Help! problem with PPTPD and pptp nat helper

Help! problem with PPTPD and pptp nat helper

[__ Radien__]

Guys

  I have problem in having 

	- kernel 2.4(Fedora Core 1) + ip_nat_pptp (in patch-o-matic 20040406)
loaded with
	- running pptpd 1.2.1 

Server Side Configuration:
-Linux 2.4 Fedora Core 1, patched by pptp-conntrack-nat properly(tested
for proper NAT + ConnectionTracking on multiple 

PPTP-Tunnel sessions)
-iptables 1.2.11 patched the same as kernel
-pptpd 1.2.1
-ppp 2.4.3 cvs20040527.4
-lsmod output:
===================================
Module                  Size  Used by    Not tainted
ip_nat_pptp             3308   0  (unused)
ip_conntrack_pptp       4304   1  [ip_nat_pptp]
ip_conntrack_proto_gre    4852   0  [ip_nat_pptp ip_conntrack_pptp]
ppp_mppe               14040   0  (autoclean)
ppp_async               9888   0  (autoclean)
ppp_generic            27584   0  (autoclean) [ppp_mppe ppp_async]
slhc                    6844   0  (autoclean) [ppp_generic]
autofs                 13780   0  (autoclean) (unused)
iptable_filter          2412   0  (autoclean) (unused)
pcnet32                18464   1
mii                     4124   0  [pcnet32]
ip_nat_ftp              4048   0  (unused)
ip_conntrack_ftp        5584   1  [ip_nat_ftp]
iptable_nat            23352   2  (autoclean) [ip_nat_pptp ip_nat_ftp]
ip_conntrack           33032   4  (autoclean) [ip_nat_pptp
ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_ftp 

ip_conntrack_ftp iptable_nat]
ip_tables              16544   4  [iptable_filter iptable_nat]
floppy                 58908   0  (autoclean)
sg                     37612   0  (autoclean) (unused)
microcode               5024   0  (autoclean)
keybdev                 2976   0  (unused)
mousedev                5688   0  (unused)
hid                    24772   0  (unused)
input                   6208   0  [keybdev mousedev hid]
usb-uhci               27468   0  (unused)
usbcore                82912   1  [hid usb-uhci]
ext3                   74148   2
jbd                    56560   2  [ext3]
BusLogic              101084   0
sd_mod                 13740   0  (unused)
scsi_mod              112232   3  [sg BusLogic sd_mod]
===================================

Client Side configuration:
Win2k3 VPN Client set to support any encryption - optional - and any
username/password authentication method

  when I try to dig a PPTP-VPN tunnel to this machine, using a pptp
client software, I get error messages and connection 

fails:

Client Side error:

  "Error 619: A connection to the remote computer could not be
established, so the port used for this connection was closed."

Server Side error:
(/var/log/messages on the Server)
=====================================
Dec 21 17:09:38 server pptpd[17740]: CTRL: Client 192.168.0.101 control
connection started
Dec 21 17:09:38 server pptpd[17740]: CTRL: Starting call (launching
pppd, opening GRE)
Dec 21 17:09:38 server kernel: application bug: pppd(17741) has SIGCHLD
set to SIG_IGN but calls wait().
Dec 21 17:09:38 server kernel: (see the NOTES section of 'man 2 wait').
Workaround activated.
Dec 21 17:09:38 server pppd[17741]: pppd 2.4.3 started by root, uid 0
Dec 21 17:09:38 server pppd[17741]: Using interface ppp0
Dec 21 17:09:38 server pppd[17741]: Connect: ppp0 <--> /dev/pts/1
Dec 21 17:10:09 server pppd[17741]: LCP: timeout sending Config-Requests
Dec 21 17:10:09 server pppd[17741]: Connection terminated.
Dec 21 17:10:09 server pppd[17741]: Exit.
Dec 21 17:10:09 server pptpd[17740]: GRE:
read(fd=5,buffer=804e6e0,len=8196) from PTY failed: status = -1 error =


Input/output error, usually caused by unexpected termination of pppd,
check option syntax and pppd logs
Dec 21 17:10:09 server pptpd[17740]: CTRL: PTY read or GRE write failed
(pty,gre)=(5,6)
Dec 21 17:10:09 server pptpd[17740]: CTRL: Client 192.168.0.101 control
connection finished

