This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

US Dept of Defense integrated into L2TP VPN?

My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:
Source:

21.194.27.36 Dept of Defense

Dest:

50.115.125.93 [URL="http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a50.115.125.93&run=toolpage#"]50.115.125.93.static.westdc.net ??
[/URL]

69.171.245.49 Facebook

Here's what I can find on the source:
[SIZE=2]Location[/SIZE] [SIZE=2]

UNITED STATES, OHIO, COLUMBUS[/SIZE] [SIZE=2]Latitude, Longitude[/SIZE] [SIZE=2]39.96638, -83.01277 (39°57'59"S -83°0'46"E)[/SIZE] [SIZE=2]Connection through[/SIZE] [SIZE=2]DOD NETWORK INFORMATION CENTER[/SIZE] [SIZE=2]Local Time[/SIZE] [SIZE=2]04 Dec, 2013 05:17 PM (UTC -05:00)[/SIZE] [SIZE=2]Domain[/SIZE] [SIZE=2]NIC.MIL[/SIZE]
Here are a couple of lines from the logs:


[FONT=monospace]14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]

Note the L2TP is the traffic being parsed.

Could I get some fresh eyes on this?

Thanks,

Doug

This thread was automatically locked due to age.

Parents

0 BarryG over 11 years ago

Hi,

initf="ppp1" outitf="ppp0"

1. Is ppp1 your L2TP VPN, and is ppp0 a PPPoE DSL Internet connection?

2. do you have WiFi Tethering or anything like that enabled on the phone?
If so, what IP addresses is it handing out?

3. try running
route -n
on the UTM while the phone is connected to the VPN

4. try a traceroute to that IP address while the phone is connected and disconnected

If I'm backwards about #1 above, then it's possible your http proxy in the UTM is listening on the internet interface. Double-check it and the SOCKS proxy and the Generic Proxy and all your NATs.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 11 years ago

Hi,

initf="ppp1" outitf="ppp0"

1. Is ppp1 your L2TP VPN, and is ppp0 a PPPoE DSL Internet connection?

2. do you have WiFi Tethering or anything like that enabled on the phone?
If so, what IP addresses is it handing out?

3. try running
route -n
on the UTM while the phone is connected to the VPN

4. try a traceroute to that IP address while the phone is connected and disconnected

If I'm backwards about #1 above, then it's possible your http proxy in the UTM is listening on the internet interface. Double-check it and the SOCKS proxy and the Generic Proxy and all your NATs.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 SalishSwede over 11 years ago in reply to BarryG

>>Hi,

>>initf="ppp1" outitf="ppp0"

>>1. Is ppp1 your L2TP VPN, and is ppp0 a PPPoE DSL Internet connection?

Yes and Yes.
Here's the routing table:

[note: public ip addresses changed for security reasons]
[a.b.c.d & w.x.y.z are used instead of real addresses]


default via a.b.c.d dev ppp0  table 200  proto kernel onlink
local default dev lo  table 252  scope host  
default via a.b.c.d dev ppp0  table default  proto kernel  metric 20 onlink
10.1.0.0/16 dev eth0  proto kernel  scope link  src 10.1.1.2  
10.3.0.0/16 dev eth4  proto kernel  scope link  src 10.3.0.1  
10.242.3.2 dev ppp1  proto kernel  scope link  src 10.242.3.1  
w.x.y.z dev ppp0  proto kernel  scope link  src a.b.c.d  [changed for privacy]  
127.0.0.0/8 dev lo  scope link  
172.16.0.0/12 dev eth3  proto kernel  scope link  src 172.16.0.1  
broadcast 10.1.0.0 dev eth0  table local  proto kernel  scope link  src 10.1.1.2  
local 10.1.1.2 dev eth0  table local  proto kernel  scope host  src 10.1.1.2  
broadcast 10.1.255.255 dev eth0  table local  proto kernel  scope link  src 10.1.1.2
  broadcast 10.3.0.0 dev eth4  table local  proto kernel  scope link  src 10.3.0.1
  local 10.3.0.1 dev eth4  table local  proto kernel  scope host  src 10.3.0.1
  broadcast 10.3.255.255 dev eth4  table local  proto kernel  scope link  src 10.3.0.1
  local 10.242.3.1 dev ppp1  table local  proto kernel  scope host  src 10.242.3.1  
local w.x.y.z dev ppp0  table local  proto kernel  scope host  src a.b.c.d
 broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
 local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1  
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1  
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
 broadcast 172.16.0.0 dev eth3  table local  proto kernel  scope link  src 172.16.0.1 
 local 172.16.0.1 dev eth3  table local  proto kernel  scope host  src 172.16.0.1 
 broadcast 172.31.255.255 dev eth3  table local  proto kernel  scope link  src 172.16.0.1  
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
 unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
 local ::1 via :: dev lo  table local  proto none  metric 0  
unreachable default dev lo  table unspec  proto kernel  metric 4294967295 error-101

>>2. do you have WiFi Tethering or anything like that enabled on the phone?
>>If so, what IP addresses is it handing out?

There is no wifi tethering enabled. I have a standard connection to the phone company and a L2TP VPN enabled.

>>3. try running route -n on the UTM while the phone is connected to the VPN
Results:

ravenna:/home/login # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.3.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth4
10.242.3.2      0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
w.x.y.z[pravacy!]          0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
172.16.0.0      0.0.0.0         255.240.0.0     U     0      0        0 eth3

>>4. try a traceroute to that IP address while the phone is connected and disconnected

Connected:

traceroute to 10.242.3.2 (10.242.3.2), 30 hops max, 40 byte packets using UDP
 1  10.242.3.2 (10.242.3.2)  104.791 ms   133.877 ms   138.922 ms

Disconnected:

ravenna:/home/login # traceroute 10.242.3.2
traceroute to 10.242.3.2 (10.242.3.2), 30 hops max, 40 byte packets using UDP
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *

Given this address is a non-routable public address, shouldn't this have failed?

>>If I'm backwards about #1 above, then it's possible your http proxy in the UTM is >>listening on the internet interface. Double-check it and the SOCKS proxy and the >>Generic Proxy and all your NATs.

Socks proxy is off. Checking Web Protection > Web Filtering > Global > Allowed Networks, I have the following allowed:
Corporate Network
Internal Network [my primary net]
The VPN pools had a firewall rule allowing outbound traffic... I'm changing this.