USG Flex 200H: Unknown and unwanted VPN connection tries

e_mano_e
e_mano_e Posts: 111  Ally Member

Using: USG Flex 200H / Firmware V1.32(ABWV.0)

I've configured IPSec VPN (IKEv2) to allow access behind the Firewall.

But no one was using a VPN connection in the past days.

But I'm seeing many VPN connection tries in the log.
All are from outside my home country (Germany).
I'm seeing tries from USA, China, Great Britain.

I've configured Geo-blocking to only allow VPN connections from a few countries (and the mentioned countries are not in this list) but I'm still seeing these VPN connection tries.

Here is a screenshot of the log:

image.png

Is there anything more I can do to avoid these connection tries?

Maybe my configuration for the Geo-blocking is faulty?

What's the best way to avoid these connection tries?

Thanks!

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 739  Zyxel Employee
    Answer ✓

    @e_mano_e

    I have replied to you in PM.
    It's incorrect security policy configuration.

    To limit VPN packets from other countries, you need to create a new rule from WAN to ZyWall, Source: Geo-IP object, Service: AH, ESP, IKE, NATT, action: Allow.

    And also remove AH, ESP, IKE, NATT from Default_Allow_WAN_To_ZyWALL.
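
The effect of the accepted answer can be checked with a small simulation. This is an added example, not Zyxel code or the firewall's real policy engine: it assumes first-match evaluation of WAN-to-ZyWALL rules ending in an implicit deny, uses a constructed Geo-IP lookup and constructed IPs, and models "removing AH, ESP, IKE, NATT from Default_Allow_WAN_To_ZyWALL" as that service object becoming empty. The allowed-country set (DE, AT) is likewise constructed.

```python
# Added example (not Zyxel code): first-match simulation of WAN-to-ZyWALL
# policy for IKEv2 traffic, before and after the fix in the accepted answer.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for the firewall's Geo-IP database (documentation IPs).
GEOIP = {"203.0.113.10": "DE", "198.51.100.7": "US", "192.0.2.99": "CN"}
# Services the accepted answer says to move out of the default service object.
VPN_SERVICES = {"IKE", "NATT", "ESP", "AH"}   # UDP/500, UDP/4500, proto 50/51


@dataclass
class Rule:
    name: str
    src_countries: Optional[Set[str]]   # None = any source
    services: Optional[Set[str]]        # None = any service
    action: str                         # "allow" or "deny"


def evaluate(rules, src_ip: str, service: str) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit deny."""
    country = GEOIP.get(src_ip, "??")
    for r in rules:
        if r.src_countries is not None and country not in r.src_countries:
            continue
        if r.services is not None and service not in r.services:
            continue
        return r.name, r.action
    return "implicit_deny", "deny"


# Before: the default rule admits the VPN services from ANY source, so the
# Geo-IP object on the later rule is never consulted for IKE.
BEFORE = [
    Rule("WAN_to_Device/Default_Allow_WAN_To_ZyWALL", None, VPN_SERVICES, "allow"),
    Rule("GeoIP_VPN_Allow", {"DE", "AT"}, VPN_SERVICES, "allow"),
]

# After: Geo-IP-scoped allow for the VPN services, and the default service
# object no longer contains them (modelled as an empty set).
AFTER = [
    Rule("GeoIP_VPN_Allow", {"DE", "AT"}, VPN_SERVICES, "allow"),
    Rule("WAN_to_Device/Default_Allow_WAN_To_ZyWALL", None, set(), "allow"),
]


def verdicts(rules, service: str = "IKE") -> dict:
    """Map each constructed source IP to allow/deny for one VPN service."""
    return {ip: evaluate(rules, ip, service)[1] for ip in GEOIP}


if __name__ == "__main__":
    print("before:", verdicts(BEFORE))   # every country allowed
    print("after: ", verdicts(AFTER))    # only DE allowed
```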

All Replies

  • PeterUK
    PeterUK Posts: 3,775  Guru Member
    edited April 24

    What can be done is use DDNS on the remote end so you know the IP, and have a firewall rule from WAN to ZyWall with the source set to the FQDN of the connecting DDNS.

  • Zyxel_James
    Zyxel_James Posts: 739  Zyxel Employee

    Is it possible to provide your configuration via private message? I would like to check your security policy with Geo-IP

  • e_mano_e
    e_mano_e Posts: 111  Ally Member

    Hi @Zyxel_James

    I send you a PM.

  • MCFH
    MCFH Posts: 8  Freshman Member

    I am seeing something very similar to this with my SIP traffic, which has geo-filtering active on the WAN-to-Device rule, and I'm seeing loads of attacks reaching my SIP server.

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 67  Ally Member

    Geoblocking works like a charm, if set properly.

    I also read somewhere a while ago (not even sure if it was here?) about how to set it properly. I needed some tuning in the end to harden the system; see below.

    When it works, make sure that it updates the database once per week (that is the most frequent polling my device allows).

    Some ranges from a country may not be reflected correctly. I then block these subnets / ranges manually. After a while, everything is set and you will have VPN connections only from the countries allowed. If you build up your groups granularly, e.g. per country, or per continent if you will never travel there, you can manually enable or disable regions or countries when you travel there, blocking them again afterwards.

    If it is set properly, there will be no such VPN-relevant entries in the log.

    The procedure is two-fold. One setting is to be done in the GeoIP, then the second one using the references from the GeoIP in the security policy.

    Hopefully, the Support here will post the correct procedures.

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 67  Ally Member
    edited April 28
    1. Define your WAN interface as an entry, e.g. OwnFixedIP = IP address, then define Country1 = … (use one of these accordingly: continent, range, subnet, …).
    2. Go to Security Policy / Policy Control, then build the following rule: from any to ZyWall, source = Country1, destination = OwnFixedIP, service any, device any, user any, action deny, and log or not. I log them as alerts in red, therefore I can ignore them as having been dealt with and see only new entries in black.
    3. Repeat 1 and 2 for country, range, specific IP, continent.

  • PeterUK
    PeterUK Posts: 3,775  Guru Member

    It's likely you have a default rule for VPN that allows any.

  • e_mano_e
    e_mano_e Posts: 111  Ally Member

    Hi @Zyxel_James

    Understood. But wouldn't it be enough to just set the source to the Geo-IP object within the default policy rule named "WAN_to_Device"? Because when I remove AH, ESP, IKE and NATT from the service object "Default_Allow_WAN_To_ZyWALL", nothing remains in this service object. And the new policy rule that I should create looks to me like an exact copy of the default "WAN_to_Device".

  • PeterUK
    PeterUK Posts: 3,775  Guru Member

    Defaults are there as a guide and for default login access; you don't have to use them if you know what you're doing.