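How to check, from the command line, which IP addresses tried to connect to a SoftEther VPN server

Introduction

Suppose you end up operating a SoftEther VPN server (sometimes abbreviated below as "VPN server"). In that case, it is natural to want to know whether there has been any unauthorized access.

But where should you look, and what should you check? I wanted to have a method for this worked out, so I wrote it up in this post.

I will add to it or revise it as I find better methods.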

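Checking the server log (server_log)

SoftEther VPN server keeps several logs, and I think looking at one of them, the server log, is the quickest way.

  • The global IP address that attempted a VPN connection to the VPN server
  • The VPN protocol used at that time
  • Whether the VPN connection succeeded
  • The timestamp of the attempt

Looking at the server log lets you confirm this kind of information.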

Server log when an L2TP/IPSec VPN connection succeeds

When a Chromebook connects successfully over L2TP/IPSec, the following is recorded in the server log.

2021-08-08 12:44:47.984 IPsec Client 14 (126.xx.yy.zz:56101 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:44:47.984 IPsec IKE Session (IKE SA) 9 (Client: 14) (126.xx.yy.zz:56101 -> 172.16.1.2:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x4C5BCAEA82080AA7, Responder Cookie: 0x47614F00E9011904, DH Group: MODP 3072 (Group 15), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 10800 seconds
2021-08-08 12:44:48.167 IPsec Client 14 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): The port number information of this client is updated.
2021-08-08 12:44:48.167 IPsec Client 14 (126.xx.yy.zz:4500 -> 172.16.1.2:4500):
2021-08-08 12:44:48.167 IPsec IKE Session (IKE SA) 9 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IKE SA is established between the server and the client.
2021-08-08 12:44:48.227 IPsec IKE Session (IKE SA) 9 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): The client initiates a QuickMode negotiation.
2021-08-08 12:44:48.227 IPsec ESP Session (IPsec SA) 16 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xCFC74A2C, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2021-08-08 12:44:48.227 IPsec ESP Session (IPsec SA) 16 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0xCC494F1D, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2021-08-08 12:44:48.288 IPsec ESP Session (IPsec SA) 16 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec SA is established between the server and the client.
2021-08-08 12:44:48.989 IPsec Client 14 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): The L2TP Server Module is started.
2021-08-08 12:44:49.091 L2TP PPP Session [126.xx.yy.zz:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 126.xx.yy.zz (Hostname: "localhost"), Port Number of PPP Client: 1701, IP Address of PPP Server: 172.16.1.2, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2021-08-08 12:44:49.172 On the TCP Listener (Port 0), a Client (IP address 126.xx.yy.zz, Host name "softbank1234567890xx.bbtec.net", Port number 1701) has connected.
2021-08-08 12:44:49.172 For the client (IP address: 126.xx.yy.zz, host name: "softbank1234567890xx.bbtec.net", port number: 1701), connection "CID-13" has been created.
2021-08-08 12:44:49.182 SSL communication for connection "CID-13" has been started. The encryption algorithm name is "(null)".
2021-08-08 12:44:49.182 [HUB "hogehoge-vhub"] The connection "CID-13" (IP address: 126.xx.yy.zz, Host name: softbank1234567890xx.bbtec.net, Port number: 1701, Client name: "L2TP VPN Client", Version: 4.34, Build: 9745) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "nobi".
2021-08-08 12:44:49.182 [HUB "hogehoge-vhub"] Connection "CID-13": Successfully authenticated as user "nobi".
2021-08-08 12:44:49.192 [HUB "hogehoge-vhub"] Connection "CID-13": The new session "SID-NOBI-[L2TP]-8" has been created. (IP address: 126.xx.yy.zz, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2021-08-08 12:44:49.192 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-8": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2021-08-08 12:44:49.192 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-8": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "localhost", Client IP address: "126.xx.yy.zz", Client port number: 1701, Server host name: "172.16.1.2", Server IP address: "172.16.1.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "hogehoge-vhub", Client unique ID: "63A09AC4367ED5A9D13EA8A894F9C15B")
2021-08-08 12:44:49.232 L2TP PPP Session [126.xx.yy.zz:1701]: Trying to request an IP address from the DHCP server.
2021-08-08 12:44:49.588 [HUB "hogehoge-vhub"] Session "SID-LOCALBRIDGE-1": The DHCP server of host "00-A0-DE-CB-6F-17" (10.1.0.1) on this session allocated, for host "SID-NOBI-[L2TP]-8" on another session "CA-02-EB-9B-0E-32", the new IP address 10.1.0.3.
2021-08-08 12:44:49.588 L2TP PPP Session [126.xx.yy.zz:1701]: An IP address is assigned. IP Address of Client: 10.1.0.3, Subnet Mask: 255.255.255.0, Default Gateway: 10.1.0.1, Domain Name: "", DNS Server 1: 10.1.0.1, DNS Server 2: 1.1.1.1, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0, IP Address of DHCP Server: 10.1.0.1, Lease Lifetime: 259200 seconds
2021-08-08 12:44:49.588 L2TP PPP Session [126.xx.yy.zz:1701]: The IP address and other network information parameters are set successfully. IP Address of Client: 10.1.0.3, Subnet Mask: 255.255.255.0, Default Gateway: 10.1.0.1, DNS Server 1: 10.1.0.1, DNS Server 2: 1.1.1.1, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0

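In addition to the VPN client's global IP address (126.xx.yy.zz in the log above), you can also tell that the client's provider is SoftBank.

Server log when the client disconnects the L2TP/IPSec VPN connection

While I am at it, I will record this as well.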

2021-08-08 12:59:05.537 IPsec ESP Session (IPsec SA) 16 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec SA is deleted.
2021-08-08 12:59:05.537 IPsec IKE Session (IKE SA) 9 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IKE SA is deleted.
2021-08-08 12:59:05.537 IPsec ESP Session (IPsec SA) 16 (Client: 14) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec SA is deleted.
2021-08-08 12:59:06.327 L2TP PPP Session [126.xx.yy.zz:1701]: The PPP session is disconnected because the upper-layer protocol "L2TP" has been disconnected.
2021-08-08 12:59:06.327 L2TP PPP Session [126.xx.yy.zz:1701]: The PPP session is disconnected.
2021-08-08 12:59:06.894 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-8": The session has been terminated. The statistical information is as follows: Total outgoing data size: 363970 bytes, Total incoming data size: 355506 bytes.
2021-08-08 12:59:06.914 Connection "CID-13" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2021-08-08 12:59:06.914 Connection "CID-13" has been terminated.
2021-08-08 12:59:06.914 The connection with the client (IP address 126.xx.yy.zz, Port number 1701) has been disconnected.
2021-08-08 12:59:15.545 IPsec Client 14 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec Client is deleted.

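Server log when an L2TP/IPSec VPN connection fails

When the VPN connection cannot be established, the log looks like the following. This is the log from a test in which I attempted a VPN connection from a Chromebook deliberately configured with the wrong pre-shared key.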

2021-08-08 13:04:29.431 IPsec Client 15 (126.xx.yy.zz:23812 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 13:04:29.441 IPsec IKE Session (IKE SA) 10 (Client: 15) (126.xx.yy.zz:23812 -> 172.16.1.2:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xF1F5B25750D1396B, Responder Cookie: 0x489B2F130C300299, DH Group: MODP 3072 (Group 15), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 10800 seconds
2021-08-08 13:04:29.634 IPsec Client 15 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): The port number information of this client is updated.
2021-08-08 13:04:39.515 IPsec Client 15 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec Client is deleted.
2021-08-08 13:04:39.515 IPsec IKE Session (IKE SA) 10 (Client: 15) (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IKE SA is deleted.
2021-08-08 13:04:40.855 IPsec Client 16 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 13:04:51.404 IPsec Client 16 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec Client is deleted.
2021-08-08 13:04:53.801 IPsec Client 17 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 13:05:04.911 IPsec Client 17 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): This IPsec Client is deleted.

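You can see that there is far less log output than when the VPN connection succeeds.

The log shows Client 15, 16, and 17; at a glance, 16 and 17 look like retries by the Chromebook. In other words, it seems to attempt the VPN connection up to 3 times and give up after 3 consecutive failures.

Commands to check for accesses that successfully connected over L2TP/IPSec

To list the IP addresses of clients that attempted a VPN connection, regardless of success or failure, a grep command like the following should do.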

$ sudo grep 'IPsec client is created' server_log/vpn_20210808.log
2021-08-08 10:14:47.644 IPsec Client 4 (216.aa.bb.cc:46061 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 10:38:43.364 IPsec Client 5 (126.xx.yy.zz:62258 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:24:37.321 IPsec Client 6 (126.xx.yy.zz:56430 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:25:58.735 IPsec Client 7 (126.xx.yy.zz:56430 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:29:58.418 IPsec Client 8 (126.xx.yy.zz:56430 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:30:09.814 IPsec Client 9 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 12:30:22.780 IPsec Client 10 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 12:33:24.817 IPsec Client 11 (126.xx.yy.zz:56430 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:33:36.228 IPsec Client 12 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 12:33:49.188 IPsec Client 13 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 12:44:47.984 IPsec Client 14 (126.xx.yy.zz:56101 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 13:04:29.431 IPsec Client 15 (126.xx.yy.zz:23812 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 13:04:40.855 IPsec Client 16 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
2021-08-08 13:04:53.801 IPsec Client 17 (126.xx.yy.zz:4500 -> 172.16.1.2:4500): A new IPsec client is created.
$

To see which of the accesses found above actually succeeded in connecting, use the following (one example).

$ sudo grep 'details' server_log/vpn_20210808.log
2021-08-08 10:38:44.601 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-5": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "localhost", Client IP address: "126.xx.yy.zz", Client port number: 1701, Server host name: "172.16.1.2", Server IP address: "172.16.1.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "hogehoge-vhub", Client unique ID: "63A09AC4367ED5A9D13EA8A894F9C15B")
2021-08-08 12:24:38.834 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-6": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "localhost", Client IP address: "126.xx.yy.zz", Client port number: 1701, Server host name: "172.16.1.2", Server IP address: "172.16.1.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "hogehoge-vhub", Client unique ID: "63A09AC4367ED5A9D13EA8A894F9C15B")
2021-08-08 12:25:59.953 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-7": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "localhost", Client IP address: "126.xx.yy.zz", Client port number: 1701, Server host name: "172.16.1.2", Server IP address: "172.16.1.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "hogehoge-vhub", Client unique ID: "63A09AC4367ED5A9D13EA8A894F9C15B")
2021-08-08 12:44:49.192 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-8": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 434, Client build number: 9745, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9745, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "localhost", Client IP address: "126.xx.yy.zz", Client port number: 1701, Server host name: "172.16.1.2", Server IP address: "172.16.1.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "hogehoge-vhub", Client unique ID: "63A09AC4367ED5A9D13EA8A894F9C15B")
$
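
The two grep commands above can be combined into a per-source-IP tally, so that addresses which created IPsec clients but never obtained a session stand out. This is an added example, not part of the original post: the function names are hypothetical, the sample log lines are constructed (with a shortened "details" line), and IPv4 source addresses are assumed.

```shell
#!/bin/sh
# Added example: per-source-IP tally of L2TP/IPsec attempts vs. successful sessions.

write_sample_log() {    # constructed sample lines (RFC 5737 addresses), not real data
    cat > "$1" <<'EOF'
2021-08-08 10:14:47.644 IPsec Client 4 (198.51.100.23:46061 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:44:47.984 IPsec Client 14 (203.0.113.7:56101 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 12:44:49.192 [HUB "hogehoge-vhub"] Session "SID-NOBI-[L2TP]-8": VPN Client details: (Client product name: "L2TP VPN Client", Client IP address: "203.0.113.7", Client port number: 1701)
2021-08-08 13:04:29.431 IPsec Client 15 (203.0.113.7:23812 -> 172.16.1.2:500): A new IPsec client is created.
2021-08-08 13:04:40.855 IPsec Client 16 (203.0.113.7:4500 -> 172.16.1.2:4500): A new IPsec client is created.
EOF
}

summarize_vpn_log() {   # $1: server log path; prints "IP attempts=N success=M"
    awk '
    /A new IPsec client is created\./ {
        # Source is the first address inside "(IP:port -> IP:port)"; IPv4 assumed.
        if (match($0, /\([^ ]+:[0-9]+ -> /)) {
            src = substr($0, RSTART + 1, RLENGTH - 5)   # drop "(" and " -> "
            sub(/:[0-9]+$/, "", src)                     # drop the source port
            attempts[src]++
        }
    }
    /VPN Client details:/ {
        # On this page the details line appears only in the successful-connection log.
        if (match($0, /Client IP address: "[^"]*"/))
            success[substr($0, RSTART + 20, RLENGTH - 21)]++
    }
    END {
        for (ip in attempts) seen[ip]
        for (ip in success) seen[ip]
        for (ip in seen)
            printf "%s attempts=%d success=%d\n", ip, attempts[ip], success[ip]
    }' "$1" | sort
}

failed_only_sources() { # sources that created IPsec clients but never got a session
    summarize_vpn_log "$1" | awk '$3 == "success=0" { print $1 }'
}

sample=$(mktemp)
write_sample_log "$sample"
summarize_vpn_log "$sample"
rm -f "$sample"
```

The attempts figure counts "IPsec client is created" lines, so a single failed connection can contribute several (as with Client 15, 16 and 17 above). On a real server the log is read with sudo, as in the grep commands.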

Notes

If you use HTTPS (SSL-VPN) or OpenVPN, a separate way of checking needs to be established.
