mobile|232> deleting half open IKE_SA with 169.228.66.212 after timeout
      May 12 18:51:41	charon	64676	13[IKE] <con-mobile|232> IKE_SA con-mobile[232] state change: CONNECTING => DESTROYING
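
An added example (not part of the original post, and not Netgate or strongSwan code): a small Python parser that reads charon lines in the format shown above and reports, per IKE_SA, the furthest responder-side milestone reached and whether the SA was ever established. The sample log is constructed with documentation addresses, and `summarize` and the stage labels are names chosen for this example.

```python
import re

# pfSense-style charon line: "<time> charon <pid> <thread>[<GRP>] <[conn|]sa_id> <message>"
LINE = re.compile(r"charon\s+\d+\s+\d+\[\w+\] <(?:[^|>]+\|)?(\d+)> (.*)")
# Captures the remote address and the identity (IDi) the initiator claimed.
PEER_ID = re.compile(r"looking for peer configs matching \S+\.\.\.(\S+)\[([^\]]+)\]")
# Responder-side milestones in order; the labels are this example's own wording.
STAGES = [
    ("parsed IKE_SA_INIT request", "IKE_SA_INIT received"),
    ("generating IKE_SA_INIT response", "IKE_SA_INIT answered"),
    ("parsed IKE_AUTH request", "IKE_AUTH received"),
    ("initiating EAP_IDENTITY", "EAP identity requested"),
    ("=> ESTABLISHED", "IKE_SA established"),
]

def summarize(log_text):
    """Return {sa_id: summary} describing how far each IKE_SA progressed."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a charon line in the expected layout
        sa_id, msg = m.groups()
        sa = sas.setdefault(sa_id, {"stage": 0, "peer": None, "claimed_id": None, "timed_out": False})
        for rank, (needle, _label) in enumerate(STAGES, start=1):
            if needle in msg:
                sa["stage"] = max(sa["stage"], rank)
        pm = PEER_ID.search(msg)
        if pm:
            sa["peer"], sa["claimed_id"] = pm.groups()
        if "deleting half open IKE_SA" in msg:
            sa["timed_out"] = True
    for sa in sas.values():
        sa["furthest"] = STAGES[sa["stage"] - 1][1] if sa["stage"] else "none"
        sa["authenticated"] = sa["stage"] == len(STAGES)
    return sas

# Constructed sample (RFC 5737 documentation addresses), not the log from the post.
SAMPLE = """\
May 12 18:51:11 charon 64676 13[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No ]
May 12 18:51:11 charon 64676 13[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
May 12 18:51:11 charon 64676 13[ENC] <7> parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
May 12 18:51:11 charon 64676 13[CFG] <7> looking for peer configs matching 203.0.113.10[%any]...198.51.100.7[probe@example.org]
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|7> initiating EAP_IDENTITY method (id 0x00)
May 12 18:51:41 charon 64676 13[JOB] <con-mobile|7> deleting half open IKE_SA with 198.51.100.7 after timeout
May 12 19:02:03 charon 64676 09[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No ]
May 12 19:02:04 charon 64676 09[IKE] <con-mobile|8> IKE_SA con-mobile[8] state change: CONNECTING => ESTABLISHED
"""
print(summarize(SAMPLE))
```

An SA that stops at "EAP identity requested" with `timed_out` set means the gateway answered and asked for an EAP identity, but the initiator never replied and no SA was established.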
      
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.