nanog mailing list archives

Strange IPSEC traffic

From: Shawn L via NANOG <nanog () nanog org>
Date: Mon, 13 Nov 2023 12:10:03 -0500 (EST)


Is anyone else seeing a lot of 'strange' IPSEC traffic?  We started seeing logs of IPSEC with invalid spi on Friday.  
We're seeing it on pretty much all of our PE routers, none of which are setup to do anything VPN related.  Most are 
just routing local customer traffic.
 
decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x9D2D0000(2636972032), 
srcaddr=211.112.195.167, input interface=TenGigabitEthernet0/0/11
 
decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x14690000(342425600), 
srcaddr=74.116.56.244, input interface=TenGigabitEthernet0/0/5
 
The destination address is always one of our customer's ip addresses.  The source seems to be all over the place, 
mostly Russia, Korea, China or south east asia.  It's not really impacting anything at the moment, just rather annoying.
 
Thanks
 
Shawn

Current thread:

Strange IPSEC traffic Shawn L via NANOG (Nov 13)
- Re: Strange IPSEC traffic Adrian Minta (Nov 13)
  - Re: Strange IPSEC traffic Maurice Brown (Nov 13)
    - Re: Strange IPSEC traffic Sabri Berisha (Nov 13)
  - Re: Strange IPSEC traffic Tom Beecher (Nov 14)
- RE: Strange IPSEC traffic Mike Lewinski via NANOG (Nov 13)
- Re: Strange IPSEC traffic Dobbins, Roland via NANOG (Nov 13)
- Re: Strange IPSEC traffic Niels Bakker (Nov 14)