US Dept of Defense integrated into L2TP VPN?

My carrier, Sprint, is using legacy DoD addresses for cell phone connections, but there appears to be something wrong with the VPN functionality; see posts later in this thread.

I'm connecting my smartphone to my local home net using L2TP via the Sophos UTM.

I'm reviewing the firewall logs and notice traffic on port 443 being blocked between two addresses:

Source:

21.194.27.36   Dept of Defense

Dest:

50.115.125.93   50.115.125.93.static.westdc.net  ??

69.171.245.49   Facebook

Here's what I can find on the source:
Location:            UNITED STATES, OHIO, COLUMBUS
Latitude, Longitude: 39.96638, -83.01277 (39°57'59"S   -83°0'46"E)
Connection through:  DOD NETWORK INFORMATION CENTER
Local Time:          04 Dec, 2013 05:17 PM (UTC -05:00)
Domain:              NIC.MIL
Here are a couple of lines from the logs:

14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7

Note that the L2TP traffic is what is being parsed here.

Could I get some fresh eyes on this?

Thanks,

Doug


This thread was automatically locked due to age.
  • Hi,

    The MAC address is probably that of the tunnel.

    I agree with you that the IP should have been the 10.242 address; there's probably a bug in the Android l2tp client.

    The firewall seems to have done the right thing by dropping the packets, but I wonder why they were blocked by your rule and not by spoof protection (assuming that is turned on).

    Barry
  • I agree with you that the IP should have been the 10.242 address; there's probably a bug in the Android l2tp client.

    The firewall seems to have done the right thing by dropping the packets, but I wonder why they were blocked by your rule and not by spoof protection (assuming that is turned on).

    Yes, exactly.

    Spoof protection is indeed on.  Not strict, but on.  I may change that to strict. 

    There may be a problem with the UTM as well.  It could be a matter of precedence.  I see ambiguity in the management of traffic between the Application Control rules and the Firewall rules.  If rules are set in both places, there's no indication which has precedence, e.g. a Firewall rule blocking Steam traffic and an App Control rule allowing it.

    Best case is this is just a similar precedence issue.  In this case, before I put the DoD rule in, spoofing rules would have caught the traffic.  

    Worst case is, the traffic is allowed to flow un-managed and unencrypted.
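As an added example (not code from this thread, from Sophos, or from the UTM itself), here is a small Python audit that reads packet-filter log lines in the format quoted above and flags packets logged on the L2TP interface whose source address is outside the tunnel pool the posters expected. The 10.242.0.0/16 pool, the sample log (the four lines from the thread plus one constructed line carrying a pool address), and the function names are all assumptions; the thread only says the client "should have had the 10.242 address".

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected source pools per tunnel interface. ASSUMPTION: the thread only
# mentions "the 10.242 address", so the /16 is a placeholder for whatever
# pool the UTM actually hands out to L2TP clients.
EXPECTED_POOLS: Dict[str, List[ipaddress.IPv4Network]] = {
    "L2TP": [ipaddress.ip_network("10.242.0.0/16")],
}

# Constructed sample: the four lines quoted in the thread, plus one
# constructed line (14:08:30) with a source inside the assumed pool.
SAMPLE_LOG = """\
14:08:16 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:19 Packet filter rule #6 L2TP 21.194.27.36 : 38247 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:26 Packet filter rule #6 L2TP 21.194.27.36 : 39669 → 50.115.125.93 : 443 [RST] len=40 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
14:08:30 Packet filter rule #6 L2TP 10.242.2.2 : 41000 → 69.171.245.49 : 443 [ACK PSH] len=130 ttl=63 tos=0x00 srcmac=0:0:2f:d2:32:f7
"""

# One packet-filter line as it appears in the thread (hypothetical field
# names; the regex is tied to the quoted layout, not to a documented format).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) Packet filter rule #(?P<rule>\d+) (?P<iface>\S+) "
    r"(?P<src>[\d.]+) : (?P<sport>\d+) → (?P<dst>[\d.]+) : (?P<dport>\d+) "
    r"\[(?P<flags>[^\]]*)\] len=(?P<len>\d+) ttl=(?P<ttl>\d+) tos=(?P<tos>\S+) "
    r"srcmac=(?P<mac>\S+)$"
)


@dataclass
class PacketLine:
    time: str
    rule: int
    iface: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str
    srcmac: str


@dataclass
class Finding:
    line_no: int
    iface: str
    src: str
    dst: str
    dport: int
    reason: str


@dataclass
class AuditResult:
    findings: List[Finding] = field(default_factory=list)
    unparsed: List[int] = field(default_factory=list)  # 1-based line numbers
    parsed: int = 0


def parse_line(line: str) -> Optional[PacketLine]:
    """Parse one log line; return None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PacketLine(
        time=m["time"], rule=int(m["rule"]), iface=m["iface"],
        src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
        flags=m["flags"], srcmac=m["mac"],
    )


def audit(log_text: str, pools: Dict[str, List[ipaddress.IPv4Network]] = EXPECTED_POOLS) -> AuditResult:
    """Flag packets whose source does not belong to the pool of the interface they arrived on."""
    result = AuditResult()
    for no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        pkt = parse_line(raw)
        if pkt is None:
            result.unparsed.append(no)
            continue
        result.parsed += 1
        expected = pools.get(pkt.iface)
        if expected is None:
            continue  # no pool policy for this interface
        if not any(pkt.src in net for net in expected):
            reason = "source outside tunnel pool"
            if pkt.src.is_global:
                reason += " (publicly routable address on a tunnel interface)"
            result.findings.append(Finding(no, pkt.iface, str(pkt.src), str(pkt.dst), pkt.dport, reason))
    return result


if __name__ == "__main__":
    res = audit(SAMPLE_LOG)
    print(f"parsed {res.parsed} lines, {len(res.unparsed)} unparsed, {len(res.findings)} findings")
    for f in res.findings:
        print(f"line {f.line_no}: {f.iface} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

Run over the sample, the four quoted lines are flagged and the constructed 10.242.2.2 line passes; that is exactly the split a strict spoof-protection setting on the tunnel interface would be expected to enforce, which makes a check like this a cheap way to confirm from the logs whether the blocks come from spoof protection or from a later rule.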
  • Hi,

    there's probably a bug in the Android l2tp client.

    Barry


    I created a bug with the CyanogenMod team to look into this.

    https://jira.cyanogenmod.org/browse/CYAN-2864