An optional lockout mechanism can be enabled to block malicious clients and prevent them from using invalid credentials to consume system resources, as well as to prevent malicious users from guessing credentials such as a pre-shared key. This mechanism can be enabled by using the lockout command.
If the number of failed authentication attempts from a particular IPsec client exceeds a configured threshold during a specified time interval, the client is blocked for a configurable period of time. If a client is blocked, the system drops all IKE packets from the source IP address and port.
The following authentication failures are counted as failed authentication attempts:
IKEv1
  - psk: failed to verify the HASH_I payload in main mode
  - plain-psk-xauth:
      - failed to verify the HASH_I payload in main mode
      - RADIUS access-reject received
IKEv2
  - psk: failed to verify the AUTH payload in the auth-request packet
  - psk-radius:
      - failed to verify the AUTH payload in the auth-request packet
      - RADIUS access-reject received
  - cert:
      - failed to verify the AUTH payload in the auth-request packet
      - failed to verify the peer's certificate against the configured trust anchors
  - cert-radius:
      - failed to verify the AUTH payload in the auth-request packet
      - failed to verify the peer's certificate against the configured trust anchors
      - RADIUS access-reject received
  - eap: RADIUS access-reject received
Other failures, such as being unable to assign an address, are not counted.
The AUTH failure counter is reset by a successful authentication before the client is blocked, by the expiration of the block timer, or by the expiration of the duration timer.
If multiple IPsec clients behind a NAT device share the same public IP address, a limit on the maximum number of clients (ports) behind that IP address can be configured. If the number of ports exceeds the configured limit, all ports from that IP address are blocked.
The clear ipsec lockout command can also be used to manually clear a lockout state for the specified clients.
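As an added example, not the vendor's code, the following Python model captures the lockout behaviour described above: a per-client (source IP and port) failure counter with a duration timer and a block timer, the NAT port limit that blocks a whole IP address, and a manual clear. Class and parameter names are assumptions, as is applying the same block time to the whole-IP block.

```python
from dataclasses import dataclass

@dataclass
class _ClientState:
    failures: int = 0          # AUTH failure counter
    window_start: float = 0.0  # start of the "duration" counting interval
    block_until: float = 0.0   # block timer expiry; 0.0 means not blocked

class IpsecLockout:
    """Model of the lockout state machine; names are assumptions, not the CLI's."""
    def __init__(self, max_failures, duration, block_time, max_ports_per_ip=None):
        self.max_failures = max_failures          # threshold: block once exceeded
        self.duration = duration                  # counting interval (seconds)
        self.block_time = block_time              # how long a blocked client stays blocked
        self.max_ports_per_ip = max_ports_per_ip  # NAT port limit (None = disabled)
        self.clients = {}                         # (ip, port) -> _ClientState
        self.ip_block_until = {}                  # ip -> expiry of a whole-IP block

    def is_blocked(self, ip, port, now):
        if self.ip_block_until.get(ip, 0.0) > now:
            return True
        st = self.clients.get((ip, port))
        return st is not None and st.block_until > now

    def record_failure(self, ip, port, now):
        """Count one failed authentication; return True if the client is blocked."""
        if self.is_blocked(ip, port, now):
            return True  # IKE packets from a blocked client are dropped, not counted
        st = self.clients.setdefault((ip, port), _ClientState(window_start=now))
        # An expired block timer or duration timer resets the counter.
        if (st.block_until and st.block_until <= now) or now - st.window_start >= self.duration:
            st.failures, st.window_start, st.block_until = 0, now, 0.0
        st.failures += 1
        if st.failures > self.max_failures:
            st.block_until = now + self.block_time
        # NAT case: too many distinct ports behind one IP blocks every port of that IP.
        if self.max_ports_per_ip is not None:
            ports = {p for (i, p) in self.clients if i == ip}
            if len(ports) > self.max_ports_per_ip:
                self.ip_block_until[ip] = now + self.block_time  # assumed same block time
        return self.is_blocked(ip, port, now)

    def record_success(self, ip, port, now):
        """A successful authentication before a block resets the failure counter."""
        if not self.is_blocked(ip, port, now):
            self.clients.pop((ip, port), None)

    def clear(self, ip, port=None):
        """Manual clear, analogous to 'clear ipsec lockout' for one client or a whole IP."""
        self.ip_block_until.pop(ip, None)
        for key in [k for k in self.clients if k[0] == ip and port in (None, k[1])]:
            del self.clients[key]
```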