Man in the Middle??



  • OK, so I'm setting up a site-to-site VPN between my office, and an ISP's network containing some servers of ours.  I was given the info from the ISP for this connection, and so I did my best to translate the Cisco settings to the pfsense settings.  I've been going through the forums, and everywhere else online that I can think of for this error:

    Error: exchange Identity Protection not allowed in any applicable rmconf
    

    And while I've found several people who've asked a similar question on here, such as http://forum.pfsense.org/index.php?topic=39044.0, and http://forum.pfsense.org/index.php?topic=38025.0, I haven't been able to solve my issue.  From the forums, I've been able to infer that it's likely a problem with my phase 1 settings, in particular with a mismatch on main/aggressive mode.  But I've tried both, with no success.  The logs don't appear to change between the two modes.

    However, I discovered something really strange, and possibly disconcerting.  My office WAN IP is registered as 71.14.x.x, and my ISP's side is registered as 216.24.x.x, however, this log is what I get below:

    Apr 11 12:39:32 10.xxx.xxx.xxx racoon: DEBUG: ===
    Apr 11 12:39:32 10.xxx.xxx.xxx racoon: DEBUG: 204 bytes message received from 174.46.126.xxx[500] to 71.14.xxx.xxx[500]
    Apr 11 12:39:32 10.xxx.xxx.xxx racoon: DEBUG:  c6f959ab 5f27ef97 00000000 00000000 01100200 00000000 000000cc 0d000060 00000001 00000001 00000054 01010002 03000028 01010000 80010007 800e0080 80020002 80040002 80030001 800b0001 000c0004 00015180 00000024 02010000 80010007 800e0080 80020001 80040001 80030001 800b0001 800c7080 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
    Apr 11 12:39:32 10.xxx.xxx.xxx racoon: [174.46.126.xxx] ERROR: exchange Identity Protection not allowed in any applicable rmconf.

    Who in the heck is 174.46.126.xxx?  I checked with our ISP, and they say it's not theirs.  I did a traceroute, and it doesn't show up in there either.  A geolocate of the IP address shows it's in Birmingham, AL, when I & my ISP are in Atlanta, GA.  I can't see how this IP address is responding to us.  Any ideas?


  • I still don't know about the random IP from elsewhere, but I ended up getting the IPSec connection itself fixed; a setting on the ISP's end seemed to not be in order.



  • I would bet the mysterious traffic (Phase 1 negotiation attempt) from 174.46.126.xxx was probably a 'brute force' or 'fingerprinting' hack attempt.  I regularly see these hack attempts on the various VPN endpoints that I oversee.

    Without a robust Network Intrusion Prevention System, there is really no way to stop these attempts other than creating additional firewall rules.  For example, you could create a catch-all 'Block' rule on the WAN interface that would keep the ISAKMP protocol from arriving from the public Internet.  You could then create an 'Allow' rule for all remote VPN peers, and prioritize this Allow rule above the Block rule.  Of course, this would only be a viable solution for site-to-site VPNs.  It would not work for client VPNs because you never know what IP addresses your clients will be coming from (assuming a typical, uncontrollable workforce).

    There are IPsec cracking tools and penetration testers out there, but I believe nothing is really cost-effective against a Main Mode IPsec configuration with strong encryption and keys (passwords)…other than creating a Denial of Service (DoS) condition.  An Aggressive Mode configuration is what the black hats are usually attacking.


  • Rebel Alliance Developer Netgate

    Not that it's directly relevant to what was happening here, but in 2.1 we also support Base mode, which is a hybrid of Main and Aggressive that supports the flexible identity options of Aggressive but with the Security of base.

    Also on pfSense, for site to site tunnels, we add firewall rules to only pass udp/500 and ESP from the configured endpoint IP. Unless you added your own separate rules for that (and disabled the auto-added VPN rules), it wouldn't let that through unless you also had mobile IPsec configured.



  • I see it here all the time:

    I'd only get worried if my user password was user1/password1 or some other simple thing and my shared secret was "shared".
    As long as it's saying "exchange Identity Protection not allowed in any applicable rmconf" I'm not worried.
    I'll get worried when it's not throwing that error :o
    (It would be nice to get some fail2ban like functionality in pfsense for IPsec, SSH, Openvpn and all the other places guys like my little friend from Amsterdam here will try to get into.)

    Jul 23 03:28:45 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:45 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:49 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:49 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:50 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:50 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:51 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:51 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:54 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:54 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:57 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:57 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:58 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:58 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:59 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:59 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:02 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:02 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:05 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:05 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:08 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:08 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:11 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:11 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:14 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:14 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:17 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:17 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:20 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:20 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:23 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:23 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:26 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:26 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:29 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:29 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:32 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:32 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:35 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:35 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:38 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:38 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:41 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:41 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
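The two ideas above (only accept ISAKMP from configured peers, and fail2ban-like handling of repeated Phase 1 failures) can be combined into a log check like the following. This is an added example, not code from the thread or from pfSense: it parses racoon ERROR lines in the format quoted in this thread, ignores peers that are configured endpoints (216.24.0.1 is an assumed address standing in for the ISP side, and 2013 is an assumed year since syslog lines carry none), and reports unknown sources that exceed a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime
# racoon ERROR lines from the thread: optional hostname; peer is a "[ip]" prefix or "from ip[port]"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?racoon: "
                     r"(?:\[(?P<peer>[\d.]+)\] )?ERROR: (?P<msg>.*)$")
FROM_RE = re.compile(r"from (?P<peer>[\d.]+)\[\d+\]")

def parse_line(line, year=2013):
    """Return (timestamp, peer_ip, message) for a racoon ERROR line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = FROM_RE.search(m.group("msg"))
    peer = m.group("peer") or (f.group("peer") if f else None)
    if peer is None:
        return None
    # syslog lines carry no year, so an assumed one is prepended for strptime
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, peer, m.group("msg")

def offending_peers(lines, configured_peers, max_errors=3, window_s=60):
    """Fail2ban-style check: {peer: total errors} for peers that are not a
    configured endpoint and exceed max_errors failures in any window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] not in configured_peers:  # known peer failing = config issue
            events[parsed[1]].append(parsed[0])
    flagged = {}
    for peer, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_errors:
                flagged[peer] = len(times)
                break
    return flagged
# Constructed sample modelled on the thread's lines; 216.24.0.1 is an assumed endpoint.
SAMPLE_LOG = [
    "Apr 11 12:39:32 10.0.0.1 racoon: [216.24.0.1] ERROR: exchange Identity Protection not allowed in any applicable rmconf.",
    "Jul 23 03:28:45 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.",
    "Jul 23 03:28:45 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].",
    "Jul 23 03:28:49 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.",
    "Jul 23 03:28:49 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].",
]
CONFIGURED_PEERS = {"216.24.0.1"}
```

Running `offending_peers(SAMPLE_LOG, CONFIGURED_PEERS)` reports only the unknown prober; the configured endpoint's single failure is left for the usual Phase 1 troubleshooting rather than treated as an attack.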