[pptp-server] PPTP client connection trough masqueraded firewall

Greg Muehl gregm at hiddenvillage.net
Wed May 30 15:23:16 CDT 2001


I have the same problem. I am using an extendnet4000 firewall at work 
(based on 2.2.14) that claims to support VPN port forwarding. I have it 
forward to an inside Linux Slackware 2.2.16 box.

I can connect multiple clients that are inside the local network (useless 
except for testing). Outside the network I get this in my pptpd.log when I 
connect multiple machines, even from different locations:

May 30 00:15:35 file_server pppd[227]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x3e94174e> <pcomp> <accomp>]
May 30 00:15:35 file_server pptpd[202]: GRE: Discarding out of order packet
May 30 00:15:35 file_server pptpd[226]: GRE: Discarding out of order packet
May 30 00:15:35 file_server pptpd[202]: GRE: Discarding out of order packet
May 30 00:15:35 file_server pptpd[226]: GRE: Discarding out of order packet
May 30 00:15:38 file_server pppd[227]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x3e94174e> <pcomp> <accomp>]
May 30 00:15:38 file_server pptpd[202]: GRE: Discarding out of order packet
May 30 00:15:38 file_server pptpd[226]: GRE: Discarding out of order packet
May 30 00:15:38 file_server pptpd[202]: GRE: Discarding out of order packet
May 30 00:15:38 file_server pptpd[226]: GRE: Discarding out of order packet
May 30 00:15:41 file_server pppd[227]: LCP: timeout sending Config-Requests
May 30 00:15:41 file_server pppd[227]: Connection terminated.
May 30 00:15:41 file_server pppd[227]: Exit.
May 30 00:15:41 file_server pptpd[226]: GRE: read(fd=4,buffer=804d840,len=8196) from PTY failed: status = -1 error = Input/output error
May 30 00:15:41 file_server pptpd[226]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 30 00:15:41 file_server pptpd[226]: CTRL: Client 100.0.0.199 control connection finished

Any ideas???

At 03:35 PM 5/30/2001 -0400, you wrote:
>FW-1 probably only supports 1 concurrent connection behind it.  It's not
>smart enough to figure out based on call id which machine should get the
>GRE packets.  See if there's an update.  If not, get a box to route.
>
>Scott
>
>On Wed, 30 May 2001, Kurt Glazemakers wrote:
>
> >
> > I'm sorry, the image totally screwed up by sending it, maybe this will
> > be more clear
> >
> >       Linux   PPTP server
> >                 |
> >                 |
> >               ...
> >            Internet
> >               ...
> >                 |
> >                 |
> >          213.2.45.6
> >             FW-1
> >          192.168.1.254/24
> >                 |
> >         -------------
> >         |            |
> >       PC-A            PC-B
> >   192.168.1.1/24      192.168.1.2/24
> >
> > Yep, the internet address of the firewall is fixed, and yep PC-A or PC-B
> > is able to connect. Only both PPTP connections together don't work.
> >
> > I could make one connection and route it, but then I need an extra
> > machine, because PC-A and PC-B are laptop PCs. If possible I would like
> > to avoid it.
> >
> >
> > -----Original Message-----
> > From: Justin Kreger [mailto:lists at earthling.2y.net]
> > Sent: Wednesday 30 May 2001 19:25
> > To: Kurt Glazemakers
> > Cc: pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] PPTP client connection trough masqueraded
> > firewall
> >
> >
> > Your diagram is.... umm... not clear..   Does the internet side of your
> > firewall have a static ip?  Is it acceptable to have one connect to the
> > pptp server, and route between the two networks?
> >
> > Justin Kreger, MCP MCSE CCNA
> > jkreger at earthling.2y.net jwkreger at uncg.edu jkreger at aristotle.wss.net
> >
> >
> > On Wed, 30 May 2001, Kurt Glazemakers wrote:
> >
> > >
> > > This is the setup I wanted to use:
> > >     Machine A                 Checkpoint  FW-1
> > >    192.168.1.1/24=======|  |-----------|
> > > |-------------------|
> > >                             |==|               |========....
> > > INTERNET  ....======| Linux PPTP server |
> > >     Machine B               |  |               |
> > > |                       |
> > >    192.168.1.2/24=======|  |-----------|
> > > |-------------------|
> > >                     192.168.1.254/24     213.2.45.6
> > >
> > > Machine A and machine B need to connect to the PPTP server and are
> > > using 2 different accounts.
> > >
> > > My question is: Is it possible to do this, can the PPTP protocol be
> > > masqueraded ? The TCP port 1723 will be of course no problem, but what
> > > about the GRE. Because 1 connection works, but a second fails ...
> > >
> > > Thanks,
> > >
> > > Kurt
> > > _______________________________________________
> > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!
> > >
> >
> >
>
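
The call-ID point raised in the quoted reply, as an added example that is not part of the original messages: a simplified model of a masquerading box that tracks PPTP's GRE traffic per remote peer only, next to one that also keys on the Call ID carried in the enhanced GRE header (RFC 2637). The server address, the Call IDs and the class and function names are constructed for illustration; the inside addresses are the ones from the diagram above.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def gre_call_id(packet: bytes) -> int:
    """Return the Call ID from an enhanced-GRE header, or raise ValueError."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags, proto, _payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    key_present, version = flags & 0x2000, flags & 0x0007
    if proto != PPTP_GRE_PROTO or not key_present or version != 1:
        raise ValueError("not PPTP enhanced GRE")
    return call_id

class NaiveMasq:
    """Tracks GRE per remote peer only: one inside host per PPTP server."""
    def __init__(self):
        self.table = {}
    def outbound(self, inside_ip, server_ip, call_id):
        self.table[server_ip] = inside_ip  # second client overwrites the first
    def inbound(self, server_ip, packet):
        return self.table.get(server_ip)

class CallIdMasq(NaiveMasq):
    """Tracks GRE per (peer, Call ID) learned from the TCP/1723 control channel."""
    def outbound(self, inside_ip, server_ip, call_id):
        self.table[(server_ip, call_id)] = inside_ip
    def inbound(self, server_ip, packet):
        return self.table.get((server_ip, gre_call_id(packet)))

def gre(call_id, seq, payload=b"\xc0\x21"):
    """Build a constructed enhanced-GRE packet with K and S set, version 1."""
    header = struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, len(payload), call_id, seq)
    return header + payload

SERVER = "198.51.100.10"  # constructed address for the PPTP server
CLIENTS = {"192.168.1.1": 0x0010, "192.168.1.2": 0x0020}  # constructed Call IDs

def deliveries(nat):
    """Register both clients, then route one server-to-client packet per call."""
    for ip, cid in CLIENTS.items():
        nat.outbound(ip, SERVER, cid)
    return [nat.inbound(SERVER, gre(cid, seq=1)) for cid in CLIENTS.values()]

if __name__ == "__main__":
    print("peer-only tracking:", deliveries(NaiveMasq()))
    print("call-id tracking:  ", deliveries(CallIdMasq()))
```

The model leaves out the case where two inside clients pick the same Call ID, which a real translator has to resolve by rewriting the ID in both the control channel and the GRE header.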



