This showed up in my logs with an IP address from China…
l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
l2tp,debug,packet (M) Message-Type=SCCRQ
l2tp,debug,packet (M) Protocol-Version=0x01:00
l2tp,debug,packet (M) Framing-Capabilities=0x1
l2tp,debug,packet (M) Bearer-Capabilities=0x0
l2tp,debug,packet Firmware-Revision=0x601
l2tp,debug,packet (M) Host-Name="T450-150520-NB"
l2tp,debug,packet Vendor-Name="Microsoft"
l2tp,debug,packet (M) Assigned-Tunnel-ID=5
l2tp,debug,packet (M) Receive-Window-Size=8
They also tried with a couple of different vendor-names.
I don’t see any login attempts or failed username/password entries but I am curious if the above attempts would have been successful. I didn’t see any Installed SA, keys or additional users entered under IP>>IPSec. Just makes me nervous when I see repeated attempts from foreign countries trying to gain access to private networks.
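One way to tally the SCCRQ attempts shown in the post above, as an added example that is not part of the original post: it groups `l2tp,debug,packet` lines into control messages and lists each Host-Name that requested a tunnel under more than one Vendor-Name. The sample log is constructed in the format of the excerpt, `ExampleVendor` and the second tunnel ID are made-up values, and the parser assumes every message begins with a `tunnel-id=` header line.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above: two SCCRQ messages
# (trimmed AVP lists); "ExampleVendor" is a made-up second vendor name.
SAMPLE_LOG = """\
l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
l2tp,debug,packet (M) Message-Type=SCCRQ
l2tp,debug,packet Firmware-Revision=0x601
l2tp,debug,packet (M) Host-Name="T450-150520-NB"
l2tp,debug,packet Vendor-Name="Microsoft"
l2tp,debug,packet (M) Assigned-Tunnel-ID=5
l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
l2tp,debug,packet (M) Message-Type=SCCRQ
l2tp,debug,packet (M) Host-Name="T450-150520-NB"
l2tp,debug,packet Vendor-Name="ExampleVendor"
l2tp,debug,packet (M) Assigned-Tunnel-ID=6
"""

PREFIX = "l2tp,debug,packet "
HEADER = re.compile(r"tunnel-id=\d+, session-id=\d+, ns=\d+, nr=\d+")
AVP = re.compile(r"(?:\(M\) )?([A-Za-z-]+)=(.*)")

def parse_messages(text):
    """Group packet-debug lines into one dict of AVPs per control message."""
    messages = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):].strip()
        if HEADER.match(body):          # header line starts a new message
            messages.append({})
            continue
        m = AVP.fullmatch(body)
        if m and messages:
            # Drop straight or forum-curled quotes around string values.
            messages[-1][m.group(1)] = m.group(2).strip('"“”')
    return messages

def vendors_by_host(messages):
    """Map each Host-Name to the Vendor-Names seen in its SCCRQ messages."""
    seen = defaultdict(set)
    for msg in messages:
        if msg.get("Message-Type") == "SCCRQ":   # tunnel setup request
            seen[msg.get("Host-Name", "?")].add(msg.get("Vendor-Name", "?"))
    return dict(seen)

def hosts_rotating_vendor(messages):
    """Host-Names that asked for a tunnel under more than one Vendor-Name."""
    return sorted(h for h, v in vendors_by_host(messages).items() if len(v) > 1)
```

Calling `hosts_rotating_vendor(parse_messages(log_text))` on an exported log gives the Host-Names worth correlating with firewall or connection logs, since the debug lines themselves carry no source address.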