VPN
bugaga0112358, 2012-02-13 07:16:17

Finding the IP address of the initiator of an L2TP connection (Windows 2003)?

Good day.
The following situation has come up.
On one of the servers in the network, where it should not be, a VPN server was found. The following message appears in the logs periodically:

Не удалось найти сертификат.
Подключениям, которые используют этот протокол L2TP через IPSec, требуется установка на компьютере сертификата компьютера.
L2TP-вызовы приниматься не будут.

Just turning off the VPN is not interesting. What is interesting is to determine what is trying to connect to it. The server is not exposed to the Internet, therefore the initiator of the connection is on the local network.
I turned on verbose logging on the VPN server. After that, a connection was initiated, but I did not notice the source address in these detailed logs. I did notice a ton of debugging information, though.
So, the question: is it possible, using Windows' own tools, without installing ISA (as recommended on TechNet) and similar overhead, to determine the IP address of the initiator of the connection?


4 answer(s)
Naps, 2012-02-13
@Naps

C:\Windows\System32\LogFiles

egorinsk, 2012-02-13
@egorinsk

Can you just run netstat -al | grep (portnumber) >> log every 5 seconds? Or is TCP not used there?

shadowalone, 2012-02-13
@shadowalone

Close port 500 and port 1701 on the firewall and log it, no?
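
The firewall-and-log approach from this answer, as an added example that is not part of the original thread: a Python parser that tallies the source addresses of UDP packets aimed at ports 500 and 1701. It assumes dropped-packet logging is enabled and that the log uses the W3C-style Windows Firewall layout (pfirewall.log); the function name l2tp_initiators and all sample records are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample in the W3C-style layout of the Windows Firewall log
# (pfirewall.log); every address and timestamp below is made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2012-02-13 07:01:10 DROP UDP 192.168.10.57 192.168.10.5 500 500 132 - - - - - - -
2012-02-13 07:01:12 DROP TCP 192.168.10.80 192.168.10.5 3921 445 48 S 1 0 65535 - - -
2012-02-13 07:06:10 DROP UDP 192.168.10.57 192.168.10.5 500 500 132 - - - - - - -
2012-02-13 07:06:40 DROP UDP 192.168.10.91 192.168.10.5 1701 1701 96 - - - - - - -
2012-02-13 07:07:02 DROP UDP 192.168.10.80 192.168.10.5 137 137 78 - - - - - - -
truncated line
"""

def l2tp_initiators(log_text, ports=("500", "1701")):
    """Return {src-ip: {"count", "first", "last", "ports"}} for UDP packets
    sent to the given destination ports, in order of first appearance."""
    fields, seen = [], OrderedDict()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the marker
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # blank, comment, or no header yet
        values = line.split()
        if len(values) < len(fields):      # skip truncated records
            continue
        rec = dict(zip(fields, values))
        if rec.get("protocol") != "UDP" or rec.get("dst-port") not in ports:
            continue
        stamp = rec["date"] + " " + rec["time"]
        entry = seen.setdefault(rec["src-ip"],
                                {"count": 0, "first": stamp, "ports": set()})
        entry["count"] += 1
        entry["last"] = stamp
        entry["ports"].add(rec["dst-port"])
    return seen

if __name__ == "__main__":
    for ip, e in l2tp_initiators(SAMPLE_LOG).items():
        print(ip, e["count"], e["first"], e["last"], sorted(e["ports"]))
```

A host that reappears at a fixed interval, like the first address in the sample, matches the periodic log message described in the question.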

scatmanoleg, 2012-02-13
@scatmanoleg

For example, use a traffic sniffer on the machine; the simplest and most convenient is Wireshark. With it you can definitely get all the information.
