Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 28 replies
  • Subscribers 1 subscriber
  • Views 21067 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

US Dept of Defense integrated into L2TP VPN?

SalishSwede
My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:  
Source:

21.194.27.36  Dept of Defense

Dest:

50.115.125.93   [URL="http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a50.115.125.93&run=toolpage#"]50.115.125.93.static.westdc.net  ??
[/URL]

              69.171.245.49   Facebook

Here's what I can find on the source:
[SIZE=2]Location[/SIZE]                     [SIZE=2]  UNITED STATES, OHIO, COLUMBUS[/SIZE]                                                       [SIZE=2]Latitude, Longitude[/SIZE]                     [SIZE=2]39.96638, -83.01277 (39°57'59"S   -83°0'46"E)[/SIZE]                                                       [SIZE=2]Connection through[/SIZE]                     [SIZE=2]DOD NETWORK INFORMATION CENTER[/SIZE]                                                       [SIZE=2]Local Time[/SIZE]                     [SIZE=2]04 Dec, 2013 05:17 PM (UTC -05:00)[/SIZE]                                                       [SIZE=2]Domain[/SIZE]                     [SIZE=2]NIC.MIL[/SIZE]
Here are a couple of lines from the logs:

[FONT=monospace]14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
 
Note the L2TP is the traffic being parsed. 

Could I get some fresh eyes on this?

Thanks,

Doug


This thread was automatically locked due to age.
Parents
  • 0
    Hi,
    The MAC address in the logs is registered to TimePlex Inc. 
    MAC_Find: Search results for "00:00:2f[:D]2:32:f7" (Vendor/Ethernet/Bluetooth MAC Address Lookup and Search)

    Is that your modem/router or phone or one of the UTM's NICs or something else?

    Barry
  • 0 in reply to BarryG
    Here's the interface table of the UTM  hint: it's not in there.

    1: lo:  mtu 65536 qdisc noqueue state UNKNOWN      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00     inet 127.0.0.1/8 scope host lo     inet6 ::1/128 scope host         valid_lft forever preferred_lft forever 
    2: eth0:  mtu 1500 qdisc hfsc state UNKNOWN qlen 1000     link/ether 00:0c:29:f2:87:19 brd ff:ff:ff:ff:ff:ff     inet 10.1.1.2/16 brd 10.1.255.255 scope global eth0 
    3: eth1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000     link/ether 00:0c:29:f2:87:23 brd ff:ff:ff:ff:ff:ff 
    4: eth2:  mtu 1500 qdisc noop state DOWN qlen 1000     link/ether 00:0c:29:f2:87:2d brd ff:ff:ff:ff:ff:ff 
    5: eth3:  mtu 1500 qdisc pfifo_fast state UP qlen 1000     link/ether 00:0c:29:f2:87:37 brd ff:ff:ff:ff:ff:ff     inet 172.16.0.1/12 brd 172.31.255.255 scope global eth3 
    6: eth4:  mtu 1500 qdisc pfifo_fast state UP qlen 1000     link/ether 00:0c:29:f2:87:41 brd ff:ff:ff:ff:ff:ff     inet 10.3.0.1/16 brd 10.3.255.255 scope global eth4 
    13: ppp0:  mtu 1492 qdisc hfsc state UNKNOWN qlen 3     link/ppp      inet 71.212.26.3 peer 63.231.10.254/32 scope global ppp0 15: ifb0:  mtu 1500 qdisc tbf state UNKNOWN qlen 32     link/ether 5a:63:63:0a:94:9c brd ff:ff:ff:ff:ff:ff 
     
     
     
     
    There are no current dynamic DHCP leases.
    This MAC is not found in the static address table.
    Since this is a MAC address from a device from a DoD address, I wouldn't expect it to be found locally but I have done the due-diligence anyway.

    From the Timeplex web site:
    [SIZE=2]As TimePlex, we provide
    [/SIZE]

    • [FONT=Arial][SIZE=2]Networking Products -- [/SIZE][/FONT][FONT=Arial][SIZE=1]you can count on[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]ATM (
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Cell Exchange)[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]TDM and compressed voice products (
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Link/2 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]and [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Synchrony ST-[/SIZE][/FONT][FONT=Arial][SIZE=2]1000)[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Frame Relay including VoFR (Synchrony ST-1000)
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Network Management (TimeView and SNMS)
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Services -- [/SIZE][/FONT][FONT=Arial][SIZE=1]we care [/SIZE][/FONT][FONT=Arial][SIZE=1]for [/SIZE][/FONT][FONT=Arial][SIZE=1]your business[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Maintenance contract
    [/SIZE][/FONT][FONT=Arial][SIZE=2]s[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Repairing 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex products[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Migrat
    [/SIZE][/FONT][FONT=Arial][SIZE=2]ing[/SIZE][/FONT][FONT=Arial][SIZE=2] network[/SIZE][/FONT][FONT=Arial][SIZE=2]s[/SIZE][/FONT][FONT=Arial][SIZE=2] into ATM for all your customized 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]networking requirements[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Training courses for Timeplex products
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Manufacturing -- [/SIZE][/FONT][FONT=Arial][SIZE=1]proud [/SIZE][/FONT][FONT=Arial][SIZE=1]to be [/SIZE][/FONT][FONT=Arial][SIZE=1]made in U.S.A.[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Providing contract manufacturing with high quality and 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]satisfaction[/SIZE][/FONT]

    [SIZE=2][FONT=Arial]
    [/FONT][/SIZE]
Reply
  • 0 in reply to BarryG
    Here's the interface table of the UTM  hint: it's not in there.

