How to block attack ipsec pkt

We observe the log and find a lot of ipsec detection packets. How should I block or protect it?

Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:56 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: not enough room in input packet for ISAKMP Message
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: sending notification PAYLOAD_MALFORMED to 167.250.202.13:33656
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:58 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:47:59 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message
Aug 13 09:47:59 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: sending notification PAYLOAD_MALFORMED to 167.250.202.13:19551
Aug 13 09:48:00 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: not enough room in input packet for ISAKMP Message
Aug 13 09:48:00 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: sending notification PAYLOAD_MALFORMED to 167.250.202.13:61456
Aug 13 09:48:01 IPSec-Router pluto[3831]: packet from 167.250.202.13:41425: not enough room in input packet for ISAKMP Message
Aug 13 09:48:01 IPSec-Router pluto[3831]: packet from 167.250.202.13:41425: sending notification PAYLOAD_MALFORMED to 167.250.202.13:41425
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: not enough room in input packet for ISAKMP Message
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:33656: sending notification PAYLOAD_MALFORMED to 167.250.202.13:33656
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: not enough room in input packet for ISAKMP Message
Aug 13 09:48:02 IPSec-Router pluto[3831]: packet from 167.250.202.13:61456: sending notification PAYLOAD_MALFORMED to 167.250.202.13:61456
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:49531: sending notification PAYLOAD_MALFORMED to 167.250.202.13:49531
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:63054: not enough room in input packet for ISAKMP Message
Aug 13 09:48:03 IPSec-Router pluto[3831]: packet from 167.250.202.13:63054: sending notification PAYLOAD_MALFORMED to 167.250.202.13:63054
Aug 13 09:48:05 IPSec-Router pluto[3831]: packet from 167.250.202.13:60344: not enough room in input packet for ISAKMP Message
Aug 13 09:48:05 IPSec-Router pluto[3831]: packet from 167.250.202.13:60344: sending notification PAYLOAD_MALFORMED to 167.250.202.13:60344
Aug 13 09:48:06 IPSec-Router pluto[3831]: packet from 167.250.202.13:19551: not enough room in input packet for ISAKMP Message

Hi,

it depends on how open your vpn gateway have to be. If you have connections from known peers you can set a local-firewall rule to the ipsec interface an prevent all ipsec traffic from unknown sources.

if you have connections from all over the world or dynamic IP addresses. It’s nearly impossible to do this with a stateful firewall. In this case an Intrusion prevention or detection system could be a choice. But this is also not a 100% protection.

VyOS itself don’t provide a IDS at the moment. I know there is something on the roadmap but without a timeline.