This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2020-08-13 11:18 AM

should i be worried about a key install to an unknown ip from the firewall?

So we had 2 vpn key installs that were successful from the same firewall to different ips (one from mongolia and one from china), should i be worried about that? because all i see in the logs are just the key installs so just 2 logs and no other logs, no exchange of information to those ips,etc. Do i have to investigate something else?

 

key1.PNG

That is how the log looks like, the other key install is also the same but with a different destination ip.

 

Thanks and Regards.

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2020-08-13 11:29 AM

You’ll notice it also says “No Proposal Chosen.”
Which means no key was actually installed.

This could be a configuration error on the remote end but I suppose it could also be a reconnaissance attempt by a remote party (portscan or similar).
Something to keep an eye on for sure.

0 Kudos
kb1
Collaborator
‎2020-08-13 11:33 AM
In response to PhoneBoy

thank you

0 Kudos
tavi0906
Contributor
‎2023-11-10 02:00 AM
In response to PhoneBoy

what does it mean " key install " ? 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-10 07:36 AM
In response to tavi0906

It's when symmetric encryption keys are (attempted to be) negotiated between VPN peers.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-08-13 03:25 PM

This has been brought up before at CheckMates, basically all UDP 500 traffic is allowed by the firewall and sent to the process vpnd on the gateway which is where all IKE negotiations occur.  You'll see random Internet IPs trying to start IKE negotiations with a "Key Install" log but they won't get anywhere since they are not a defined peer. 

IKEv1 Phase 1 does things in kind of a messed up order of operations by design which is not Check Point's fault.  IKEv1 Phase 1 performs the following three tasks in this order:

  • Agree on algorithms to form an SA
  • Compute a secret key with Diffie-Hellman
  • Authenticate the negotiating peers

The fact that lots of negotiation and a computationally expensive Diffie-Hellman calculation is performed before the peers even authenticate each other should raise alarm bells.  Because the peer has not been authenticated yet, it always possible they are hostile and trying to crash us with malformed or otherwise corrupt negotiations.  For that reason all IKE is handled in the vpnd process instead of the INSPECT/Firewall Worker which traditionally runs in the kernel.  If the vpnd process happens to crash, its parent process fwd simply respawns it immediately, no harm no foul.  However if IKE negotiations took place inside the kernel, a crash caused by the peer in there would cause the whole system to crash.  With the advent of USFW, it will be interesting to see if functions like this that are done for stability reasons in separate processes will end up getting integrated into the INSPECT/fwk/Firewall Worker when USFW is enabled.

IKEv2 resolves this design issue by authenticating the peers first before allowing any other operations.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
VenkateshM
Employee Alumnus
Employee Alumnus
‎2023-08-28 09:08 PM
In response to Timothy_Hall

Hello,

I am documenting Key Install referenced in Harmony Connect logs. Basically, this is one of the reasons for unsuccessful connection between the SD-WAN device and Harmony Connect Secure Web Gateway. Could anyone please explain in simple terms what Key Install is?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 07:01 AM
In response to VenkateshM

I believe it relates to when the IKE SAs are successfully negotiated between VPN peers (ie they have negotiated their symmetric key used for bulk encryption).

0 Kudos
doom
Explorer
‎2024-08-27 02:50 PM
In response to PhoneBoy

hello! could I ask you. how I can block all this unwanted "key installs" from particular ip addresses or networks or countries?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-27 03:11 PM
In response to doom

Yes, see: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695

0 Kudos
Lesley
Leader Leader
Leader
‎2024-08-28 11:50 AM
In response to doom

if you are not using implied rules you just can make a firewall rule. In this firewall rule block ESP (50) and Ike (500). And and make rule that allows the traffic from trused public IP's (remote VPN endpoints)

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events