gn.gov.ie on my firewall

zom

I have Zywall firewall installed recently and I just managed to record and analyse its logs. It is low traffic small business connection working office hours with small AD environment. I found in logs quite intensive communication between firewall and one of gn.gov.ie IPs and seems like it is trying unsuccessfuly establish VPN IPSec connection every few minutes. I don't have any IPSec VPV connection set in settings. I really dont know what it is and if I should start to worry about it ?

Alcoheda

post the logs

gctest50

zom wrote: »

I have Zywall firewall installed recently and I just managed to record and analyse its logs. It is low traffic small business connection working office hours with small AD environment. I found in logs quite intensive communication between firewall and one of gn.gov.ie IPs and seems like it is trying unsuccessfuly establish VPN IPSec connection every few minutes. I don't have any IPSec VPV connection set in settings. I really dont know what it is and if I should start to worry about it ?

Small chance that your Zywall has been violated

If it has dodgy firmware uploaded to it, it will write anything they want in it's logs

- (something).gov.ie was a reasonable guess by them, looks a bit less suspect than candycrush.com

Don't unplug it and reflash it - you'll never know what it was - get a passive tap and put it between the Zywall and it's source of internets.

zom

I'm not sure how much I can share but it is more or less:

From gn.gov.ie:
- Recv Main Mode request from [...ip...]
- The cookie pair is : .........
- Recv:[SA][VID][VID]


then from my Ip (Zywall):
- The cookie pair is : ..........
- [SA] : Tunnel [IPSEC_VPN_CONNECTION] Phase 1 proposal mismatch
- The cookie pair is : ..........
- [SA] : No proposal chosen
- The cookie pair is : ..........
- Send:[NOTIFY:NO_PROPOSAL_CHOSEN]

and so on every minute. I have logs like week back, and it seems to be there all the time. Wonder what gn.gov.ie addresses are - any idea ?

GreenFolder2

If that traffic is genuinely originating from the Government Network a likely source is a PC or other device that's infected with malware.

If it's originating from your router is possible you've malware trying to partake in a DDoS attack too.

Is it running the original firmware? You didn't flash it with anything from any unofficial source?

Is the connection being fired up from your router? Or is it the gov.ie address attempting to initiate a connection to you?

There's nothing configured on your router to do remote access or send log dumps that might be set to an IP address owned by gov.ie accidentally?

If you're clear it's coming from the state system, it might be worth alerting their IT unit that they've got a potential malware issue!

zom

This is Virgin / UPC fiber broadband on some old CISCO router. I have no access to it and can't tell anything bout it.
There is not much more in Zywall logs but category is: ike (IKE_LOG).
I think I will try to block external connections from that IP (only one) so presumably it should indicate if that's really external or just firewall bug. It is damn hard to figure out new Zywall interface but I'll try.

Sorry for bothering you here, just thought maybe someone got the same issue and recognise the problem.

GreenFolder2

I'd say it's just a PC with an infection on their side. AFAIK that's just the general state communications network - it would have a very large number of users in umpteen departments.

The state isn't very likely to be hacking your cable router tbh. It's not exactly known for its investment in cyber warfare... More likely a wonky PC in some random office.

Maybe Google a help desk contact and report the traffic so they can fix the issue.

Graham

Maybe your IP address used to belong to the other end of a legit VPN connection.

GreenFolder2

Graham wrote: »

Maybe your IP address used to belong to the other end of a legit VPN connection.

Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.

zom

I added rule to firewall and let it log for a moment to see how it's doing.
All IPSec nagging is gone, now it is only ACCESS BLOCK for "from WAN to ZyWALL, UDP, service others, DROP" on government IP.
Not sure if I will bother to explore it anymore, but I am still interested what you think about it?

Graham

GreenFolder2 wrote: »

Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.

OP mentioned a business connection, firewall is usually at the border before NAT.

testicles

This post has been deleted.

amovingstatue

testicles wrote: »

This post has been deleted.

Indeed. Maybe, just maybe the last person who had the dynamic IP allocated to their home internet connection now allocated to the OP's, was an employee in some gov department who had setup vpn negotiation to their home for some data transfer reason requiring a secure connection......

GreenFolder2

testicles wrote: »

IP ranges change purpose and hands you know?

Yes, of course I know ... !?!

However, UPC and Virgin have had those ranges for years. It would just seem a bit odd to have a state computer attempting to make VPN connections to a range of addresses that's normally used for consumer grade and small business cable modems and where they're usually dynamic.

It's likely either malware or some irregular use like someone using a state machine to access their home security cameras or something like that. Maybe connecting to their home PC as a remote desktop.

I can't think of many normal circumstances where you'd be connecting FROM a big corporate system TO a remote PC on a home network and residential style ISP.

Usually it's the other way around where someone is dialling in from home.

If it's an on going issue, report it to the owner of the network. It could be a security issue on their end.

liamo

I'd be inclined to think that it's not malware.
Realistically, what malware is going to try to establish a IPSec VPN?

The most likely explanation is that this is an old, and possibly forgotten or perhaps a current but poorly configured VPN.

I'd report it to the network owner. Regardless of the reason behind this traffic, I imagine the SysAdmin(s) would be interested to hear about it.

ED E

GreenFolder2 wrote: »

Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.

GreenFolder2 wrote: »

Yes, of course I know ... !?!

However, UPC and Virgin have had those ranges for years. It would just seem a bit odd to have a state computer attempting to make VPN connections to a range of addresses that's normally used for consumer grade and small business cable modems and where they're usually dynamic.

It's likely either malware or some irregular use like someone using a state machine to access their home security cameras or something like that. Maybe connecting to their home PC as a remote desktop.

I can't think of many normal circumstances where you'd be connecting FROM a big corporate system TO a remote PC on a home network and residential style ISP.

Usually it's the other way around where someone is dialling in from home.

If it's an on going issue, report it to the owner of the network. It could be a security issue on their end.

Liberty have had to expand their Irish blocks several times in the last 24 months. Its totally feasible that in the moves a static block got moved into the SME/Consumer pools/