How do I block IP addresses from trying to establish a VPN tunnel with a Sonicwall?

As the title suggests, there’s a device out there trying to establish a VPN tunnel. No policy exists for that IP/tunnel, so the logs show a VPN Warning "IKE Responder: VPN Policy for gateway address not found" every 30 seconds. I assumed that creating a Deny rule with the originating IP as the source and all services denied would block everything from that IP, but the log keeps showing the IKE responder messages with the inevitable "Payload processing failed" message. Is there a way to block everything, including attempted VPN tunnels, from a WAN IP?

When you created your deny rule, which zones were you creating it for?

It should work if you create a WAN > WAN deny (or discard) rule with the source as the offending IP, and the destination as your WAN public IP.
You can leave the service as Any or choose service IKE.

The initial IKE messages to create the tunnel are technically WAN to WAN, as is the SSLVPN traffic on port 4433. Only once the tunnel is established does traffic pass across to your LAN / other zones.

Edit: we have these rules in place to make sure tunnels are only allowed on one of our WAN connections. I’m unsure if it stops the messages in the log, but in theory it should, as the rule would drop the traffic before it was passed to the VPN part of the SonicWall.

I create an address object for each IP address that I want to block, then create an address group containing those blocked IP addresses.

From there I create a WAN to LAN firewall rule with the source objects being the blocked IP address group, the destination being my LAN, the service being any, and the action being deny all.

This setup is based off of documentation provided by SonicWall, as well as assistance provided by SonicWall tech support. I have also tested this configuration and have found that it works. The test consisted of adding my public WAN IP address from my office to the block list and then attempting to set up a VPN tunnel to the SonicWall, as well as attempting to run port scans of the SonicWall from the outside.
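As an added example (not from the thread, and not SonicWall's own code), a small Python script that tallies the IKE responder failures per source IP from exported log lines and lists the repeat offenders that are not known VPN peers, so they can be added to the blocked address group described above. The key=value log format, field names and the constructed sample lines are assumptions; adjust them to your firewall's actual output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in SonicWall's key=value syslog style. Field names and message
# text are assumptions based on the thread; adjust them to match your firewall's output.
SAMPLE_LOG = """\
id=firewall sn=CONSTRUCTED time="2024-01-10 09:00:01" fw=203.0.113.10 pri=4 msg="VPN Policy for gateway address not found" src=198.51.100.23:500:X1 dst=203.0.113.10:500:X1
id=firewall sn=CONSTRUCTED time="2024-01-10 09:00:31" fw=203.0.113.10 pri=4 msg="VPN Policy for gateway address not found" src=198.51.100.23:500:X1 dst=203.0.113.10:500:X1
id=firewall sn=CONSTRUCTED time="2024-01-10 09:00:45" fw=203.0.113.10 pri=4 msg="VPN Policy for gateway address not found" src=192.0.2.77:500:X1 dst=203.0.113.10:500:X1
id=firewall sn=CONSTRUCTED time="2024-01-10 09:01:01" fw=203.0.113.10 pri=4 msg="Payload processing failed" src=198.51.100.23:500:X1 dst=203.0.113.10:500:X1
id=firewall sn=CONSTRUCTED time="2024-01-10 09:01:10" fw=203.0.113.10 pri=6 msg="Connection Opened" src=10.0.0.5:51234:X0 dst=203.0.113.10:443:X1
"""

# IKE responder messages the thread describes seeing every 30 seconds.
IKE_FAILURE_MESSAGES = {"VPN Policy for gateway address not found", "Payload processing failed"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def ike_responder_failures(log_text: str) -> Counter:
    """Count IKE responder failures per source IP (src is "ip:port:interface")."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("msg") in IKE_FAILURE_MESSAGES and "src" in fields:
            counts[fields["src"].split(":")[0]] += 1
    return counts

def block_candidates(counts: Counter, known_peers: set, min_hits: int = 2) -> list:
    """IPs to add to the blocked address group: repeat offenders that are not legitimate
    VPN peers (your branch-office gateway IPs), so the WAN > WAN deny never hits a real tunnel."""
    wanted = (ip for ip, n in counts.items() if n >= min_hits and ip not in known_peers)
    return sorted(wanted, key=ipaddress.ip_address)

if __name__ == "__main__":
    hits = ike_responder_failures(SAMPLE_LOG)
    print(hits.most_common())
    print(block_candidates(hits, known_peers={"192.0.2.77"}))
```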

Assuming you’re using Site to Site VPNs and not the Global VPN Client, then you can edit the default rules to accomplish this. When you enable IPsec VPNs, the SonicWall will auto-create two IKE rules that show up as WAN to WAN. One will be From the WAN interface IP and the other To the WAN interface IP. You can change the source from Any to the public IPs of your branch office (create a group if you have more than one VPN tunnel).

You may still see the attempts in the logs in some form, but it prevents your firewall from actually checking if the parameters are correct. Some PCI scanners will complain if IKE is open and this will prevent you from being flagged for that too.

If you’re using the Global VPN Client, then you may have to use a deny rule; try specifying IKE in the rule instead of Any.

“Enable the ability to remove and fully edit auto-added access rules.”
https://www.sonicwall.com/support/knowledge-base/how-to-edit-or-delete-auto-added-access-rule-s-and-nat-policies/170502578285909/

Then just modify your policies for IKE, to only your WAN IPs instead of ‘Any’.

I’ve been trying to achieve this for ages but haven’t found a solution. It bugs me so much. Firewall rules don’t help.

I’ll try WAN > WAN. I think I had set it up as WAN > VPN and didn’t see any counters in the rules log.

I think that did it. Looks like creating the same firewall rule but Zone WAN > WAN did the trick. It never occurred to me that the traffic is still technically on the WAN side. Thank you so much!

Worked like a champ! Thanks

I have the same setup to block other WAN traffic so I simply added the WAN IP to the group. It did not stop IKE traffic. Probably because it wasn’t hitting the LAN side yet.

Nice! Glad to have helped

What services are you blocking with that firewall rule? Is it set to any/all?

What’s the priority on it? Change it to 1.

Yea, always at the top/priority 1.

Hmmmm. Have you tried making a specific rule to block that service for that specific address object?