Non-Meraki / Client VPN entries in event log

Mathew
Conversationalist


Hi,

 

I keep seeing these entries in the event log every few minutes. They are always from a 6.1.0.xxx IP address. Is there a way to stop them?

 

Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport XXX.XXX.XXX.XXX[4500]->6.1.0.20[4500] spi=4228925356(0xfc01056c)
Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport XXX.XXX.XXX.XXX[4500]->6.1.0.20[4500] spi=30026116(0x1cb3af4)
Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: not matched
PhilipDAth
Kind of a big deal

It means that the remote party [most likely] has a site-to-site VPN misconfigured to your IP address. In this case, unless you know who the remote party is, you won't be able to do anything about it.

 

The next possibility [very unlikely] is that you are being attacked and they are trying to break the IKEv1 pre-shared key.

 

 

I assume you don't have any non-Meraki VPNs configured to such an IP address ...

Mathew
Conversationalist

No, we don’t have remote sites using site-to-site VPN and do not recognise the IPs.

We only use Client VPN at the moment. Is there any way of blocking those IPs completely?
PhilipDAth
Kind of a big deal

No, there is no way to block those IPs. You don't need to worry about them. They aren't getting anywhere. You are only aware of them because the MX has told you that their connection attempt was blocked.
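
Added example, not part of the thread and not Meraki tooling: a small Python script that tallies these event-log lines per remote peer, so you can see which addresses generate them and whether any fall outside the peers you expect. The log text is constructed in the format quoted in the question; `summarize`, `own_ip`, `known_peers` and the 203.0.113.10 / 198.51.100.7 addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post. 203.0.113.10 stands in
# for the MX's own (redacted) public address; 198.51.100.7 is a made-up known peer.
SAMPLE_LOG = """\
Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 203.0.113.10[4500]->6.1.0.20[4500] spi=4228925356(0xfc01056c)
Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 203.0.113.10[4500]->6.1.0.20[4500] spi=30026116(0x1cb3af4)
Oct 18 08:46:15 Non-Meraki / Client VPN negotiationmsg: not matched
Oct 18 08:51:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 6.1.0.21[4500]->203.0.113.10[4500] spi=1234(0x4d2)
Oct 18 08:51:02 Non-Meraki / Client VPN negotiationmsg: not matched
Oct 18 09:00:40 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Tunnel 203.0.113.10[500]->198.51.100.7[500] spi=5678(0x162e)
"""

# Event type and message may or may not be separated by a space after export.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d Non-Meraki / Client VPN negotiation\s*msg: (?P<msg>.*)$"
)
SA_RE = re.compile(
    r"IPsec-SA established: \S+ (?P<a>[\d.]+)\[\d+\]->(?P<b>[\d.]+)\[\d+\] spi=\d+"
)

def summarize(log_text, own_ip, known_peers=()):
    """Count IPsec-SA lines per remote peer and 'not matched' lines overall."""
    sa_per_peer = Counter()
    not_matched = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other event type
        msg = m.group("msg").strip()
        sa = SA_RE.search(msg)
        if sa:
            # Does not assume which side of the arrow is local:
            # the peer is whichever endpoint is not our own address.
            for ip in {sa.group("a"), sa.group("b")} - {own_ip}:
                sa_per_peer[ip] += 1
        elif msg == "not matched":
            not_matched += 1  # carries no address, so only a total is possible
    known = set(known_peers)
    unknown = sorted(ip for ip in sa_per_peer if ip not in known)
    return {"sa_per_peer": dict(sa_per_peer),
            "not_matched": not_matched,
            "unknown_peers": unknown}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, own_ip="203.0.113.10", known_peers=["198.51.100.7"]))
```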
