Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 28 replies
  • Subscribers 1 subscriber
  • Views 21092 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

US Dept of Defense integrated into L2TP VPN?

SalishSwede
My carrier, Sprint is using legacy DoD addresses for cell phone connections but there appears to be something wrong with the VPN functionality... see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:  
Source:

21.194.27.36  Dept of Defense

Dest:

50.115.125.93   [URL="http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a50.115.125.93&run=toolpage#"]50.115.125.93.static.westdc.net  ??
[/URL]

              69.171.245.49   Facebook

Here's what I can find on the source:
[SIZE=2]Location[/SIZE]                     [SIZE=2]  UNITED STATES, OHIO, COLUMBUS[/SIZE]                                                       [SIZE=2]Latitude, Longitude[/SIZE]                     [SIZE=2]39.96638, -83.01277 (39°57'59"S   -83°0'46"E)[/SIZE]                                                       [SIZE=2]Connection through[/SIZE]                     [SIZE=2]DOD NETWORK INFORMATION CENTER[/SIZE]                                                       [SIZE=2]Local Time[/SIZE]                     [SIZE=2]04 Dec, 2013 05:17 PM (UTC -05:00)[/SIZE]                                                       [SIZE=2]Domain[/SIZE]                     [SIZE=2]NIC.MIL[/SIZE]
Here are a couple of lines from the logs:

[FONT=monospace]14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
[FONT=monospace]14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f[:D]2:32:f7
[/FONT]
 
Note the L2TP is the traffic being parsed. 

Could I get some fresh eyes on this?

Thanks,

Doug


This thread was automatically locked due to age.
Parents
  • 0
    The questions I'd ask are.

    1) What is the public IP address of your phone? I could care less what the exact IP is, more does it match to the suspected DoD IP block? In the case of the CG NAT'd systems, the phone's public IP was a DoD address.

    2) Do you facebook from your phone?

    On the surface of it, my immediate thought is that if your Cell Provider's network uses a DoD address, it's not outside the realm of posibility that your phone L2TP client is trying reach facebook and the like over the L2TP connection but the UTM doesn't like that so is rejecting the traffic.
  • 0 in reply to TheDrew
    1) What is the public IP address of your phone? I could care less what the exact IP is, more does it match to the suspected DoD IP block? 


    Dougga, you can look through your l2tp logs on the UTM to find the phone's previous addresses.
    Edit: Nevermind. I see you found the IP.

    BTW, when posting multiple replies in a row, it's hard to tell which post you're replying to if there's no quote. e.g. "Bingo! Thanks."

    Glad you got it figured out.

    Barry
  • 0 in reply to BarryG
    My head's not adequately wrapping around how a vpn ip address created on my phone and it's associated MAC addresss made it to the UTM.  The UTM shows the DoD/Sprint cell address sending traffic to Facebook and the like.  This shouldn't happen in my understanding of tunnelling. Any traffic going through the tunnel should be using the internal VPN pool address of 10.242.x.y.  

    21.x.y.z (my phone's internet addr)----> UTM External Addr 75.x.y.z 
    10.242.x.y (L2TP Tunnel Addr)     -----> Separate routing rules for L2TP Pool 10.242/16

    How did 21.x.y.z source address get sent to facebook or google public addresses.  This is bypassing the VPN functionality, otherwise the packet filter would show 10.242.x.y as the source address.

    What am I missing?
Reply
  • 0 in reply to BarryG
    My head's not adequately wrapping around how a vpn ip address created on my phone and it's associated MAC addresss made it to the UTM.  The UTM shows the DoD/Sprint cell address sending traffic to Facebook and the like.  This shouldn't happen in my understanding of tunnelling. Any traffic going through the tunnel should be using the internal VPN pool address of 10.242.x.y.  

    21.x.y.z (my phone's internet addr)----> UTM External Addr 75.x.y.z 
    10.242.x.y (L2TP Tunnel Addr)     -----> Separate routing rules for L2TP Pool 10.242/16

    How did 21.x.y.z source address get sent to facebook or google public addresses.  This is bypassing the VPN functionality, otherwise the packet filter would show 10.242.x.y as the source address.

    What am I missing?
Children
No Data