Disable VPN access

Options
mat17
mat17 Posts: 45  Freshman Member
First Anniversary 10 Comments Friend Collector

Hello,

I don't understand: I don't have any activated IPSEC profiles, nor SSL, nor L2TP.

Why I this guy is able to initiate a connexion with my firewall and why firewall answer?

10

2023-03-01 13:30:22

info

IKE

ISAKMP SA [] is disconnected

222.154.x.x:500

184.105.x.x:34998

IKE_LOG

11

2023-03-01 13:30:22

info

IKE

The cookie pair is : 0x3e35c7072 / 0x294ccd95f

222.154.x.x:500

184.105.x.x:34998

IKE_LOG

12

2023-03-01 13:29:22

info

IKE

Send:[NOTIFY:NO_PROPOSAL_CHOSEN]

222.154.x.x:500

184.105.x.x:34998

IKE_LOG

13

2023-03-01 13:29:22

info

IKE

The cookie pair is : 0x3e35c7072 / 0x294ccd95f

222.154.x.x:500

184.105.x.x:34998

IKE_LOG

14

2023-03-01 13:29:22

info

IKE

Recv:[SA]

184.105.x.x:34998

222.154.x.x:500

IKE_LOG

15

2023-03-01 13:29:22

info

IKE

The cookie pair is : 0x294ccd95f / 0x3e35c70729

184.105.x.x:34998

222.154.x.x:500

IKE_LOG

16

2023-03-01 13:29:22

info

IKE

Recv Main Mode request from [184.105.x.x]

184.105.x.x:34998

222.154.x.x:500

IKE_LOG

17

2023-03-01 13:29:22

info

IKE

The cookie pair is : 0x3e35c7072 / 0x0000000000

184.105.x.x:34998

222.154.x.x:500

Is there a way to turn off VPN connexions?

Kind regards

Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @mat17

    For easy setup of VPN configuration on the firewall, it allows VPN service ports from the internet to the device by default policy control rule.

    However, if you would like to block all VPN requests from the internet, you can remove UDP500(IKE) and UDP4500(NATT) service ports from the "Default_Allow_WAN_To_ZyWALL" object group.

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @mat17

    For easy setup of VPN configuration on the firewall, it allows VPN service ports from the internet to the device by default policy control rule.

    However, if you would like to block all VPN requests from the internet, you can remove UDP500(IKE) and UDP4500(NATT) service ports from the "Default_Allow_WAN_To_ZyWALL" object group.

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hello @mat17
    If you have IPsec, L2TP, and SSL profile, the logs will still show the IKE logs when IPSec, SSL, and L2TP is inactive, it's inevitable, however, the device won't respond actually.
    If don't have any IPsec, L2TP, and SSL profile, then you can remove IKE, ESP, and NATT from the object Default_Allow_WAN_To_ZyWALL, then there will be no related log. (like Stanley suggested)
    You can capture packets on the WAN interface to verify the behavior, so don't worry about it.

    If you don't use any VPN feature and find it annoying, you can disable the VPN related log, please go to CONFIGURATION > Log & Settings > System Log, and disable the log of the VPN category, thank you.

    James

Security Highlight