VPN Probe?
-
I noticed something in the IPsec log today. I'm definitely no VPN expert but the connection string and response looked different from other attempts I've seen. A research pen test from UCSD? "looking for peer configs matching 72.xxx.xxx.xxx[%any]...169.228.66.212[research-scan@sysnet.ucsd.edu]"
The connection timed out after 30 seconds but I don't know enough about the connection sequence to tell how far they got. Is this anything to be concerned about?
May 12 18:51:11 charon 64676 13[NET] <232> received packet: from 169.228.66.212[56398] to 72.xxx.xxx.xxx[500] (796 bytes)
May 12 18:51:11 charon 64676 13[ENC] <232> parsed IKE_SA_INIT request 0 [ SA KE No ]
May 12 18:51:11 charon 64676 13[CFG] <232> looking for an IKEv2 config for 72.xxx.xxx.xxx...169.228.66.212
May 12 18:51:11 charon 64676 13[CFG] <232> candidate: 72.xxx.xxx.xxx...0.0.0.0/0, ::/0, prio 1052
May 12 18:51:11 charon 64676 13[CFG] <232> found matching ike config: 72.xxx.xxx.xxx...0.0.0.0/0, ::/0 with prio 1052
May 12 18:51:11 charon 64676 13[IKE] <232> local endpoint changed from 0.0.0.0[500] to 72.xxx.xxx.xxx[500]
May 12 18:51:11 charon 64676 13[IKE] <232> remote endpoint changed from 0.0.0.0 to 169.228.66.212[56398]
May 12 18:51:11 charon 64676 13[IKE] <232> 169.228.66.212 is initiating an IKE_SA
May 12 18:51:11 charon 64676 13[IKE] <232> IKE_SA (unnamed)[232] state change: CREATED => CONNECTING
May 12 18:51:11 charon 64676 13[CFG] <232> selecting proposal:
May 12 18:51:11 charon 64676 13[CFG] <232> no acceptable ENCRYPTION_ALGORITHM found
May 12 18:51:11 charon 64676 13[CFG] <232> selecting proposal:
May 12 18:51:11 charon 64676 13[CFG] <232> no acceptable ENCRYPTION_ALGORITHM found
May 12 18:51:11 charon 64676 13[CFG] <232> selecting proposal:
May 12 18:51:11 charon 64676 13[CFG] <232> proposal matches
May 12 18:51:11 charon 64676 13[CFG] <232> received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/HMAC_MD5_128/HMAC_SHA1_96/HMAC_SHA1_160/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/ECP_384/ECP_521/MODP_768/MODP_1536/MODP_3072/MODP_4096/MODP_1024/MODP_2048/ECP_256
May 12 18:51:11 charon 64676 13[CFG] <232> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 12 18:51:11 charon 64676 13[CFG] <232> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
May 12 18:51:11 charon 64676 13[IKE] <232> sending cert request for "CN=mobile-ipsec-ca"
May 12 18:51:11 charon 64676 13[ENC] <232> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
May 12 18:51:11 charon 64676 13[NET] <232> sending packet: from 72.xxx.xxx.xxx[500] to 169.228.66.212[56398] (673 bytes)
May 12 18:51:11 charon 64676 13[NET] <232> received packet: from 169.228.66.212[56398] to 72.xxx.xxx.xxx[500] (432 bytes)
May 12 18:51:11 charon 64676 13[ENC] <232> parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
May 12 18:51:11 charon 64676 13[IKE] <232> received cert request for unknown ca with keyid 8a:93:82:f4:c8:04:08:34:5e:5b:c2:f8:d7:55:d3:c2:e7:62:48:cf
May 12 18:51:11 charon 64676 13[IKE] <232> received 1 cert requests for an unknown ca
May 12 18:51:11 charon 64676 13[CFG] <232> looking for peer configs matching 72.xxx.xxx.xxx[%any]...169.228.66.212[research-scan@sysnet.ucsd.edu]
May 12 18:51:11 charon 64676 13[CFG] <232> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
May 12 18:51:11 charon 64676 13[CFG] <con-mobile|232> selected peer config 'con-mobile'
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> initiating EAP_IDENTITY method (id 0x00)
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> authentication of '72.xxx.xxx.xxx' (myself) with RSA signature successful
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> sending end entity cert "CN=72.xxx.xxx.xxx"
May 12 18:51:11 charon 64676 13[ENC] <con-mobile|232> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 12 18:51:11 charon 64676 13[NET] <con-mobile|232> sending packet: from 72.xxx.xxx.xxx[500] to 169.228.66.212[56398] (1328 bytes)
May 12 18:51:41 charon 64676 13[JOB] <con-mobile|232> deleting half open IKE_SA with 169.228.66.212 after timeout
May 12 18:51:41 charon 64676 13[IKE] <con-mobile|232> IKE_SA con-mobile[232] state change: CONNECTING => DESTROYING
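The question in the post is "how far did they get". As an added example that is not part of the post, the Python script below reconstructs each IKE_SA's lifecycle from strongSwan charon log lines like the ones quoted: which exchanges the peer completed (IKE_SA_INIT, IKE_AUTH), the identity it claimed, the proposal the responder accepted, whether the responder proved its own identity (sent AUTH and its certificate), whether the peer ever did, and whether the SA died as a half-open timeout. It assumes the charon line layout shown in the log (`<Mon> <day> <time> charon <pid> <thread>[<subsystem>] <[config|]sa-id> <message>`); the sample input is a subset of the post's own lines, and the verdict strings are this example's wording, not anything strongSwan emits.

```python
"""Reconstruct IKEv2 sessions from strongSwan charon log lines and say how far each peer got."""
import re
from dataclasses import dataclass, field

# Sample input: a subset of the charon lines quoted in the post (all belong to IKE_SA 232).
SAMPLE_LOG = """\
May 12 18:51:11 charon 64676 13[NET] <232> received packet: from 169.228.66.212[56398] to 72.xxx.xxx.xxx[500] (796 bytes)
May 12 18:51:11 charon 64676 13[ENC] <232> parsed IKE_SA_INIT request 0 [ SA KE No ]
May 12 18:51:11 charon 64676 13[IKE] <232> IKE_SA (unnamed)[232] state change: CREATED => CONNECTING
May 12 18:51:11 charon 64676 13[CFG] <232> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
May 12 18:51:11 charon 64676 13[ENC] <232> parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
May 12 18:51:11 charon 64676 13[CFG] <232> looking for peer configs matching 72.xxx.xxx.xxx[%any]...169.228.66.212[research-scan@sysnet.ucsd.edu]
May 12 18:51:11 charon 64676 13[CFG] <con-mobile|232> selected peer config 'con-mobile'
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> initiating EAP_IDENTITY method (id 0x00)
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> authentication of '72.xxx.xxx.xxx' (myself) with RSA signature successful
May 12 18:51:11 charon 64676 13[IKE] <con-mobile|232> sending end entity cert "CN=72.xxx.xxx.xxx"
May 12 18:51:41 charon 64676 13[JOB] <con-mobile|232> deleting half open IKE_SA with 169.228.66.212 after timeout
May 12 18:51:41 charon 64676 13[IKE] <con-mobile|232> IKE_SA con-mobile[232] state change: CONNECTING => DESTROYING
"""

# One charon line: "<Mon> <day> <time> charon <pid> <thread>[<subsystem>] <[config|]sa-id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+ +\d+\[(?P<sub>[A-Z]+)\] "
    r"<(?:(?P<cfg>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
# "looking for peer configs matching <me>[<my-id>]...<peer-ip>[<peer-id>]"
PEER_RE = re.compile(r"looking for peer configs matching \S+?\.\.\.(?P<ip>[^\[\s]+)\[(?P<id>[^\]]*)\]")


@dataclass
class IkeSession:
    sa_id: str
    config: str = ""                   # peer config chosen by charon, if any
    peer_ip: str = ""
    peer_identity: str = ""            # IDi the peer claimed (unverified until authenticated)
    proposal: str = ""                 # IKE proposal the responder accepted
    exchanges: list = field(default_factory=list)  # request types seen, in order
    states: list = field(default_factory=list)     # state-change targets, in order
    eap_started: bool = False
    self_authenticated: bool = False   # we proved our identity (sent AUTH and our cert)
    peer_authenticated: bool = False   # the peer proved its identity
    half_open_timeout: bool = False


def parse_sessions(log_text: str) -> dict:
    """Group charon lines by IKE_SA id and extract the lifecycle facts of each."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line; ignore
        s = sessions.setdefault(m["sa"], IkeSession(sa_id=m["sa"]))
        if m["cfg"]:
            s.config = m["cfg"]
        msg = m["msg"]
        if (p := re.match(r"received packet: from ([^\[\s]+)\[\d+\]", msg)):
            s.peer_ip = p.group(1)
        elif (p := re.match(r"parsed (\w+) request", msg)):  # we are the responder
            if p.group(1) not in s.exchanges:
                s.exchanges.append(p.group(1))
        elif (p := re.match(r"selected proposal: (.+)", msg)):
            s.proposal = p.group(1)
        elif (p := PEER_RE.match(msg)):
            s.peer_ip, s.peer_identity = p["ip"], p["id"]
        elif msg.startswith("initiating EAP_"):
            s.eap_started = True
        elif (p := re.match(r"authentication of '[^']+'( \(myself\))? with .+ successful", msg)):
            if p.group(1):
                s.self_authenticated = True
            else:
                s.peer_authenticated = True
        elif "deleting half open IKE_SA" in msg and msg.endswith("after timeout"):
            s.half_open_timeout = True
        elif (p := re.search(r"state change: \w+ => (\w+)", msg)):
            s.states.append(p.group(1))
    return sessions


def classify(s: IkeSession) -> str:
    """Triage verdict: how far the peer got and what it could have learned."""
    if s.peer_authenticated:
        return "peer authenticated: completed IKEv2 session"
    if s.half_open_timeout and "IKE_AUTH" in s.exchanges:
        return ("half-open timeout after IKE_AUTH: peer received the selected proposal and our "
                "server certificate, presented an identity, and never completed authentication; "
                "no peer credential was verified")
    if s.half_open_timeout:
        return "half-open timeout after IKE_SA_INIT: only the proposal negotiation was reached"
    return "open or closed without timeout"


def triage(log_text: str) -> dict:
    """Map each IKE_SA id to (peer ip, claimed identity, verdict) for review or a SIEM feed."""
    return {sa: (s.peer_ip, s.peer_identity, classify(s))
            for sa, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for sa, (ip, ident, verdict) in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa} from {ip} [{ident}]: {verdict}")
```

Run against the post's lines, SA 232 comes out as: IKE_SA_INIT completed, IKE_AUTH request received with IDi `research-scan@sysnet.ucsd.edu`, the responder authenticated itself and sent its certificate plus an EAP identity request, the peer never replied, and the half-open SA was deleted 30 seconds later. Everything the peer obtained (the accepted proposal and the server certificate) is handed to any IKEv2 client before it authenticates, and no peer credential was tested. Feeding the whole `charon` log through `triage` surfaces the sessions worth a closer look: repeated half-open timeouts from one source, or any session where `peer_authenticated` is true for an identity you do not recognise.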