* Problems w/ Linux firewall and Windows VPN
From: Stephen Touset @ 2004-01-02 1:36 UTC (permalink / raw)
To: netfilter
I've recently set up a firewall in our house, running Debian. It's using
iptables to do packet filtering. When I installed it, my mother started
having problems connecting through VPN to her company (MAPICS). The
connection starts fine, but after 5-10 minutes, it disconnects. I do not
have this problem connecting to other VPN servers (such as to my
employer) using her computer, so I know this is specific to their
system.
Previously, we were using a Linksys router, and it worked fine.
Now, my first idea was that the firewall was blocking a certain type of
packet, thus causing the connection to be terminated. However, running
tcpdump on the internal and external interfaces shows that everything is
passing through nicely.
Of note is that every time, right before the disconnect, their VPN
server sends a PPTP Echo-Request to her client. The response from her
client is a TCP RST, and the connection is terminated. I have verified
this repeatedly, and this is the case every time. However, there are
dozens of other times during the connection where a PPTP Echo-Request is
sent from their server, and her client responds with the correct PPTP
Echo-Reply, and they respond with a TCP ACK on that reply. In other
words, the echo handshake goes back and forth several times throughout
the connection, correctly, and at one of them her client decides not to
reply, and simply RST the connection. I've examined the packets
containing the Request from both a completed handshake and from the
terminated one, and they both appear to be identical, excluding sequence
numbers and acknowledgment numbers.
I'm attaching packet captures from ethereal in the libpcap format--one
from the perspective of the internal interface, and one from the
external. These are pre-filtered, so they contain *all* network traffic
at the time, so I'm positive that nothing that could identify the
problem is left out. The VPN server is 208.217.85.63, and her client is
192.168.1.102. It's over a PPTP connection, with a Windows-based VPN
server--I'm guessing Windows 2000 Server.
If anyone could help me discover what the problem is, or point me in the
direction of someone who could, I would be *extremely* grateful.
--
Stephen Touset <stephen@touset.org>
"What do you mean, 'Veritas is acting screwy'? Veritas is the shit!"
* Re: Problems w/ Linux firewall and Windows VPN
From: Stephen Touset @ 2004-01-02 2:29 UTC (permalink / raw)
To: netfilter
Oops. Here are the attachments.
On Thu, 2004-01-01 at 20:36, Stephen Touset wrote:
> I've recently set up a firewall in our house, running Debian. It's using
> iptables to do packet filtering. When I installed it, my mother started
> having problems connecting through VPN to her company (MAPICS). The
> connection starts fine, but after 5-10 minutes, it disconnects. I do not
> have this problem connecting to other VPN servers (such as to my
> employer) using her computer, so I know this is specific to their
> system.
>
> Previously, we were using a Linksys router, and it worked fine.
>
> Now, my first idea was that the firewall was blocking a certain type of
> packet, thus causing the connection to be terminated. However, running
> tcpdump on the internal and external interfaces shows that everything is
> passing through nicely.
>
> Of note is that every time, right before the disconnect, their VPN
> server sends a PPTP Echo-Request to her client. The response from her
> client is a TCP RST, and the connection is terminated. I have verified
> this repeatedly, and this is the case every time. However, there are
> dozens of other times during the connection where a PPTP Echo-Request is
> sent from their server, and her client responds with the correct PPTP
> Echo-Reply, and they respond with a TCP ACK on that reply. In other
> words, the echo handshake goes back and forth several times throughout
> the connection, correctly, and at one of them her client decides not to
> reply, and simply RST the connection. I've examined the packets
> containing the Request from both a completed handshake and from the
> terminated one, and they both appear to be identical, excluding sequence
> numbers and acknowledgment numbers.
>
> I'm attaching packet captures from ethereal in the libpcap format--one
> from the perspective of the internal interface, and one from the
> external. These are pre-filtered, so they contain *all* network traffic
> at the time, so I'm positive that nothing that could identify the
> problem is left out. The VPN server is 208.217.85.63, and her client is
> 192.168.1.102. It's over a PPTP connection, with a Windows-based VPN
> server--I'm guessing Windows 2000 Server.
>
> If anyone could help me discover what the problem is, or point me in the
> direction of someone who could, I would be *extremely* grateful.
--
Stephen Touset <stephen@touset.org>
[-- Attachment #1.2: packets.ext --]
[-- Type: application/octet-stream, Size: 54829 bytes --]
[-- Attachment #1.3: packets.int --]
[-- Type: application/octet-stream, Size: 68763 bytes --]
* Re: Problems w/ Linux firewall and Windows VPN
From: Stephen Touset @ 2004-01-02 3:21 UTC (permalink / raw)
To: netfilter
Seeing as I forgot to attach the packet output, they can be found at https://touset.org/packets.ext and https://touset.org/packets.int.
On Thu, 2004-01-01 at 20:36, Stephen Touset wrote:
> I've recently set up a firewall in our house, running Debian. It's using
> iptables to do packet filtering. When I installed it, my mother started
> having problems connecting through VPN to her company (MAPICS). The
> connection starts fine, but after 5-10 minutes, it disconnects. I do not
> have this problem connecting to other VPN servers (such as to my
> employer) using her computer, so I know this is specific to their
> system.
>
> Previously, we were using a Linksys router, and it worked fine.
>
> Now, my first idea was that the firewall was blocking a certain type of
> packet, thus causing the connection to be terminated. However, running
> tcpdump on the internal and external interfaces shows that everything is
> passing through nicely.
>
> Of note is that every time, right before the disconnect, their VPN
> server sends a PPTP Echo-Request to her client. The response from her
> client is a TCP RST, and the connection is terminated. I have verified
> this repeatedly, and this is the case every time. However, there are
> dozens of other times during the connection where a PPTP Echo-Request is
> sent from their server, and her client responds with the correct PPTP
> Echo-Reply, and they respond with a TCP ACK on that reply. In other
> words, the echo handshake goes back and forth several times throughout
> the connection, correctly, and at one of them her client decides not to
> reply, and simply RST the connection. I've examined the packets
> containing the Request from both a completed handshake and from the
> terminated one, and they both appear to be identical, excluding sequence
> numbers and acknowledgment numbers.
>
> I'm attaching packet captures from ethereal in the libpcap format--one
> from the perspective of the internal interface, and one from the
> external. These are pre-filtered, so they contain *all* network traffic
> at the time, so I'm positive that nothing that could identify the
> problem is left out. The VPN server is 208.217.85.63, and her client is
> 192.168.1.102. It's over a PPTP connection, with a Windows-based VPN
> server--I'm guessing Windows 2000 Server.
>
> If anyone could help me discover what the problem is, or point me in the
> direction of someone who could, I would be *extremely* grateful.
--
Stephen Touset <stephen@touset.org>
* RE: Problems w/ Linux firewall and Windows VPN
From: Stephen Touset @ 2004-01-02 21:36 UTC (permalink / raw)
To: Sneppe Filip; +Cc: netfilter
On Fri, 2004-01-02 at 08:51, Sneppe Filip wrote:
> Hi Stephen,
>
> I am replying privately because I currently have only MS Outlook Web
> Access to my mailbox and hence am replying with html mail. My apologies.
> I don't want to annoy the list with this, so ...
Fair 'nuff ;)
> What IP address and subnet mask is your mother getting from the pptp
> server?
She gets an IP in the 10.0.58.0/24 range it seems. I just tried now, and
her IP address was 10.0.58.101, with a subnet mask of 255.255.255.255.
> Are you using dhcp on your local subnet (192.168.0.0/16 or whatever)?
Yes.
> After a quick peek at the captures, some intriguing things are:
>
> - the dhcp traffic that needs several attempts on the local network.
Yeah--I'm currently in the process of adding things to the network.
Right now, my firewall is handing out DHCP leases. However, there's an
awkward interaction between iptables and DHCP. I'm not quite sure what's
causing it. Want a copy of my iptables script?
> It should be interesting to use a static ip address 192.168.1.102 just
> to test.
I'll try that in a few minutes. Thanks for the suggestion.
> - more intriguing: after the tunnel is set up, after you've renewed your
> dhcp address 192.168.1.102, your mother's machine repeatedly tries to
> contact 10.... addresses (dns and kerberos servers), but there is no
> reply. I assume those are IP addresses from your mother's company's
> network?
They seem to be.
> The internal and external capture show that this traffic is not going
> through the pptp tunnel.
You know, I'd noticed that but no flags had popped up in my head. I
should have realized that that sort of traffic ought to be in the GRE
tunnel.
> I think this may be the cause to your (mother's) problems.
> Could this be because your mother's computer is not using the gateway
> given by the pptp server to route packets to the 10.... network?
You know, that sounds awfully feasible. The tunnel is being connected,
she refreshes the DHCP lease, and then traffic supposed to go through
the tunnel starts going through our gateway rather than her PPTP one.
> Can you go to the properties of the pptp connection of your mother's
> machine, then go to the "networking" tab, select "tcp/ip" and click on
> "properties". Then click on "advanced". There, on the general tab, does
> it say "use default gateway on remote network"?
It does.
> This setting may be the cause of your problems.
Alright, I'll give that a whirl, too.
> If not, can you give a little more info, like the output from
> "ipconfig /all" and "route print" when you've established a pptp tunnel.
C:\Documents and Settings\stouset>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : STouset-W2KHT
        Primary DNS Suffix  . . . . . . . : usatlnt.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mapics.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : advlog.com
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #3
        Physical Address. . . . . . . . . : 00-10-5A-0C-25-E0
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 205.152.37.254
                                            205.152.144.235
        NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Friday, January 02, 200
3:29:19 PM
Lease Expires . . . . . . . . . . : Friday, January 02, 200
3:39:19 PM
C:\Documents and Settings\stouset>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0xf000003 ...00 10 5a 0c 25 e0 ...... 3Com EtherLink PCI
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.102       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.102   192.168.1.102       1
    192.168.1.102  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255    192.168.1.102   192.168.1.102       1
        224.0.0.0        224.0.0.0    192.168.1.102   192.168.1.102       1
  255.255.255.255  255.255.255.255    192.168.1.102   192.168.1.102       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\stouset>
> Hope this helps somehow. Either way, the packets going to the 10....
> network via the internet is definitely something wrong you want to have
> fixed...
I appreciate the help. I'm CCing it back to the Debian list, so others
will have a chance to see this.
--
Stephen Touset <stephen@touset.org>
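As an added check that is not part of this thread (my own script, not Stephen's or Filip's), the following Python code parses the Active Routes rows from the `route print` output above, performs a longest-prefix lookup for a destination, and reports which remote networks would leave via an interface other than the PPTP tunnel, which is the leak Filip describes. It assumes the company side is 10.0.0.0/8 (the thread's "10.... addresses") and the tunnel address is 10.0.58.101 as reported; the second table with an added 10.0.0.0/8 tunnel route is constructed to show what a correctly routed client would look like.

```python
import ipaddress

# Constructed from the Active Routes section of the "route print" output in the thread:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.102 192.168.1.102 1
192.168.1.102 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.102 192.168.1.102 1
224.0.0.0 224.0.0.0 192.168.1.102 192.168.1.102 1
255.255.255.255 255.255.255.255 192.168.1.102 192.168.1.102 1
"""
# Constructed (hypothetical): the same table once the PPTP client adds a route for the
# company network through the tunnel address 10.0.58.101.
ROUTE_PRINT_WITH_TUNNEL = ROUTE_PRINT + "10.0.0.0 255.0.0.0 10.0.58.101 10.0.58.101 1\n"

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows; skip anything else."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface), int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match (lowest metric on ties); returns (gateway, interface) or None."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (str(best[1]), str(best[2]))

def leaking_destinations(routes, remote_nets, tunnel_iface):
    """List remote-network probes whose chosen interface is not the tunnel interface."""
    leaks = []
    for net in remote_nets:
        probe = str(ipaddress.IPv4Network(net)[1])  # first host address as a test destination
        hit = lookup(routes, probe)
        if hit is None or hit[1] != tunnel_iface:
            leaks.append((probe, hit))
    return leaks

if __name__ == "__main__":
    print(leaking_destinations(parse_routes(ROUTE_PRINT), ["10.0.0.0/8"], "10.0.58.101"))
    print(leaking_destinations(parse_routes(ROUTE_PRINT_WITH_TUNNEL), ["10.0.0.0/8"], "10.0.58.101"))
```

With the table as posted, the only route matching a 10.x destination is 0.0.0.0/0 via 192.168.1.1, so the company traffic goes out the home gateway in the clear; with the constructed tunnel route it stays on the tunnel interface.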