This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

US Dept of Defense integrated into L2TP VPN?

My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:
Source:

21.194.27.36 Dept of Defense

Dest:

50.115.125.93 [URL="http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a50.115.125.93&run=toolpage#"]50.115.125.93.static.westdc.net ??
[/URL]

69.171.245.49 Facebook

Here's what I can find on the source:
[SIZE=2]Location[/SIZE] [SIZE=2]

UNITED STATES, OHIO, COLUMBUS[/SIZE] [SIZE=2]Latitude, Longitude[/SIZE] [SIZE=2]39.96638, -83.01277 (39°57'59"S -83°0'46"E)[/SIZE] [SIZE=2]Connection through[/SIZE] [SIZE=2]DOD NETWORK INFORMATION CENTER[/SIZE] [SIZE=2]Local Time[/SIZE] [SIZE=2]04 Dec, 2013 05:17 PM (UTC -05:00)[/SIZE] [SIZE=2]Domain[/SIZE] [SIZE=2]NIC.MIL[/SIZE]
Here are a couple of lines from the logs:


[FONT=monospace]14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]

Note the L2TP is the traffic being parsed.

Could I get some fresh eyes on this?

Thanks,

Doug

This thread was automatically locked due to age.

Parents

0 BarryG over 11 years ago

Hi,

1. please post entries from the full log, not the live log

2. I'm assuming the 'l2tp' entry in the live log refers to the virtual interface, but I'm not certain.
What is your firewall rule #6?

3. can you double-check what is the IP of the phone's VPN client connection? Maybe it is using the 21.194.27.36 IP address for some reason.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

0 SalishSwede over 11 years ago in reply to BarryG

1. Entries from the full log


2013:12:04-14:08:16 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="69.171.245.49" proto="6" length="130" tos="0x00" prec="0x00" ttl="63" srcport="38247" dstport="443" tcpflags="ACK PSH"  

2013:12:04-14:08:26 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"

2a. Yes, I was thinking just that: that the L2TP referred to the v-interface.
2b.  Firewall rule 6 was just a late night amusement I threw in a few weeks ago.
     I went to the IANA site and created a definition which includes all registered Dept. of Defense addresses (mostly class A networks)
     I then created a rule, dropping all traffic coming from those addresses.
     I had probably had a beer [breaking my rule of no alcohol while fiddling with firewalls] so I overlooked traffic coming from the DoD.

3.  The phone's VPN IP is as follows per Web Admin
  username  FIRST LAST 10.242.3.2

Reply

0 SalishSwede over 11 years ago in reply to BarryG

1. Entries from the full log


2013:12:04-14:08:16 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="69.171.245.49" proto="6" length="130" tos="0x00" prec="0x00" ttl="63" srcport="38247" dstport="443" tcpflags="ACK PSH"  

2013:12:04-14:08:26 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"

Children

0 SalishSwede over 11 years ago in reply to SalishSwede

My oversight may have created the hook allowing the view to the traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to SalishSwede

I'm very curious if you can recreate this. This may be a global infiltration of a more vulnerable VPN protocol. In which case, Sophos should remove support for this protocol (unless Sophos is in bed with the DoD, of course).
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to SalishSwede

I've attached screenshots of the rule blocking DoD traffic.
Anyone can recreate exactly what I've done to see if they can see similar traffic.
Please post to this thread any results positive or negative.

Instructions:
1. Create a network group and add all DOD-related address spaces per attached images.  [better to recreate exactly what I've done]
Note: This is the source of my rule-set:
IANA IPv4 Address Space Registry
2. Create a firewall rule dropping all traffic going TO [not from] this network group.  Make sure to log traffic as part of the rule.
    Note: It's possible that the failure to drop traffic from is what allows the firewall to see any of the traffic at all.
3. Setup an L2TP interface under Remote Access
4. Setup an L2TP connection on a smartphone.  I am using a CyanogenMod derrivative of Android.  It's possible that CyanogenMod is the source of the trouble [possible infiltration?].
5. If you're local to your UTM and on wifi, turn off Wifi so you're using your phone company for internet access to your smartphone.
6. Connect your smartphone via L2TP
6a. To troubleshoot L2TP connections see the UTM log titled "IPSec VPN"
7. Watch the firewall logs for hits on the new Department of Defense rule.

DOD1.png

DOD2.png

DOD_Addresses.png
- DOD1.png
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel