US Dept of Defense integrated into L2TP VPN?

My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:

Source:

21.194.27.36   Dept of Defense

Dest:

50.115.125.93   50.115.125.93.static.westdc.net  ??
69.171.245.49   Facebook

Here's what I can find on the source:
Location:            UNITED STATES, OHIO, COLUMBUS
Latitude, Longitude: 39.96638, -83.01277 (39°57'59"S   -83°0'46"E)
Connection through:  DOD NETWORK INFORMATION CENTER
Local Time:          04 Dec, 2013 05:17 PM (UTC -05:00)
Domain:              NIC.MIL

Here are a couple of lines from the logs:

14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7

Note the L2TP is the traffic being parsed.

Could I get some fresh eyes on this?

Thanks,

Doug


  • Hi,

    1. please post entries from the full log, not the live log

    2. I'm assuming the 'l2tp' entry in the live log refers to the virtual interface, but I'm not certain.
    What is your firewall rule #6?

    3. can you double-check what is the IP of the phone's VPN client connection? Maybe it is using the 21.194.27.36 IP address for some reason.

    Barry
  • 1. Entries from the full log

    2013:12:04-14:08:16 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

    2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"  

    2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="69.171.245.49" proto="6" length="130" tos="0x00" prec="0x00" ttl="63" srcport="38247" dstport="443" tcpflags="ACK PSH"  

    2013:12:04-14:08:26 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f[:D]2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST" 

    2a. Yes, I was thinking just that: that the L2TP referred to the v-interface.
    2b. Firewall rule 6 was just a late night amusement I threw in a few weeks ago.
        I went to the IANA site and created a definition which includes all registered Dept. of Defense addresses (mostly class A networks).
        I then created a rule, dropping all traffic coming from those addresses.
        I had probably had a beer [breaking my rule of no alcohol while fiddling with firewalls] so I overlooked traffic coming from the DoD.

    3. The phone's VPN IP is as follows per Web Admin:
       username  FIRST LAST 10.242.3.2
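The full-log entries above are worth reading mechanically rather than by eye: the source on the L2TP interface (ppp1) is not the phone's assigned VPN address, and it falls inside the network definition that rule 6 drops. The script below is an added example, not code from the thread or from Sophos; it parses the UTM ulogd `key="value"` lines and reports, per dropped packet, which definition the source matched and whether the source is a VPN-pool address. The sample lines are constructed from the thread (MAC written as plain hex), the "DoD placeholder" definition covers only the logged source's /8 and stands in for the poster's IANA-derived object, and the VPN-pool set holds only the address shown in WebAdmin.

```python
import ipaddress
import re

# Constructed sample: two of the "Packet dropped" lines quoted in the thread.
SAMPLE_LOG = """\
2013:12:04-14:08:16 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f:d2:32:f7" srcip="21.194.27.36" dstip="50.115.125.93" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="39669" dstport="443" tcpflags="RST"
2013:12:04-14:08:19 ravenna ulogd[4818]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="6" initf="ppp1" outitf="ppp0" mark="0x3106" app="262" srcmac="0:0:2f:d2:32:f7" srcip="21.194.27.36" dstip="69.171.245.49" proto="6" length="130" tos="0x00" prec="0x00" ttl="63" srcport="38247" dstport="443" tcpflags="ACK PSH"
"""

# Assumption: placeholder for the poster's "all DoD addresses" definition,
# reduced to the single /8 that contains the logged source address.
DEFINITIONS = {"DoD placeholder": ["21.0.0.0/8"]}
# The phone's L2TP-assigned address as shown in WebAdmin in the thread.
VPN_POOL_ADDRESSES = {"10.242.3.2"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX_RE = re.compile(r'^(\S+) (\S+) ulogd\[(\d+)\]: ')

def parse_ulogd_line(line):
    """Turn one UTM packetfilter line into a dict of its key="value" fields."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a ulogd packetfilter line")
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["timestamp"], fields["host"] = m.group(1), m.group(2)
    return fields

def matching_definition(ip, definitions):
    """Name of the first definition whose networks contain ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in definitions.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return None

def explain_drops(log_text, definitions=DEFINITIONS, vpn_addrs=VPN_POOL_ADDRESSES):
    """For each dropped packet: the rule, the interfaces, which definition the
    source hit, and whether a source seen on the VPN side is a VPN-pool address."""
    findings = []
    for line in log_text.splitlines():
        f = parse_ulogd_line(line)
        if f.get("action") != "drop":
            continue
        findings.append({
            "time": f["timestamp"], "rule": f["fwrule"], "initf": f["initf"],
            "src": f["srcip"], "dst": f"{f['dstip']}:{f['dstport']}",
            "src_in": matching_definition(f["srcip"], definitions),
            "src_is_vpn_addr": f["srcip"] in vpn_addrs,
        })
    return findings

if __name__ == "__main__":
    for finding in explain_drops(SAMPLE_LOG):
        print(finding)
```

A drop whose `initf` is the L2TP interface but whose `src_is_vpn_addr` is False is exactly the case discussed in the thread: the phone is sending with its carrier address rather than the VPN-assigned one, and the source-based block rule then catches it.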
  • My oversight may have created the hook allowing the view to the traffic.