ATP100: Unknown IKE login tries

e_mano_e
Hi,

I just noticed on my ATP100 the following IKE login attempts from IP addresses located in the US.
These login attempts are from unknown users.

What is the best way to block these login tries?

I could use GeoIP-Blocking because there is no need for users from the US to login to my ATP100 (I'm located in Germany).

Are there other ways to block these logins?

Here is a screenshot of my ATP100 Log:


Thanks.
Jens

All Replies

  • MikeForshock
    Perhaps a brute-force detection or throttling.
    After x attempts per x time, drop for x duration.
  • Fred_77
    Hi, I had a customer in the same situation.
    I created a geo-ip white list... all other countries are blocked.

  • e_mano_e
    @Fred_77 Sounds good. But where do I find the white list?
  • Fred_77
    Hi,
    you have to create your white list:
    Menu Object => Address/GeoIP => Address
    then
    +add => type "Geography" (you can choose a single region or a continent)

    Create as many items as you need, then go to "Address Group"
    +add => name "White list Geo IP", address type "Geography", and add all the GeoIP addresses created before.

    Now you need a policy WAN_to_Zywall where "source" is your GeoIP group for the services IKE, NAT-T, AH and ESP... also UDP 1701 if you need L2TP.

  • Zyxel_Jeff
    As Fred_77 mentioned, you can refer to the steps below to configure your device.

    STEP1. Add a Geo IP address object.

    STEP2. Add this Geo IP object to a group list.

    STEP3. Add a VPN service object that includes AH, ESP, IKE, NATT and L2TP-UDP.

    STEP4. Add a security policy to prevent source IPs that belong to the GeoIP list from establishing VPN connections to your device.

  • e_mano_e
    edited April 2022
    @Zyxel_Jeff: Thanks, but this will reject VPN traffic from USA only. And I do not want to add 100 countries to the GeoIP-Group.

    Will it also work if I create a GeoIP group with 3 or 4 countries that are allowed and then create the same policy rule with "Action=allow"? When the policy rule explicitly allows VPN traffic for the GeoIP group, this also means that all other countries are not allowed, right?
    Edit: No. I believe this cannot work this way. Such a policy rule will not be evaluated when the source GeoIP is USA.

    Another idea: Could I just edit the default policy rule "WAN_to_Device" and change the source to my created GeoIP-Whitelist-Group?
  • mMontana
    @e_mano_e IMVHO three things should be done.
    #1
    On top of rule WAN_To_Device, a rule with
    From WAN to Zywall
    From GEO IP group to Any
    Services IKE and NATT  (create a group)
    Allow
    #2
    "duplicate" the group Default_Allow_WAN_To_Device without IKE and NATT under another name (e.g. Custom_allow_Wan_To_Device)
    #3
    assign the new created group to the service list for the rule WAN_To_Device

    Without an explicit denial for other GeoIP nations/groups you can allow IKE only from the nations that you wish. With a drawback: L2TP from other nations will be automatically excluded due to the rule at point #1.

    This is one way to manage the requests. Any other specific cases/constraints must be evaluated before creating a test ruleset.

    As already stated: BBB. Backup Before Begin. Copy the startup-config.conf as a "failsafe" for your tricks and test. If something fails, it will be available.
  • Zyxel_Jeff

    Hi @e_mano_e

    It is a method to allow the specific Geo IPs to establish VPN to your device, too.

    But because the Default_Allow_WAN_To_Zywall service group also includes the HTTP and HTTPS services, it would also allow those specific Geo IPs to access your device via HTTP and HTTPS.

    So, you can execute the below steps:

    STEP1. You can add a security policy at the top priority to allow those Geo IPs to establish VPN (site-to-site, L2TP) with your device.

    STEP2. Edit the Default_Allow_WAN_To_Zywall service to exclude AH, ESP, IKE and NATT, leaving only HTTP and HTTPS, as below:
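The following is an added example, not code from the thread, from Zyxel or from any poster: a small first-match simulator of the security-policy ordering that e_mano_e, mMontana and Zyxel_Jeff discuss above. It contrasts ruleset A (an allow rule for a GeoIP whitelist placed above the stock WAN_to_Device rule, which still lists IKE/NATT and therefore lets US peers through) with ruleset B (the same top rule, but the default rule switched to a copied service group with IKE/NATT removed, so IKE from outside the whitelist falls through to the implicit deny while HTTPS stays reachable). The country codes, the packet list and the simplified matching logic are my own assumptions; rule and group names follow the thread.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example: first-match evaluation of ZyWALL-style security policies.
# Country codes, packets and the matching rules below are constructed
# assumptions for illustration, not Zyxel's implementation.

ANY = "Any"
# Services the thread lists for IPsec VPN; L2TP over IPsec needs IKE first.
VPN_SERVICES = frozenset({"IKE", "NATT", "AH", "ESP"})
# Simplified stand-in for the stock Default_Allow_WAN_To_Device group.
DEFAULT_ALLOW_WAN_TO_DEVICE = VPN_SERVICES | {"HTTP", "HTTPS"}
# mMontana's step #2: a copy of the default group without IKE and NATT.
CUSTOM_ALLOW_WAN_TO_DEVICE = frozenset(DEFAULT_ALLOW_WAN_TO_DEVICE - {"IKE", "NATT"})
# Constructed "White list Geo IP" group (hypothetical allowed countries).
WHITELIST = frozenset({"DE", "AT", "CH"})


@dataclass(frozen=True)
class Rule:
    name: str
    src_geo: frozenset[str] | str   # set of country codes, or ANY
    services: frozenset[str] | str  # set of service names, or ANY
    action: str                     # "allow" or "deny"

    def matches(self, country: str, service: str) -> bool:
        geo_ok = self.src_geo == ANY or country in self.src_geo
        svc_ok = self.services == ANY or service in self.services
        return geo_ok and svc_ok


def evaluate(rules: list[Rule], country: str, service: str) -> tuple[str, str]:
    """Walk the ordered rule list; the first matching rule decides.
    Anything that matches no rule hits the implicit default, which is deny."""
    for rule in rules:
        if rule.matches(country, service):
            return rule.action, rule.name
    return "deny", "implicit-default"


# Ruleset A: e_mano_e's first idea. The whitelist allow rule sits on top,
# but the untouched default rule still allows IKE/NATT from anywhere.
RULESET_A = [
    Rule("Allow_VPN_Whitelist", WHITELIST, frozenset({"IKE", "NATT"}), "allow"),
    Rule("WAN_to_Device", ANY, DEFAULT_ALLOW_WAN_TO_DEVICE, "allow"),
]

# Ruleset B: mMontana's steps #1-#3 / Zyxel_Jeff's STEP1-STEP2. Same top
# rule, but the default rule now uses the trimmed service group.
RULESET_B = [
    Rule("Allow_VPN_Whitelist", WHITELIST, frozenset({"IKE", "NATT"}), "allow"),
    Rule("WAN_to_Device", ANY, CUSTOM_ALLOW_WAN_TO_DEVICE, "allow"),
]

# Constructed sample traffic: (source country, service).
PACKETS = [("US", "IKE"), ("DE", "IKE"), ("US", "HTTPS"), ("DE", "HTTPS")]


def verdicts(rules: list[Rule], packets: list[tuple[str, str]]) -> dict[tuple[str, str], str]:
    """Return {(country, service): action} for every sample packet."""
    return {(c, s): evaluate(rules, c, s)[0] for c, s in packets}


if __name__ == "__main__":
    for label, ruleset in (("A: allow rule only", RULESET_A),
                           ("B: default group trimmed", RULESET_B)):
        print(label)
        for (country, service), action in verdicts(ruleset, PACKETS).items():
            _, rule_name = evaluate(ruleset, country, service)
            print(f"  {country} {service:<5} -> {action:<5} ({rule_name})")
```

Running it shows why e_mano_e's edit ("this cannot work this way") is right in outcome: in ruleset A the US IKE packet is still allowed by WAN_to_Device, because an allow rule higher up never denies anything by itself. In ruleset B the same packet matches no rule and is dropped by the implicit default, while HTTPS from any country still reaches the device, which is the HTTP/HTTPS side effect Zyxel_Jeff points out for editing the source of the default rule instead.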