I have network with 2 gateways, one is CP other is Mikrotik.
Mikrotik is in its own vlan. No access to any part of CP network.
Network have about 50 vlans, intervlan routing is done by L3 switch. (no routing for mikrotiks vlan)
CP is GW for all networks accept for vlan of mikrotik.
Everything is working fine. I can not access mikrotik vlan form any CP network and vice versa.
few days ago I found logs on CP:
Interface Direction: inbound
Interface Name: eth0
Id Generated By Indexer:false
First: true
Sequencenum: 4
Source: 10.20.0.89 (this is network, that is used for "Mikrotik network"
Source Port: 4500
Destination: x.x.x.x
Destination Port: 4500
IP Protocol: 17
Message Information: Address spoofing
Action: Detect
Type: Log
Blade: Firewall
Service: UDP/4500
Product Family: Access
Interface: eth0
Description: IKE_NAT_TRAVERSAL Traffic Detected from 10.20.0.89 to x.x.x.x
with x.x.x.x I hided public IP address of destination, but it is legit IP WAN address.
privat IP is allways the same (10.20.0.89) that is strange, because there was few same events in range of few days (DHCP leash time on Mikrotik is 1day and I do not use reservations)
Obviously I have some misconfiguration on network or someone is doing something bad on network.
I did try my best to repeat the event, but I cant find way to do it.
I couldn't find it on Mikrotik DHCP log, since leash time released IP.
How can I find out what is going on? Few users have access to both networks, is it possible that Windows (or software) somehow route two networks together? Mikrotik is WiFi network.
I want to replicate this event, so I will know what is wrong and protect network.
Is this misconfiguration of the LAN, misconfiguration of endpoint PC or is someone really spoofing LAN address?
No other traffic is detected on CP from "Mikrotik network" only this IP and only IKE_NAT_TRAVERSAL.