Strange IPSEC traffic

Mike Lewinski mlewinski at massivenetworks.com
Mon Nov 13 18:20:24 UTC 2023


I can confirm we started seeing this on Nov 9th at 19:10 UTC across all markets from a variety of sources.

If you want to filter it with ingress ACLs, they need to include the subnet base and broadcast addresses in addition to the interface address, so a router at 192.168.1.1/30 with a customer potentially running IPSEC at 192.168.1.2 would require all this to silence the log messages:

access-list 100 deny esp any host 192.168.1.0
access-list 100 deny esp any host 192.168.1.1
access-list 100 deny esp any host 192.168.1.3
access-list 100 permit ip any any

I started with an ACL only on the interface address and then noticed I was still getting logs on base/broadcast addresses.

Could be recon for the IKEv2 vulnerability in this:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication

Or a zero day. Even though the devices they are hitting are not configured for IPSEC, we are filtering it anyway (and for good measure "no crypto isakmp enable").


Mike
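The ACL construction described in the post, as an added example that is not part of the original message: given a router interface address in CIDR form, it computes the subnet base, interface and broadcast addresses that deny-ESP entries must cover, renders the IOS ACL lines, and checks which destinations the resulting ACL would silence. The function names and the optional ACL number are assumptions for the example.

```python
# Added example (not from the original post): generate the ingress ACL
# entries the post describes for a router interface, covering the subnet
# base and broadcast addresses as well as the interface address itself.
import ipaddress


def esp_deny_targets(interface_cidr: str) -> list[str]:
    """Return the destination addresses an ingress ACL must deny ESP to
    in order to silence the log messages for one router interface.

    For a /30 this is the network address, the interface address and the
    broadcast address, in ascending order. Duplicates are removed so a
    /31 or /32 (no distinct base/broadcast) yields fewer entries.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    targets = {net.network_address, iface.ip, net.broadcast_address}
    return [str(addr) for addr in sorted(targets)]


def build_acl(interface_cidr: str, acl_number: int = 100) -> list[str]:
    """Render Cisco IOS numbered extended ACL lines in the form used in
    the post: one deny-ESP entry per target, then permit everything else.
    acl_number is a hypothetical parameter; the post uses ACL 100."""
    lines = [
        f"access-list {acl_number} deny esp any host {addr}"
        for addr in esp_deny_targets(interface_cidr)
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def acl_silences(interface_cidr: str, dst: str, protocol: str = "esp") -> bool:
    """Report whether a packet of the given protocol to dst would hit a
    deny entry of the generated ACL, i.e. whether its log line is silenced.
    Traffic to the customer side (e.g. 192.168.1.2 in the post) is still
    permitted, as the post intends."""
    return protocol == "esp" and dst in esp_deny_targets(interface_cidr)


if __name__ == "__main__":
    # Reproduces the four lines quoted in the post for 192.168.1.1/30.
    for line in build_acl("192.168.1.1/30"):
        print(line)
```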


More information about the NANOG mailing list