[Openswan Users] Are these intrusion attempts?
Nick Howitt
n1ck.h0w1tt at googlemail.com
Fri Jun 4 13:20:42 EDT 2010
Paul,
I don't know anything about any of the IPs and I've never noticed
anything in the logs before (not that I always look at them). I use a
pretty strong PSK so I believe I'm fairly safe, but I've blocked the
IPs in the firewall for the moment.
Unfortunately both my remote endpoints are on dynamic IPs, so I
cannot tie them down, and Openswan does not play too well with FQDNs in
the ipsec.secrets file. (If you use DPD to reload the conn when the IP
changes, the secrets are not re-read.)
Regards,
Nick
On 04/06/2010 16:22, Paul Wouters wrote:
> On Thu, 3 Jun 2010, Nick Howitt wrote:
>
>> I've just noticed all these messages in my /var/log/secure:
>
>> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500:
>> ignoring Vendor ID payload [MS-MamieExists]
>
> Do you know that IP from anything? I assume not?
>
>> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500:
>> af+type of ISAKMP Oakley attribute has an unknown value:
>> 16384
>> May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500:
>> next payload type of ISAKMP Message has an unknown value:
>> 133
>
> ISAKMP Oakley attribute 16384 is reserved for private use. It might be
> a custom implementation, a test implementation,
> or a bug.
>
> It seems unlikely this is an attack, but it could be possible I guess.
> IKE is very hard to attack as it starts out doing
> crypto. The pluto daemon tries extremely hard to verify data
> structures and discards packets that fail the RFC specs.
>
> Paul
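As an added example, not code from the thread or from Openswan: a small Python triage script for the kind of pluto messages quoted above. It parses the `packet from IP:PORT:` lines, separates "unknown value" parse failures from ignored Vendor ID payloads, groups the events by source address, and reports any address outside a known-peer allowlist that produced parse failures. The sample log is constructed from the line format shown in the thread; the `203.0.113.7` peer, its "received Vendor ID" line and the allowlist are assumptions for the example.

```python
import re
from collections import defaultdict

# Line format shown in the thread: timestamp, host, pluto[pid], "packet from IP:PORT:", message.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'packet from (?P<ip>[\d.]+):(?P<port>\d+): (?P<msg>.*)$'
)
# pluto rejected a field it could not map to a value it knows (RFC check failed).
UNKNOWN_RE = re.compile(r'has an unknown value: (?P<value>\d+)$')
# pluto saw a Vendor ID payload it does not act on.
VENDOR_RE = re.compile(r'ignoring Vendor ID payload \[(?P<vid>[^\]]+)\]')

# Constructed sample log, modelled on the lines quoted in the thread.
# 203.0.113.7 (a documentation address) stands in for one of the legitimate remote endpoints.
SAMPLE_LOG = [
    "May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: ignoring Vendor ID payload [MS-MamieExists]",
    "May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: af+type of ISAKMP Oakley attribute has an unknown value: 16384",
    "May 31 02:05:18 server pluto[17050]: packet from 76.104.163.12:500: next payload type of ISAKMP Message has an unknown value: 133",
    "May 31 02:06:40 server pluto[17050]: packet from 203.0.113.7:500: received Vendor ID payload [Dead Peer Detection]",
    "May 31 02:06:41 server sshd[2211]: Accepted publickey for nick from 203.0.113.7 port 51022",  # not a pluto line
]
# Assumed allowlist of the peers that are expected to talk IKE to this host.
KNOWN_PEERS = {"203.0.113.7"}


def parse_pluto_line(line):
    """Return a dict describing one pluto 'packet from' line, or None for anything else."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    unknown = UNKNOWN_RE.search(rec["msg"])
    vendor = VENDOR_RE.search(rec["msg"])
    if unknown:
        rec["kind"] = "unknown_value"
        rec["value"] = int(unknown.group("value"))
    elif vendor:
        rec["kind"] = "vendor_id"
        rec["vendor_id"] = vendor.group("vid")
    else:
        rec["kind"] = "other"
    return rec


def summarize_pluto_events(lines, known_peers):
    """Group pluto events by source IP: counts per kind plus the distinct values seen."""
    by_ip = defaultdict(lambda: {
        "known": False, "unknown_value": 0, "vendor_id": 0, "other": 0,
        "values": set(), "vendor_ids": set(),
    })
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        entry = by_ip[rec["ip"]]
        entry["known"] = rec["ip"] in known_peers
        entry[rec["kind"]] += 1
        if rec["kind"] == "unknown_value":
            entry["values"].add(rec["value"])
        elif rec["kind"] == "vendor_id":
            entry["vendor_ids"].add(rec["vendor_id"])
    return dict(by_ip)


def unexpected_sources(summary):
    """Addresses not on the allowlist whose packets failed pluto's structure checks."""
    return sorted(ip for ip, e in summary.items()
                  if not e["known"] and e["unknown_value"] > 0)


if __name__ == "__main__":
    summary = summarize_pluto_events(SAMPLE_LOG, KNOWN_PEERS)
    for ip, e in sorted(summary.items()):
        tag = "known peer" if e["known"] else "UNKNOWN source"
        print(f"{ip:16} {tag:15} unknown_value={e['unknown_value']} "
              f"vendor_id={e['vendor_id']} values={sorted(e['values'])}")
    print("review these sources:", unexpected_sources(summary))
```

Run against `/var/log/secure` (for example `summarize_pluto_events(open('/var/log/secure'), KNOWN_PEERS)`) to get the same grouping over real data. With dynamic-IP peers the allowlist will not be stable, so the more useful signal is usually the `unknown_value` count per address: a legitimate Windows or Openswan peer normally produces Vendor ID noise but not repeated structure failures.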