This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/Ipsec - unclear logs

Dear all,

Since a while I see unclear logs, If a couple of users are connected I see the following eg.

2020:11:16-08:40:18 utm pluto[6634]: "L_for USER&02"[31]

The user which is shown is always the first user of my ltp pool of users but the strange and unclear thing is that this user which is shown L_for User is not connected !?

Additionally I get the following message if a client connects:

Overriding mtu 1500 to 1380

It's not really an issue but I do not understand this behaviour and it may releate to an issue ?

Thx and Best

This thread was automatically locked due to age.

0 mfpck over 3 years ago

++ Cannot determine ethernet address for proxy ARP
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago

Hallo,

There's no context for the log line from pluto - maybe show us 10-20 lines before and after?.

The mtu line seems normal, but, again, without context, it's difficult to "see" what's happening.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mfpck over 3 years ago in reply to BAlfson

Hi,

As I wrote above, the most mysterious log is the L for user log part which I really do not understand, If some user eg. user x connects all starts with the first configuered user in l2tp in utm. Eg.

2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: received Vendor ID payload [RFC 3947]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2020:11:21-11:58:39 utm pluto[6634]: packet from IP:61485: received Vendor ID payload [Dead Peer Detection]
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61485 #2847: responding to Main Mode from unknown peer IP:61485
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61485 #2847: NAT-Traversal: Result using RFC 3947: peer is NATed
2020:11:21-11:58:39 utm pluto[6634]: | NAT-T: new mapping IP:61485/61486)
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61486 #2847: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] IP:61486 #2847: Peer ID is ID_IPV4_ADDR: '192.168.178.27'
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: deleting connection "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[638] instance with peer IP {isakmp=#0/ipsec=#0}
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: Dead Peer Detection (RFC 3706) enabled
2020:11:21-11:58:39 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[639] IP:61486 #2847: sent MR3, ISAKMP SA established
2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: responding to Quick Mode
2020:11:21-11:58:40 utm pluto[6634]: "L_for FIRST-USER-IN-SOPHOS-L2TP&02"[325] IP:61486 #2848: IPsec SA established {ESP=>0x0b6826e4 <0x951b06bb NATOA=192.168.178.27 DPD}
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin aua.so loaded.
2020:11:21-11:58:40 utm pppd-l2tp[26362]: AUA plugin initialized.
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin ippool.so loaded.
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Plugin pppol2tp.so loaded.
2020:11:21-11:58:40 utm pppd-l2tp[26362]: pppd 2.4.7 started by (unknown), uid 0
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Using interface ppp1
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Connect: ppp1 <-->
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Overriding mtu 1500 to 1380
2020:11:21-11:58:40 utm pppd-l2tp[26362]: Overriding mru 1500 to mtu value 1380
2020:11:21-11:58:41 utm pppd-l2tp[26362]: Overriding mtu 1500 to 1380
2020:11:21-11:58:43 utm pppd-l2tp[26362]: Cannot determine ethernet address for proxy ARP
2020:11:21-11:58:43 utm pppd-l2tp[26362]: local IP address 10.242.3.1
2020:11:21-11:58:43 utm pppd-l2tp[26362]: remote IP address 10.242.3.3
2020:11:21-11:58:43 utm pppd-l2tp[26362]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username=“SOME-USER” variant="l2tp" srcip="IP" virtual_ip="10.242.3.3"

Best & Greets
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to mfpck

OK, I can hazard a guess. If 192.168.178.27 is in a local subnet on an Interface on your UTM, L2TP/IPsec tends to misbehave.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel