How to block attack ipsec pkt

We observed a lot of ipsec detection packets in the log. How should I block them or protect against them?

Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: not enough room in input packet for ISAKMP Message
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: sending notification PAYLOAD_MALFORMED to 167.250.202.13:33656
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:47:59 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:59 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:48:00 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: not enough room in input packet for ISAKMP Message
Aug 13 09:48:00 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: sending notification PAYLOAD_MALFORMED to 167.250.202.13:61456
Aug 13 09:48:01 IPSec-Router pluto[3831]: packet from 167.250.202.13:41425: not enough room in input packet for ISAKMP Message
Aug 13 09:48:01 IPSec-Router pluto[3831]: packet from 167.250.202.13:41425: sending notification PAYLOAD_MALFORMED to 167.250.202.13:41425
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: not enough room in input packet for ISAKMP Message
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: sending notification PAYLOAD_MALFORMED to 167.250.202.13:33656
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: not enough room in input packet for ISAKMP Message
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: sending notification PAYLOAD_MALFORMED to 167.250.202.13:61456
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:63054: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:63054: sending notification PAYLOAD_MALFORMED to 167.250.202.13:63054
Aug 13 09:48:05 IPSec-Router pluto[3831]: packet from 167.250.202.13:60344: not enough room in input packet for ISAKMP Message
Aug 13 09:48:05 IPSec-Router pluto[3831]: packet from 167.250.202.13:60344: sending notification PAYLOAD_MALFORMED to 167.250.202.13:60344
Aug 13 09:48:06 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message

Hi,

It depends on how open your VPN gateway has to be. If you only have connections from known peers, you can set a local-firewall rule on the IPsec interface and prevent all IPsec traffic from unknown sources.

If you have connections from all over the world or from dynamic IP addresses, it's nearly impossible to do this with a stateful firewall. In this case an intrusion prevention or detection system could be a choice. But this is also not 100% protection.

VyOS itself doesn't provide an IDS at the moment. I know there is something on the roadmap, but without a timeline.

Further to this issue... if I add the IP from one of these PAYLOAD_MALFORMED occurrences to an address group which is part of a firewall drop rule, will this block further attempts?

I want to tail the log, pull the IP, add it to an address group, and reload the firewall. That is, if tail -f worked, so I am using another method.
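The log-to-address-group workflow described in the follow-up, written out as an added example; this is not code from any poster in the thread and not VyOS's own tooling. It parses pluto's "sending notification PAYLOAD_MALFORMED" lines, counts them per source address, skips an allowlist of known peers (so a misbehaving legitimate peer is not locked out by accident), and emits the VyOS configuration commands that add the offending addresses to an address group. The `set firewall group address-group <name> address <ip>` syntax is assumed to match VyOS 1.x; the sample log lines are constructed with RFC 5737 documentation addresses rather than real hosts, and the address group is assumed to already be referenced by a drop rule, as the follow-up describes.

```python
import re
import sys
from collections import Counter

# Matches the pluto notification line quoted in the thread and captures the
# source address (the port varies per packet and is deliberately ignored).
MALFORMED_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+: "
    r"sending notification PAYLOAD_MALFORMED"
)

# Constructed sample log: RFC 5737 documentation addresses, not real hosts.
# 192.0.2.10 sends three malformed packets, 198.51.100.7 one, and
# 203.0.113.5 (treated below as a known peer) three.
SAMPLE_LOG = """\
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 192.0.2.10:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 192.0.2.10:49531: sending notification PAYLOAD_MALFORMED to 192.0.2.10:49531
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 192.0.2.10:33656: sending notification PAYLOAD_MALFORMED to 192.0.2.10:33656
Aug 13 09:47:59 IPSec-Router pluto[3831]: packet from 198.51.100.7:19551: sending notification PAYLOAD_MALFORMED to 198.51.100.7:19551
Aug 13 09:48:00 IPSec-Router pluto[3831]: packet from 203.0.113.5:61456: sending notification PAYLOAD_MALFORMED to 203.0.113.5:61456
Aug 13 09:48:01 IPSec-Router pluto[3831]: packet from 192.0.2.10:41425: sending notification PAYLOAD_MALFORMED to 192.0.2.10:41425
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 203.0.113.5:61456: sending notification PAYLOAD_MALFORMED to 203.0.113.5:61456
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 203.0.113.5:49531: sending notification PAYLOAD_MALFORMED to 203.0.113.5:49531
"""

# Hypothetical allowlist of peers that must never be added to the drop group.
KNOWN_PEERS = frozenset({"203.0.113.5"})


def count_malformed(lines):
    """Return a Counter of PAYLOAD_MALFORMED notifications per source IP."""
    counts = Counter()
    for line in lines:
        match = MALFORMED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def offenders(counts, threshold, allow=KNOWN_PEERS):
    """Sorted list of addresses at or above the threshold, minus known peers."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allow)


def vyos_block_commands(group, ips):
    """VyOS 1.x commands (assumed syntax) that add each IP to an address group.

    The group must already be referenced by a firewall drop rule; these
    commands only change the group's membership, then commit and save.
    """
    cmds = [f"set firewall group address-group {group} address {ip}" for ip in ips]
    if cmds:
        cmds += ["commit", "save"]
    return cmds


if __name__ == "__main__":
    # Usage: feed the pluto log on stdin, e.g.  tail -F /var/log/messages | python3 block_malformed.py
    # With no stdin, the constructed sample above is used so the script runs offline.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    hits = count_malformed(source)
    for cmd in vyos_block_commands("IKE_MALFORMED_DROP", offenders(hits, threshold=2)):
        print(cmd)
```

The threshold is there because a single malformed packet can come from a buggy but legitimate client; requiring several within the tailed window before emitting a `set` line keeps the drop group from filling up with one-off noise. The printed commands are meant to be reviewed or piped into the VyOS configuration shell, not applied blindly.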