L2TP/IPsec - unclear logs

Dear all,

For a while now I have been seeing unclear logs. If a couple of users are connected, I see the following, e.g.:

2020:11:16-08:40:18 utm pluto[6634]: "L_for USER&02"[31]

The user which is shown is always the first user of my L2TP pool of users, but the strange and unclear thing is that this user, which is shown as L_for User, is not connected!?

Additionally I get the following message if a client connects:

Overriding mtu 1500 to 1380

It's not really an issue, but I do not understand this behaviour, and it may relate to an issue?

Thx and Best



[edited by: m f2 at 8:17 AM (GMT -8) on 16 Nov 2020]

  • Hallo,

    There's no context for the log line from pluto - maybe show us 10-20 lines before and after?

    The mtu line seems normal, but, again, without context, it's difficult to "see" what's happening.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    As I wrote above, the most mysterious log is the "L_for user" log part, which I really do not understand. If some user, e.g. user x, connects, everything starts with the first configured user in L2TP in the UTM. E.g.:

    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: received Vendor ID payload [RFC 3947]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: received Vendor ID payload [Dead Peer Detection]
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61485 #2847: responding to Main Mode from unknown peer IP:61485
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61485 #2847: NAT-Traversal: Result using RFC 3947: peer is NATed
    2020:11:21-11:58:39 utm pluto[6634]: | NAT-T: new mapping IP:61485/61486)
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61486 #2847: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61486 #2847: Peer ID is ID_IPV4_ADDR: '192.168.178.27'
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: deleting connection "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] instance with peer IP {isakmp=#0/ipsec=#0}
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: Dead Peer Detection (RFC 3706) enabled
    2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: sent MR3, ISAKMP SA established
    2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: responding to Quick Mode
    2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: IPsec SA established {ESP=>0x0b6826e4 <0x951b06bb NATOA=192.168.178.27 DPD}
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin aua.so loaded.
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: AUA plugin initialized.
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin ippool.so loaded.
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin pppol2tp.so loaded.
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: pppd 2.4.7 started by (unknown), uid 0
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Using interface ppp1
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Connect: ppp1 <-->
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Overriding mtu 1500 to 1380
    2020:11:21-11:58:40 utm pppd-l2tp[26362]: Overriding mru 1500 to mtu value 1380
    2020:11:21-11:58:41 utm pppd-l2tp[26362]: Overriding mtu 1500 to 1380
    2020:11:21-11:58:43 utm pppd-l2tp[26362]: Cannot determine ethernet address for proxy ARP
    2020:11:21-11:58:43 utm pppd-l2tp[26362]: local IP address 10.242.3.1
    2020:11:21-11:58:43 utm pppd-l2tp[26362]: remote IP address 10.242.3.3
    2020:11:21-11:58:43 utm pppd-l2tp[26362]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="SOME-USER" variant="l2tp" srcip="IP" virtual_ip="10.242.3.3"

    Best & Greets

  • OK, I can hazard a guess.  If 192.168.178.27 is in a local subnet on an Interface on your UTM, L2TP/IPsec tends to misbehave.

    Cheers - Bob

     
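One way to check the guess in the last reply against a log like the one posted above (an added example, not part of the thread or of any Sophos tooling): it pulls the client's address behind NAT from the pluto `Peer ID` and `NATOA` fields, tests it against the UTM's interface subnets, and lists the username pppd reports for each session. The subnet list and the public peer address `203.0.113.10` are assumptions; the sample lines are constructed from the log in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the log in the thread; 203.0.113.10 is a
# documentation placeholder standing in for the redacted public peer address.
SAMPLE_LOG = """\
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] 203.0.113.10:61486 #2847: Peer ID is ID_IPV4_ADDR: '192.168.178.27'
2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] 203.0.113.10:61486 #2848: IPsec SA established {ESP=>0x0b6826e4 <0x951b06bb NATOA=192.168.178.27 DPD}
2020:11:21-11:58:43 utm pppd-l2tp[26362]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="SOME-USER" variant="l2tp" srcip="203.0.113.10" virtual_ip="10.242.3.3"
"""

# Assumption: subnets attached to the UTM's own interfaces (hypothetical values).
LOCAL_SUBNETS = ["192.168.178.0/24", "10.0.0.0/24"]

PEER_ID = re.compile(r"Peer ID is ID_IPV4_ADDR: '([0-9.]+)'")
NATOA = re.compile(r"NATOA=([0-9.]+)")
STARTED = re.compile(
    r'event="Connection started" username="([^"]+)".*virtual_ip="([0-9.]+)"'
)


def inner_addresses(log):
    """Return the client-side addresses announced behind NAT in pluto lines."""
    found = set()
    for line in log.splitlines():
        for rx in (PEER_ID, NATOA):
            m = rx.search(line)
            if m:
                found.add(ipaddress.ip_address(m.group(1)))
    return found


def overlaps(log, subnets):
    """Return (client address, local subnet) pairs where the two collide."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return sorted(
        (str(a), str(n)) for a in inner_addresses(log) for n in nets if a in n
    )


def authenticated_users(log):
    """Return (username, virtual_ip) for every pppd 'Connection started' event."""
    return STARTED.findall(log)


if __name__ == "__main__":
    print("overlapping client addresses:", overlaps(SAMPLE_LOG, LOCAL_SUBNETS))
    print("sessions reported by pppd:", authenticated_users(SAMPLE_LOG))
```

An empty result from `overlaps` means no client in the log sits in a subnet that the UTM also has on one of its interfaces.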