Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 28 replies
  • Subscribers 1 subscriber
  • Views 21092 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

US Dept of Defense integrated into L2TP VPN?

SalishSwede
My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:  
Source:

21.194.27.36  Dept of Defense

Dest:

50.115.125.93   [URL="http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a50.115.125.93&run=toolpage#"]50.115.125.93.static.westdc.net  ??
[/URL]

              69.171.245.49   Facebook

Here's what I can find on the source:
[SIZE=2]Location[/SIZE]                     [SIZE=2]  UNITED STATES, OHIO, COLUMBUS[/SIZE]                                                       [SIZE=2]Latitude, Longitude[/SIZE]                     [SIZE=2]39.96638, -83.01277 (39°57'59"S   -83°0'46"E)[/SIZE]                                                       [SIZE=2]Connection through[/SIZE]                     [SIZE=2]DOD NETWORK INFORMATION CENTER[/SIZE]                                                       [SIZE=2]Local Time[/SIZE]                     [SIZE=2]04 Dec, 2013 05:17 PM (UTC -05:00)[/SIZE]                                                       [SIZE=2]Domain[/SIZE]                     [SIZE=2]NIC.MIL[/SIZE]
Here are a couple of lines from the logs:

[FONT=monospace]14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
 
Note the L2TP is the traffic being parsed. 

Could I get some fresh eyes on this?

Thanks,

Doug


This thread was automatically locked due to age.
Parents
  • 0
    The questions I'd ask are.

    1) What is the public IP address of your phone? I could care less what the exact IP is, more does it match to the suspected DoD IP block? In the case of the CG NAT'd systems, the phone's public IP was a DoD address.

    2) Do you facebook from your phone?

    On the surface of it, my immediate thought is that if your Cell Provider's network uses a DoD address, it's not outside the realm of posibility that your phone L2TP client is trying reach facebook and the like over the L2TP connection but the UTM doesn't like that so is rejecting the traffic.
  • 0 in reply to TheDrew
    Bingo!  Thanks.
    Edit: This clarifies the ip address but as my later post points out, this address should not be sending traffic to external addresses like Google or Facebook.  This traffic should have been encapsulated and thus have the vpn ip address.
Reply
  • 0 in reply to TheDrew
    Bingo!  Thanks.
    Edit: This clarifies the ip address but as my later post points out, this address should not be sending traffic to external addresses like Google or Facebook.  This traffic should have been encapsulated and thus have the vpn ip address.
Children
No Data