During a recent investigation of the router's log file, I spotted unusual behavior when one of the clients was trying to connect using ports 1030 and 1032 instead of 4500 for NAT Traversal.
The VPN is set up with IKEv2 key exchange on port 500 and IPsec NAT-T encapsulation on port 4500.
While this kind of issue has never happened before, it seems that this change happened on a client endpoint or somewhere in transit to the client router.
This peer was authorized by the VPN router and then killed 30 seconds later (probably because it wasn't able to transmit data over the interface: Tx bytes were 0 while there were some Rx packets).
At this point I recommended scanning every machine on their network to see if they may have some kind of trojan/worm on their computers.
My question is how to prevent this kind of attack.
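The two things the post checked by hand, a NAT-T peer floating to a port other than UDP/4500 and an SA that was torn down within seconds with Rx traffic but zero Tx, can be pulled out of a log automatically. The script below is an added example, not code from the poster or from any router vendor: the log format (`ike: peer <ip>:<port> <event> [rx=.. tx=..]`), the event names, the sample lines and the 60 second lifetime threshold are all constructed for illustration, so the regex would need to be adapted to the real router's syslog.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

IKE_PORT = 500    # IKEv2 key exchange
NATT_PORT = 4500  # IPsec NAT-T (UDP-encapsulated ESP)

# Hypothetical log format, constructed for this example (not any real router's):
#   "<date> <time> ike: peer <ip>:<port> <event>[ k=v ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike: peer "
    r"(?P<ip>[\d.]+):(?P<port>\d+) "
    r"(?P<event>IKE_SA_INIT|NAT-T float|SA established|SA deleted)"
    r"(?: (?P<kv>.*))?$"
)


@dataclass
class Session:
    ip: str
    ike_port: Optional[int] = None
    natt_port: Optional[int] = None
    established: Optional[datetime] = None
    rx: int = 0
    tx: int = 0


def _kv(s: Optional[str]) -> dict:
    """Parse trailing 'key=value' tokens such as 'rx=1536 tx=0'."""
    out = {}
    for tok in (s or "").split():
        k, _, v = tok.partition("=")
        out[k] = v
    return out


def audit(lines, max_lifetime_s: int = 60):
    """Return (peer_ip, reason) findings for the two anomalies described in the post:
    NAT-T/IKE on an unexpected UDP port, and a short-lived SA with Rx but no Tx."""
    sessions = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IKE line in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, port, event = m["ip"], int(m["port"]), m["event"]
        s = sessions.setdefault(ip, Session(ip))
        if event == "IKE_SA_INIT":
            s.ike_port = port
            if port != IKE_PORT:
                findings.append((ip, f"IKE on UDP/{port}, expected {IKE_PORT}"))
        elif event == "NAT-T float":
            s.natt_port = port
            if port != NATT_PORT:
                findings.append((ip, f"NAT-T on UDP/{port}, expected {NATT_PORT}"))
        elif event == "SA established":
            s.established = ts
        elif event == "SA deleted":
            kv = _kv(m["kv"])
            s.rx, s.tx = int(kv.get("rx", 0)), int(kv.get("tx", 0))
            life = (ts - s.established).total_seconds() if s.established else None
            # Rx packets arrived but nothing was ever sent back, and the SA died quickly
            if s.rx > 0 and s.tx == 0 and life is not None and life <= max_lifetime_s:
                findings.append((ip, f"SA torn down after {life:.0f}s with rx={s.rx} tx=0"))
    return findings


# Constructed sample log: one normal peer and one peer showing both anomalies.
SAMPLE_LOG = """\
2024-05-02 09:15:01 ike: peer 198.51.100.7:500 IKE_SA_INIT
2024-05-02 09:15:01 ike: peer 198.51.100.7:4500 NAT-T float
2024-05-02 09:15:02 ike: peer 198.51.100.7:4500 SA established
2024-05-02 09:20:10 ike: peer 203.0.113.42:500 IKE_SA_INIT
2024-05-02 09:20:10 ike: peer 203.0.113.42:1030 NAT-T float
2024-05-02 09:20:11 ike: peer 203.0.113.42:1032 SA established
2024-05-02 09:20:41 ike: peer 203.0.113.42:1032 SA deleted rx=1536 tx=0
2024-05-02 09:45:02 ike: peer 198.51.100.7:4500 SA deleted rx=81920 tx=40960
""".splitlines()

if __name__ == "__main__":
    for ip, reason in audit(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Run against the sample it reports only the second peer, once for the NAT-T float to UDP/1030 and once for the 30 second SA with rx>0 and tx=0; the first peer, on the expected ports and with traffic in both directions, produces nothing. A source port that differs from 4500 on its own is not proof of anything malicious, since a NAT device between the client and the router can rewrite it, so the port finding is best read together with the zero-Tx finding rather than alone.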