Disable VPN access

mat17
mat17 Posts: 45  Freshman Member

Hello,

I don't understand: I don't have any activated IPSEC profiles, nor SSL, nor L2TP.

Why is this guy able to initiate a connection with my firewall, and why does the firewall answer?

 #  | Time                | Priority | Category | Message                                          | Source             | Destination        | Note
----|---------------------|----------|----------|--------------------------------------------------|--------------------|--------------------|--------
 10 | 2023-03-01 13:30:22 | info     | IKE      | ISAKMP SA [] is disconnected                     | 222.154.x.x:500    | 184.105.x.x:34998  | IKE_LOG
 11 | 2023-03-01 13:30:22 | info     | IKE      | The cookie pair is : 0x3e35c7072 / 0x294ccd95f   | 222.154.x.x:500    | 184.105.x.x:34998  | IKE_LOG
 12 | 2023-03-01 13:29:22 | info     | IKE      | Send:[NOTIFY:NO_PROPOSAL_CHOSEN]                 | 222.154.x.x:500    | 184.105.x.x:34998  | IKE_LOG
 13 | 2023-03-01 13:29:22 | info     | IKE      | The cookie pair is : 0x3e35c7072 / 0x294ccd95f   | 222.154.x.x:500    | 184.105.x.x:34998  | IKE_LOG
 14 | 2023-03-01 13:29:22 | info     | IKE      | Recv:[SA]                                        | 184.105.x.x:34998  | 222.154.x.x:500    | IKE_LOG
 15 | 2023-03-01 13:29:22 | info     | IKE      | The cookie pair is : 0x294ccd95f / 0x3e35c70729  | 184.105.x.x:34998  | 222.154.x.x:500    | IKE_LOG
 16 | 2023-03-01 13:29:22 | info     | IKE      | Recv Main Mode request from [184.105.x.x]        | 184.105.x.x:34998  | 222.154.x.x:500    | IKE_LOG
 17 | 2023-03-01 13:29:22 | info     | IKE      | The cookie pair is : 0x3e35c7072 / 0x0000000000  | 184.105.x.x:34998  | 222.154.x.x:500    |

Is there a way to turn off VPN connections?

Kind regards

Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    Answer ✓

    Hi @mat17

    For easy setup of VPN configuration on the firewall, it allows VPN service ports from the internet to the device by a default policy control rule.

    However, if you would like to block all VPN requests from the internet, you can remove the UDP 500 (IKE) and UDP 4500 (NAT-T) service ports from the "Default_Allow_WAN_To_ZyWALL" object group.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Hello @mat17
    If you have IPsec, L2TP, and SSL profiles, the logs will still show IKE logs when IPsec, SSL, and L2TP are inactive; it's inevitable. However, the device actually won't respond.
    If you don't have any IPsec, L2TP, or SSL profile, then you can remove IKE, ESP, and NATT from the object Default_Allow_WAN_To_ZyWALL, and there will be no related log (as Stanley suggested).
    You can capture packets on the WAN interface to verify the behavior, so don't worry about it.

    If you don't use any VPN feature and find it annoying, you can disable the VPN-related log: please go to CONFIGURATION > Log & Settings > System Log and disable the log of the VPN category. Thank you.

    James
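The sequence in the log above (an inbound IKE Main Mode request, the firewall's NO_PROPOSAL_CHOSEN reply, then the SA being torn down) is what an unsolicited IKE probe against UDP 500 looks like before the WAN rule is tightened. The following Python script is an added example, not code from the thread or from Zyxel; it reads entries in the shape of that log (sample rows constructed from the post, addresses masked as they were there), and counts IKE initiators that are not in a hypothetical list of expected VPN peers, so a defender can see who is knocking and whether the firewall answered.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the IKE log from the thread:
# (seq, timestamp, message, source, destination). Addresses are masked as in the post.
SAMPLE_LOG = [
    (17, "2023-03-01 13:29:22", "The cookie pair is : 0x3e35c7072 / 0x0000000000",
     "184.105.x.x:34998", "222.154.x.x:500"),
    (16, "2023-03-01 13:29:22", "Recv Main Mode request from [184.105.x.x]",
     "184.105.x.x:34998", "222.154.x.x:500"),
    (14, "2023-03-01 13:29:22", "Recv:[SA]", "184.105.x.x:34998", "222.154.x.x:500"),
    (12, "2023-03-01 13:29:22", "Send:[NOTIFY:NO_PROPOSAL_CHOSEN]",
     "222.154.x.x:500", "184.105.x.x:34998"),
    (10, "2023-03-01 13:30:22", "ISAKMP SA [] is disconnected",
     "222.154.x.x:500", "184.105.x.x:34998"),
]

# Remote peers expected to bring up tunnels (hypothetical; empty when no VPN is configured,
# which is the situation in the thread).
KNOWN_PEERS = set()

MAIN_MODE = re.compile(r"Recv Main Mode request from \[(?P<peer>[^\]]+)\]")
REJECT = "Send:[NOTIFY:NO_PROPOSAL_CHOSEN]"


def host(addr):
    """Strip the ':port' suffix from a 'host:port' log field."""
    return addr.rsplit(":", 1)[0]


def unsolicited_ike(entries, known_peers=KNOWN_PEERS):
    """Return {peer: {'requests': n, 'rejected': n}} for IKE initiators not in known_peers.

    'requests' counts inbound Main Mode requests from the peer; 'rejected' counts
    NO_PROPOSAL_CHOSEN notifications the firewall sent back to it, i.e. the firewall
    did answer the probe even though no VPN profile matched.
    """
    findings = defaultdict(lambda: {"requests": 0, "rejected": 0})
    for _seq, _ts, msg, _src, dst in entries:
        m = MAIN_MODE.search(msg)
        if m and m.group("peer") not in known_peers:
            findings[m.group("peer")]["requests"] += 1
        elif msg == REJECT and host(dst) not in known_peers:
            findings[host(dst)]["rejected"] += 1
    return dict(findings)


if __name__ == "__main__":
    for peer, c in unsolicited_ike(SAMPLE_LOG).items():
        print(f"{peer}: {c['requests']} Main Mode request(s), {c['rejected']} answered with NO_PROPOSAL_CHOSEN")
```

Once UDP 500 and 4500 are removed from the WAN-to-ZyWALL rule as advised above, the same script should report no answered probes, which is a simple way to confirm the change took effect from the log side.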