    1: lo:  mtu 65536 qdisc noqueue state UNKNOWN      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00     inet 127.0.0.1/8 scope host lo     inet6 ::1/128 scope host         valid_lft forever preferred_lft forever 
    2: eth0:  mtu 1500 qdisc hfsc state UNKNOWN qlen 1000     link/ether 00:0c:29:f2:87:19 brd ff:ff:ff:ff:ff:ff     inet 10.1.1.2/16 brd 10.1.255.255 scope global eth0 
    3: eth1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000     link/ether 00:0c:29:f2:87:23 brd ff:ff:ff:ff:ff:ff 
    4: eth2:  mtu 1500 qdisc noop state DOWN qlen 1000     link/ether 00:0c:29:f2:87:2d brd ff:ff:ff:ff:ff:ff 
    5: eth3:  mtu 1500 qdisc pfifo_fast state UP qlen 1000     link/ether 00:0c:29:f2:87:37 brd ff:ff:ff:ff:ff:ff     inet 172.16.0.1/12 brd 172.31.255.255 scope global eth3 
    6: eth4:  mtu 1500 qdisc pfifo_fast state UP qlen 1000     link/ether 00:0c:29:f2:87:41 brd ff:ff:ff:ff:ff:ff     inet 10.3.0.1/16 brd 10.3.255.255 scope global eth4 
    13: ppp0:  mtu 1492 qdisc hfsc state UNKNOWN qlen 3     link/ppp      inet 71.212.26.3 peer 63.231.10.254/32 scope global ppp0 15: ifb0:  mtu 1500 qdisc tbf state UNKNOWN qlen 32     link/ether 5a:63:63:0a:94:9c brd ff:ff:ff:ff:ff:ff 
     
     
     
     
    There are no current dynamic DHCP leases.
    This MAC is not found in the static address table.
    Since this is a MAC address from a device from a DoD address, I wouldn't expect it to be found locally but I have done the due-diligence anyway.

    From the Timeplex web site:
    [SIZE=2]As TimePlex, we provide
    [/SIZE]

    • [FONT=Arial][SIZE=2]Networking Products -- [/SIZE][/FONT][FONT=Arial][SIZE=1]you can count on[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]ATM (
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Cell Exchange)[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]TDM and compressed voice products (
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Link/2 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]and [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex [/SIZE][/FONT][FONT=Arial][SIZE=2]Synchrony ST-[/SIZE][/FONT][FONT=Arial][SIZE=2]1000)[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Frame Relay including VoFR (Synchrony ST-1000)
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Network Management (TimeView and SNMS)
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Services -- [/SIZE][/FONT][FONT=Arial][SIZE=1]we care [/SIZE][/FONT][FONT=Arial][SIZE=1]for [/SIZE][/FONT][FONT=Arial][SIZE=1]your business[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Maintenance contract
    [/SIZE][/FONT][FONT=Arial][SIZE=2]s[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Repairing 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]Timeplex products[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Migrat
    [/SIZE][/FONT][FONT=Arial][SIZE=2]ing[/SIZE][/FONT][FONT=Arial][SIZE=2] network[/SIZE][/FONT][FONT=Arial][SIZE=2]s[/SIZE][/FONT][FONT=Arial][SIZE=2] into ATM for all your customized 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]networking requirements[/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]
    • [FONT=Arial][SIZE=2]Training courses for Timeplex products
    [/SIZE][/FONT][FONT=Arial][SIZE=2]
    [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Manufacturing -- [/SIZE][/FONT][FONT=Arial][SIZE=1]proud [/SIZE][/FONT][FONT=Arial][SIZE=1]to be [/SIZE][/FONT][FONT=Arial][SIZE=1]made in U.S.A.[/SIZE][/FONT][FONT=Arial][SIZE=1]
      [/SIZE][/FONT]



    • [FONT=Arial][SIZE=2]Providing contract manufacturing with high quality and 
    [/SIZE][/FONT][FONT=Arial][SIZE=2]satisfaction[/SIZE][/FONT]

    [SIZE=2][FONT=Arial]
    [/FONT][/SIZE]
Children
  • 0 in reply to SalishSwede
    [SIZE=2][FONT=Arial]Fascinating.  
    It seems the DoD is  indeed inserting itself into the VPN traffic created between my devices  and the UTM.  They appear to be redirecting VPN traffic through their datacenters. Due to the strange set of firewall rules I created, a  partial connection is made between the DoD and services elsewhere which include Facebook.  When half of the traffic is blocked and logged the traffic becomes evident to the firewall.  I'll fiddle with the rules and see if I can find out more.  

    I assume this will be corrected by the spooks involved at some point, however.  It remains to be seen how quickly.
    [/FONT][/SIZE]
  • 0 in reply to SalishSwede
    Note: this is further evidence that the Executive Branch of the US government has completely disregarded the Bill of Rights.

    My conclusion:  L2TP has been completely compromised and should be avoided at all costs.  L2TP thus joins PPTP in the category of "Worse than Useless" for security protocols.