How to prevent the IKE daemon from responding to IKEv1 requests?

Zyxel_USG_User, Ally Member

Running latest firmware on a USG20W-VPN. All my IPSec clients (SecuExtender on Win11/macOS, native iOS, strongSwan on Android) are IKEv2 only. The VPN gateways are configured as IKEv2 only - the IKE Version radio button is set to IKEv2 and greyed out (as expected).

Despite this, the IKE daemon still engages with inbound IKEv1 Main Mode requests on UDP/500. Log excerpt from an opportunistic scanner hitting the public IP from an Azure network range based somewhere :) :

Recv Main Mode request from [x.x.x.x]
Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP, ...
[SA] : Tunnel [MyTunnel] Phase 1 authentication method mismatch
[SA] : No proposal chosen
Send:[NOTIFY:NO_PROPOSAL_CHOSEN]

So the daemon parses the IKEv1 packet, attempts to match it against an IKEv2-only gateway, fails at Phase 1 auth, and replies with NO_PROPOSAL_CHOSEN. No tunnel establishes - but the daemon is clearly reachable on IKEv1 and willing to negotiate up to the auth method check.

I'd like to make the device silently drop IKEv1 entirely, so scanners get no response on UDP/500 unless they speak IKEv2.

Things I've already checked or ruled out:

  • Both VPN gateways are IKEv2 only - no IKEv1 gateway exists
  • No "global IKE version" setting visible in the GUI
  • Geo-blocking via Security Policy works fine when we're home, but we travel globally so I can't restrict source countries during travel windows - the IPSec VPN protocol suite has to allow ANY when traveling.
  • Port-based blocking won't work since IKEv2 uses the same UDP/500 and UDP/4500

Questions:

  1. Is there a global setting (GUI or CLI) to disable the IKEv1 responder on the IKE daemon while keeping IKEv2 active?
  2. If not, has anyone successfully built an ADP custom signature matching the IKE header version byte (0x10 for v1 vs 0x20 for v2) at the appropriate offset inside the UDP payload? Specifically, I'd want to confirm the correct offset on this platform's ADP content-matching engine and that it inspects UDP payload, not just headers.
  3. Any other approach I'm missing on this hardware?
  4. Separately: is there a way to suppress the NOTIFY:NO_PROPOSAL_CHOSEN response and have the daemon silently drop on mismatch instead? The notify reply is permitted but not required by either RFC 2409 (IKEv1) or RFC 7296 (IKEv2), and replying confirms to scanners that a live IKE responder is present even when negotiation fails. Silent drop would make the device look closed to passive probing.
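The offset asked about in question 2 can be checked against the header layout directly. The script below is an added example written for this thread, not code from the original post or from Zyxel, and it says nothing about what the appliance's ADP engine can or cannot match. It parses the fixed 28-byte IKE header (the same layout for IKEv1 in RFC 2408 and IKEv2 in RFC 7296), reports where the version byte sits in the UDP payload for UDP/500 (byte 17) and for UDP/4500 (byte 21, because NAT-T prefixes a 4-byte zero "non-ESP marker" per RFC 3948), and returns the drop/pass decision the post asks for: IKEv1 dropped, everything else passed. It also shows why a single-offset match is not enough on 4500, where ESP-in-UDP and the 1-byte NAT keepalive share the port. All sample packets are constructed, not captured traffic.

```python
"""Classify IKE packets carried in UDP payload by the IKE header version byte.

Added example for this thread, not Zyxel code. Header offsets follow RFC 2408
s.3.1 (ISAKMP header) and RFC 7296 s.3.1 (IKE header), which share one 28-byte
layout; the 4-byte non-ESP marker on UDP/4500 is from RFC 3948 s.2.2.
"""
import os
import struct

IKE_HEADER_LEN = 28              # fixed header length, both IKE versions
NON_ESP_MARKER = b"\x00" * 4     # prefixed to IKE messages on UDP/4500 (NAT-T)
NAT_KEEPALIVE = b"\xff"          # 1-byte payload on UDP/4500, must be tolerated

IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def version_byte_offset(dst_port):
    """Offset of the IKE version byte inside the UDP payload.

    Header: I-SPI(8) R-SPI(8) NextPayload(1) Version(1) -> byte 17 on UDP/500,
    shifted by the 4-byte non-ESP marker on UDP/4500 -> byte 21.
    """
    return 17 + (4 if dst_port == 4500 else 0)


def parse_ike(udp_payload, dst_port):
    """Return a dict describing the datagram, or None when it is not IKE."""
    data = udp_payload
    if dst_port == 4500:
        if data == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if not data.startswith(NON_ESP_MARKER):
            return {"kind": "esp-in-udp"}   # first 4 bytes are a non-zero ESP SPI
        data = data[len(NON_ESP_MARKER):]
    if len(data) < IKE_HEADER_LEN:
        return None
    (ispi, rspi, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    major = version >> 4             # 0x10 -> 1 (IKEv1), 0x20 -> 2 (IKEv2)
    if major == 1:
        exch_name = IKEV1_EXCHANGES.get(exch_type, f"exchange {exch_type}")
    elif major == 2:
        exch_name = IKEV2_EXCHANGES.get(exch_type, f"exchange {exch_type}")
    else:
        return None
    return {"kind": "ike", "major": major, "version_byte": version,
            "exchange": exch_name, "ispi": ispi, "rspi": rspi,
            "msg_id": msg_id, "declared_len": length}


def verdict(udp_payload, dst_port):
    """Filter decision the post asks for: IKEv1 -> drop, anything else -> pass."""
    info = parse_ike(udp_payload, dst_port)
    if info and info["kind"] == "ike" and info["major"] == 1:
        return "drop"
    return "pass"


def build_header(major, exch_type, next_payload, flags, ispi, rspi=0, msg_id=0, body=b""):
    """Build a constructed IKE message: 28-byte header plus an opaque body."""
    length = IKE_HEADER_LEN + len(body)
    return struct.pack("!QQBBBBII", ispi, rspi, next_payload, major << 4,
                       exch_type, flags, msg_id, length) + body


# Constructed samples (not captured traffic). Next Payload 1 = SA (IKEv1), 33 = SA (IKEv2).
IKEV1_MAIN_MODE = build_header(1, 2, 1, 0x00, ispi=0x1122334455667788, body=b"\x00" * 40)
IKEV2_SA_INIT = build_header(2, 34, 33, 0x08, ispi=0x8877665544332211, body=b"\x00" * 40)
IKEV1_MAIN_MODE_NATT = NON_ESP_MARKER + IKEV1_MAIN_MODE
IKEV2_SA_INIT_NATT = NON_ESP_MARKER + IKEV2_SA_INIT
ESP_IN_UDP = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + os.urandom(32)  # SPI 0x1234, seq 1

if __name__ == "__main__":
    for name, pkt, port in [("IKEv1 Main Mode on 500", IKEV1_MAIN_MODE, 500),
                            ("IKEv1 Main Mode on 4500", IKEV1_MAIN_MODE_NATT, 4500),
                            ("IKEv2 IKE_SA_INIT on 500", IKEV2_SA_INIT, 500),
                            ("IKEv2 IKE_SA_INIT on 4500", IKEV2_SA_INIT_NATT, 4500),
                            ("ESP-in-UDP on 4500", ESP_IN_UDP, 4500),
                            ("NAT keepalive on 4500", NAT_KEEPALIVE, 4500)]:
        print(f"{name}: version byte at offset {version_byte_offset(port)} -> {verdict(pkt, port)}")
```

Note that `verdict` only tells a scanner "nothing answered" if it runs in front of the daemon; the IKE daemon's own NO_PROPOSAL_CHOSEN reply (question 4) is a separate matter that this script does not change.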

All Replies

  • PeterUK, Guru Member

    Seems like a good idea

  • Zyxel_Melen, Zyxel Employee

    Hi @Zyxel_USG_User

    No, there's no method to disable IKEv1. And ADP can't add custom signatures.

    I'm checking if this requirement can use Intrusion Prevention System (IPS) to drop the traffic.

    Separately: is there a way to suppress the NOTIFY:NO_PROPOSAL_CHOSEN response and have the daemon silently drop on mismatch instead? The notify reply is permitted but not required by either RFC 2409 (IKEv1) or RFC 7296 (IKEv2), and replying confirms to scanners that a live IKE responder is present even when negotiation fails. Silent drop would make the device look closed to passive probing.

    Currently, no. Not sure if other vendors have this option?

    Zyxel Melen


  • PeterUK, Guru Member
    edited May 15

    What I think they want is a first-packet match on UDP port 500 to block IKEv1

    Or only have the daemon reply when the request matches a configured tunnel's Phase 1 encryption, authentication and DH, but this would mean no feedback as to why the connection failed if it is set up wrong

    [Screenshot attached: Screenshot 2026-05-15 113906.png]
  • Zyxel_Melen, Zyxel Employee

    Hi @Zyxel_USG_User

    IPS currently can't help with this requirement; IPS policies are not applied to traffic destined to the device itself. Since this is a limitation of the USG FLEX/ATP series, I will help you create an idea post for this requirement on the USG FLEX H series.

    Zyxel Melen


  • Zyxel_USG_User, Ally Member

    Thanks Zyxel_Melen, I voted there :)