[pptp-server] Windows NT VPN Server behind firewall Little bit long message!!!!

Cowles, Steve Steve at SteveCowles.com
Tue Sep 10 06:52:26 CDT 2002


> -----Original Message-----
> From: Andrea [mailto:andrea.carignano at martinicom.com]
> Sent: Tuesday, September 10, 2002 4:23 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Windows NT VPN Server behind firewall 
> Little bit
> long message!!!!
> 
> 
> Hi,
> I have the following problem:
> 
> I have a Windows 2000 VPN server behind a firewall 
> (smoothwall 0.99SE);

I take it this firewall/server is at work.

> I would like to connect from home to the office.

What pptp client software are you using to connect from home->office?
Are you trying to create a pptp tunnel from your home firewall or from a
system behind your home firewall?

> The EXT nic firewall ip is 212.xxx.xxx.xxx, the nt server IP
> is 192.168.0.1, the firewall INT nic IP is 192.168.0.20.
> I would like to establish a PPTP connection.
> 

OK!

> Here is the configuration:
> 
> 1. port forward TCP 1723 to <VPN server IP>

What command are you using to port forward? ipmasqadm?
What kernel does smoothwall use? 2.2.x or 2.4.x?
Are you using ipchains or iptables at the firewall?

BTW: Before ipmasqadm can work, you must also ACCEPT TCP/1723 on the input
chain.

> 2. External access to anyone to port 1723

OK!

> 3. External access protocol 47 (GRE) (I'm not sure, how can I verify?)

Use the ipchains/iptables list syntax to view current rules.

> 4. Forward 47 to <VPN server IP>: ipfwd --masq <VPN server IP> 47 &

You must be using ipchains if you're using ipfwd. Using ipfwd with kernel
2.4.x and iptables is not needed. BTW: The above syntax looks correct.

> 
> When I try to connect to VPN SERVER I get as far as 
> 'Authenticating Username and password' then get an error
> indicating that the server is not responding (Error 619)
> after 30 seconds or so.
> 
> So I think that port (1723) forwarding works, if I log the 
> packet that VPN server receives I don't see any 47....
> 
> If I check firewall's kernel logs I have:
> 
> ------->>>>>> ERROR!!! I THINK->>>>>>>12:37:26 kernel ip_demasq_gre():
> AAA.AAA.AAA.AAA -> BBB.BBB.BBB.BBB CID=43E7
> no masq table, discarding

> ------->>>>>> ERROR!!! I THINK->>>>>>>12:37:26 kernel ip_masq_gre():
> creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=4000 MCID=6109

Based on the above, it looks like packets are arriving out of order from the
pptp client. FWIW: The linux pptp client had this type of problem with the
Caller ID (CID), but I thought the latest version had been fixed. If you're
not using the linux pptp client from home, then there is some kind of
sequencing problem. I'm going from memory here (I'm now using kernel
2.4.x/iptables) but you should only see one entry at the firewall that
states "creating GRE masq for..." for each connection. You should also see
one entry logged when the tunnel is torn down.
 
> 12:40:09 kernel ip_demasq_gre(): AAA.AAA.AAA.AAA -> 
> BBB.BBB.BBB.BBB CID=83E7
> no masq table, discarding
> 12:40:09 kernel ip_masq_gre(): creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=8000 MCID=6109
> 12:42:51 kernel ip_demasq_gre(): AAA.AAA.AAA.AAA -> 
> BBB.BBB.BBB.BBB CID=C3E7
> no masq table, discarding
> 12:42:51 kernel ip_masq_gre(): creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=C000 MCID=6109
> 12:43:53 kernel ip_masq_gre(): creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=0 MCID=6109
> 12:46:36 kernel ip_masq_gre(): creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=4000 MCID=6109
> 12:49:18 kernel ip_masq_gre(): creating GRE masq for
> 192.168.0.1 ->AAA.AAA.AAA.AAA CID=8000 MCID=6109
> 
> Where:
> AAA.AAA.AAA.AAA is dyn external client IP
> BBB.BBB.BBB.BBB is dyn IP of smoothie firewall
> 192.168.0.1 is internal VPN server IP
> 
> What is wrong, can anyone help me?

I don't know how much I can help since I no longer use 2.2.x/ipchains, but
try to include some additional info as mentioned above. Maybe someone else
can help you debug this problem.

Steve Cowles
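Added example, not part of the thread: a small Python parser for the ip_masq_gre()/ip_demasq_gre() kernel log lines quoted above, applying Steve's rule of thumb (one "creating GRE masq" entry per tunnel, no "no masq table, discarding" entries) so a firewall admin can spot the GRE sequencing problem from a log file. The sample log is constructed from the post's wrapped lines re-typed on single lines with its placeholder addresses; the regexes and the wording of the findings are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the post's wrapped kernel log lines joined onto single
# lines. AAA.../BBB... are the placeholder addresses used in the thread.
SAMPLE_LOG = """\
12:37:26 kernel ip_demasq_gre(): AAA.AAA.AAA.AAA -> BBB.BBB.BBB.BBB CID=43E7 no masq table, discarding
12:37:26 kernel ip_masq_gre(): creating GRE masq for 192.168.0.1 ->AAA.AAA.AAA.AAA CID=4000 MCID=6109
12:40:09 kernel ip_demasq_gre(): AAA.AAA.AAA.AAA -> BBB.BBB.BBB.BBB CID=83E7 no masq table, discarding
12:40:09 kernel ip_masq_gre(): creating GRE masq for 192.168.0.1 ->AAA.AAA.AAA.AAA CID=8000 MCID=6109
12:43:53 kernel ip_masq_gre(): creating GRE masq for 192.168.0.1 ->AAA.AAA.AAA.AAA CID=0 MCID=6109
"""

# Inbound GRE from the remote client dropped because no masq entry existed yet.
DEMASQ = re.compile(r"^(\S+) kernel ip_demasq_gre\(\): (\S+) -> (\S+) "
                    r"CID=([0-9A-Fa-f]+) no masq table, discarding")
# Outbound GRE from the internal VPN server creating a masq entry for a client.
MASQ = re.compile(r"^(\S+) kernel ip_masq_gre\(\): creating GRE masq for "
                  r"(\S+) ->(\S+) CID=([0-9A-Fa-f]+) MCID=([0-9A-Fa-f]+)")


def analyze_gre_log(text):
    """Per remote client: how many masq entries were created and how many
    inbound GRE packets were discarded for lack of a masq table entry."""
    stats = defaultdict(lambda: {"created": 0, "discarded": 0})
    for line in text.splitlines():
        m = DEMASQ.match(line)
        if m:
            stats[m.group(2)]["discarded"] += 1   # group 2 = remote client
            continue
        m = MASQ.match(line)
        if m:
            stats[m.group(3)]["created"] += 1     # group 3 = remote client
    return dict(stats)


def findings(stats):
    """Map each client to the observations Steve's reply says to look for."""
    out = {}
    for client, s in stats.items():
        notes = []
        if s["discarded"]:
            notes.append("%d inbound GRE packet(s) discarded before a masq "
                         "entry existed (client GRE arriving first)" % s["discarded"])
        if s["created"] > 1:
            notes.append("%d 'creating GRE masq' entries; expected one per "
                         "tunnel" % s["created"])
        out[client] = notes
    return out
```

Run `findings(analyze_gre_log(open("/var/log/messages").read()))` against a real firewall log to get the same summary; an empty list for a client means its tunnel logged cleanly.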
