Unknown remote IP negotiations error

Author
one.co.il
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Joined: 2013/01/06 06:11:33
  • Status: offline
2018/11/07 22:28:43 (permalink)
0

Unknown remote IP negotiations error

Hi,
since I turned on mail notification for VPN events I'm getting this error a lot.
MY_IP is always my WAN1 IP.
UNKNOW_IP is different every time; when I get this error repeatedly the IPs are all in the same subnet (only the last number changes).
---------
Message meets Alert condition
date=2018-11-08 time=05:31:26 devname=FG100D devid=FG100D logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=UNKNOW_IP locip=MY_WAN_IP remport=20550 locport=500 outintf="wan1" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
-------
What does this message indicate? Is it an attack on my WAN?
What can I do to prevent this error?
#1
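As an added example (not from the thread or from Fortinet), a small Python parser for the FortiGate key=value log format quoted above. It keeps only remote-initiated phase-1 negotiations that the FortiGate answered as responder and that ended in failure, then groups the source addresses by /24 so the "same subnet, only the last number changes" pattern can be confirmed from the logs before deciding what to block. The sample lines are constructed with documentation addresses, and the thread's own line with its redacted placeholders is included to show that an unparsable remip is skipped.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the FortiGate key=value format quoted in the thread.
# Addresses are documentation ranges; line 1 keeps the thread's own redacted placeholders.
SAMPLE_LOGS = """\
date=2018-11-08 time=05:31:26 devname=FG100D devid=FG100D logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=UNKNOW_IP locip=MY_WAN_IP remport=20550 locport=500 outintf="wan1" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date=2018-11-08 time=05:31:40 devid=FG100D type=event subtype=vpn level=error logdesc="Progress IPsec phase 1" action=negotiate remip=198.51.100.17 locip=203.0.113.5 remport=20551 locport=500 outintf="wan1" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date=2018-11-08 time=05:31:58 devid=FG100D type=event subtype=vpn level=error logdesc="Progress IPsec phase 1" action=negotiate remip=198.51.100.23 locip=203.0.113.5 remport=20552 locport=500 outintf="wan1" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date=2018-11-08 time=05:32:14 devid=FG100D type=event subtype=vpn level=error logdesc="Progress IPsec phase 1" action=negotiate remip=198.51.100.99 locip=203.0.113.5 remport=20553 locport=500 outintf="wan1" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date=2018-11-08 time=06:02:01 devid=FG100D type=event subtype=vpn level=error logdesc="Progress IPsec phase 1" action=negotiate remip=192.0.2.50 locip=203.0.113.5 remport=500 locport=500 outintf="wan1" status=failure init=local mode=main dir=outbound stage=1 role=initiator result=ERROR
date=2018-11-08 time=09:10:11 devid=FG100D type=event subtype=vpn level=notice logdesc="Progress IPsec phase 1" action=negotiate remip=192.0.2.10 locip=203.0.113.5 remport=500 locport=500 outintf="wan1" vpntunnel="branch1" status=success init=remote mode=main dir=inbound stage=1 role=responder result=OK
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}

def is_unsolicited_phase1_failure(rec):
    """True for a failed phase-1 negotiation a remote peer started and we answered."""
    return (rec.get("subtype") == "vpn" and rec.get("action") == "negotiate"
            and rec.get("stage") == "1" and rec.get("role") == "responder"
            and rec.get("init") == "remote" and rec.get("status") == "failure")

def failed_sources_by_subnet(lines, prefixlen=24):
    """Map each /prefixlen network to the set of distinct remip addresses that
    produced unsolicited phase-1 failures; a cluster in one network stands out."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_fortigate_log(line)
        if not is_unsolicited_phase1_failure(rec) or "remip" not in rec:
            continue
        try:
            ip = ip_address(rec["remip"])
        except ValueError:
            continue  # redacted placeholder such as UNKNOW_IP, or a malformed field
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        hits[net].add(ip)
    return hits

def block_candidates(hits, min_sources=3):
    """Networks with at least min_sources distinct failing peers, as CIDR strings."""
    return sorted(str(net) for net, ips in hits.items() if len(ips) >= min_sources)

if __name__ == "__main__":
    print(block_candidates(failed_sources_by_subnet(SAMPLE_LOGS.splitlines())))  # prints ['198.51.100.0/24']
```

Raise min_sources or lower prefixlen to suit the volume you see; the threshold only proposes address objects for review, it does not change firewall state.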


    m0j0
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/02/19 16:01:20
    • Status: offline
    Re: Unknown remote IP negotiations error 2018/11/07 22:50:05 (permalink)
    0
    Well, it could be someone trying to brute force their way into your network.  If you only have site-to-site tunnels configured then you really don't have anything to worry about.  If you have client IPSec configured then there is a very small chance they could eventually get in (very small).
     
    If it's definitely always the same remote subnet and you have client IPSec configured, you could always put a block rule for that subnet above your IPSec policies.  Or, put a blackhole route for that subnet in your static route table.  Or, if you have a router outside your firewall that you have control of, put the blackhole route there.
     
    Mark
     
    #2
    Toshi Esumi
    Expert Member
    • Total Posts : 1215
    • Scores: 82
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Unknown remote IP negotiations error 2018/11/08 08:43:53 (permalink)
    0
    Regular FW policies wouldn't block IPSec attempts since the destination is itself. But "local-in-policy" does.
    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Local-In%20Policies.htm?Highlight=local-in-policy
     
    #3
    rwpatterson
    Expert Member
    • Total Posts : 8299
    • Scores: 181
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Unknown remote IP negotiations error 2018/11/08 11:00:48 (permalink)
    0
    Personally, I would be doing the blocking on the gateway router myself, if the FGT isn't it. Why bog down the FGT with bogus traffic?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    one.co.il
    Bronze Member
    • Total Posts : 21
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/01/06 06:11:33
    • Status: offline
    Re: Unknown remote IP negotiations error 2018/11/11 23:24:38 (permalink)
    0
    Hi, these messages repeat every night from 2 to 5 AM.
    I have a few site-to-site tunnels but also a remote access VPN.
    I don't know those IPs;
    what is the best way to block those addresses?
     
    #5
    one.co.il
    Bronze Member
    • Total Posts : 21
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/01/06 06:11:33
    • Status: offline
    Re: Unknown remote IP negotiations error 2018/11/12 07:28:14 (permalink)
    0
    toshiesumi
    Regular FW policies wouldn't block IPSec attempts since the destination is itself. But "local-in-policy" does.
    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Local-In%20Policies.htm?Highlight=local-in-policy

     
    Is this the correct setup to block IPsec attempts?
    config firewall local-in-policy
        edit <policy_number>
            set intf Wan1
            set srcaddr <can I use an Address Group to set up a blacklist group?>
            set dstaddr <Wan1 IP>
            set action {accept | deny}
            set service IPsec
            set schedule Always
        next
    end
    #6