[pptp-server] No masq table again.

Cowles, Steve Steve.Cowles at gte.net
Mon May 29 14:00:49 CDT 2000


> -----Original Message-----
> From: Grzegorz A. Wieczorek [mailto:gigo at ibb.waw.pl]
> Sent: Monday, May 29, 2000 1:16 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] No masq table again.
> 
> May 21 11:26:24 lirout kernel: ip_demasq_gre(): 10.11.12.11 -> 
> 10.11.12.1 CID=0 VER=1 PROTO=880B
> May 21 11:26:24 lirout kernel: ip_masq_in_get_gre(): lookup 
> 10.11.12.11->10.11.12.1 CID=0 FAIL
> May 21 11:26:24 lirout kernel: ip_demasq_gre(): 10.11.12.11 
> -> 10.11.12.1 
> CID=0 no masq table, discarding
> 

I got the above message back when I moved my PPTP server from behind my
Linux-based firewall to the firewall itself. e.g. I no longer had a masq'd
PPTP server on my 192.168.9.0/24 network.

When I moved PPTP to the firewall, I made all of the necessary changes to
the config files and the ipchain rules, but forgot to "remove" the
"ip_masq_gre" module when my system booted. Because the module was still
loaded, it saw a GRE packet hitting the external interface without the
corresponding masq'd entry in its outbound tables. e.g. It's trying to
"de-masq" the inbound packet, when it never masq'd an outbound packet in the
first place, so the lookup fails. When I removed (rmmod) the ip_masq_gre
module, I no longer got the above messages in my log files.

> The problem is I cannot route traffic any further than to my 
> vpn server. 

Without seeing your PPTP/pppd config files and given the fact you can at
least talk to the PPTP server, I would speculate that this is probably an
"ipchains" related problem. Although, this could be proxyarp related.
Anyway, I would download Tom Eastep's ipchains based firewall called
"Seawall" from http://seawall.sourceforge.net. Tom has gone into great
detail on dealing with pptp servers running on both the firewall and behind
a firewall. By simply editing a few (well documented) config files that
define your network topology, it will run the appropriate ipchain, ipmasqadm
and ipfwd commands necessary to deal with PPTP servers. This was a life
saver to me when I set up PPTP.

Steve Cowles
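
The check described in the reply above, as an added example that is not part of the original post: it counts the "no masq table, discarding" GRE drops per flow and reports whether ip_masq_gre is still listed as loaded. The function names and sample data are hypothetical; it assumes log lines in the single-line form of the quoted messages and a module list in /proc/modules format.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes kernel log lines in the single-line form of the messages quoted
# above, and a module list in /proc/modules format (name in column 1).

sample_log() {      # constructed sample, modelled on the quoted log lines
cat <<'EOF'
May 21 11:26:24 lirout kernel: ip_demasq_gre(): 10.11.12.11 -> 10.11.12.1 CID=0 VER=1 PROTO=880B
May 21 11:26:24 lirout kernel: ip_masq_in_get_gre(): lookup 10.11.12.11->10.11.12.1 CID=0 FAIL
May 21 11:26:24 lirout kernel: ip_demasq_gre(): 10.11.12.11 -> 10.11.12.1 CID=0 no masq table, discarding
May 21 11:26:25 lirout kernel: ip_demasq_gre(): 10.11.12.11 -> 10.11.12.1 CID=0 no masq table, discarding
May 21 11:26:30 lirout kernel: ip_demasq_gre(): 10.11.12.14 -> 10.11.12.1 CID=0 no masq table, discarding
EOF
}

sample_modules() {  # constructed sample; sizes and use counts are made up
cat <<'EOF'
ip_masq_gre 2344 0 (unused)
ppp 20236 2 (autoclean)
EOF
}

# stdin: kernel log. stdout: "<count> <src> -> <dst>" per discarded GRE flow.
gre_discards() {
  awk '/ip_demasq_gre\(\)/ && /no masq table, discarding/ {
         for (i = 2; i < NF; i++) if ($i == "->") n[$(i-1) " -> " $(i+1)]++
       }
       END { for (p in n) print n[p], p }' | sort -rn
}

# stdin: module list. Exit status 0 if module $1 is listed.
module_loaded() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# $1 = log file, $2 = module list file (/proc/modules on a live system)
diagnose() {
  drops=$(gre_discards < "$1" | awk '{ s += $1 } END { print s + 0 }')
  if [ "$drops" -eq 0 ]; then
    echo "ok: no GRE de-masq discards logged"
  elif module_loaded ip_masq_gre < "$2"; then
    echo "suspect: $drops discards and ip_masq_gre is loaded"
  else
    echo "stale: $drops discards logged but ip_masq_gre is not loaded"
  fi
}

tmp=$(mktemp -d)
sample_log > "$tmp/log"; sample_modules > "$tmp/mods"
gre_discards < "$tmp/log"
diagnose "$tmp/log" "$tmp/mods"
rm -rf "$tmp"
```

A "suspect" result matches the situation in the reply, where the module was still loaded after the PPTP server moved onto the firewall.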