=====================================

/var/log/ppp/pppd.log
=====================================
==> /var/log/ppp/pppd.log <==
using channel 29
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x1 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x2 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x3 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x3 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x4 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x4 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x5 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x5 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x6 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x6 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x7 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x7 <callback CBCP>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0xab867b16> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x8 <mru 1400> <magic 0x347a73ef> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x8 <callback CBCP>]
LCP: timeout sending Config-Requests
Connection terminated.
=====================================


==>Interesting part is, If I unload "ip_nat_pptp" module then connection
will be established well with no errors.<==

The configuration files, /etc/pptpd.conf and /etc/ppp/option.pptpd and
/etc/ppp/options were tested to work properly - with 

the above configurations but with the original (not patched) kernel and
iptables!

Anyone can help please?

TIA

RE: Help! problem with PPTPD and pptp nat helper

[Gary W. Smith]

<cut from an earlier thread>

>trying to connect to a server which is itself behind a router and NAT'd

You mentioned that you applied the conntrack patch.  Did you do this on
both the firewalls?  I have had success with the following.  Note that I
have disabled ip_nat_pptp.  If I load ip_nat_pptp then only one person
can connect and on the first time only.  Subsequent attempts fail.  I
have asked but received no feedback on this as well.  But hopefully this
will help you as well.

Anyways, here's what I run and the order that I run them in.  The
firewall currently has two active incoming connections I did test
multiple outgoing connections when I configured it.  

/etc/rc.d/rc.local:
/sbin/modprobe ip_conntrack_proto_gre
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_proto_gre
#/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_mms
/sbin/modprobe ip_nat_mms
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_TARPIT
/sbin/modprobe ip_gre
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat


Gary Smith

Help! problem with PPTPD and pptp nat helper

[Radien Radien]

But based on netfilter pom-ng documentation its needed for NAT working properly

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat

I have great successfull experiment using these 4 p-o-m modules, they
work perfect in my cases multiple session for DNAT and SNAT even both
at the same time. But when the last one is loaded part of pptpd(when
uses pppd) cannot negotiate using LCP, it seems so in logfiles. And if
I unload it, pptpd works fine!!

#This adds CONFIG_IP_NF_PPTP:
#Connection tracking and NAT support for PPTP.  Using this, you can track
#PPTP/GRE connections and do SNAT/DNAT.  You have to load the following modules
#for connection tracking:
#       ip_conntrack_proto_gre
#       ip_conntrack_pptp
#for NAT:
#       ip_nat_proto_gre
#       ip_nat_pptp
#

It seems to be a conflict of using ppp, with ip_nat_pptp module and pptpd.

-------------------------------------------------------------------------------------------------------

>trying to connect to a server which is itself behind a router and NAT'd

You mentioned that you applied the conntrack patch.  Did you do this on
both the firewalls?  I have had success with the following.  Note that I
have disabled ip_nat_pptp.  If I load ip_nat_pptp then only one person
can connect and on the first time only.  Subsequent attempts fail.  I
have asked but received no feedback on this as well.  But hopefully this
will help you as well.

Anyways, here's what I run and the order that I run them in.  The
firewall currently has two active incoming connections I did test
multiple outgoing connections when I configured it.

/etc/rc.d/rc.local:
/sbin/modprobe ip_conntrack_proto_gre
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_proto_gre
#/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_mms
/sbin/modprobe ip_nat_mms
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_TARPIT
/sbin/modprobe ip_gre
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
Gary Smith

RE: Help! problem with PPTPD and pptp nat helper

[Gary W. Smith]

I found an oddity while experimenting with ip_nat_pptp.  If it's loaded I cannot make an outgoing pptp call from the server.  If I unload it will make the call just fine.  After the call has been established I can then reload the module and then connect from workstations.
 
If a workstation is connected to an external VPN it's connection is not broken.  Another oddity is that lsmod shows that module loaded, but not being used even when there are multiple active conenctions behind the firewall.
 
I'm still looking for a better solution to this problem.  The temporary work around is to script the outgoing pptp calls with an rmmod and modprobe before and after.
 
Gary Smith
 

________________________________

From: netfilter-bounces@lists.netfilter.org on behalf of Radien Radien
Sent: Sun 12/26/2004 4:15 AM
To: netfilter@lists.netfilter.org
Subject: Help! problem with PPTPD and pptp nat helper



But based on netfilter pom-ng documentation its needed for NAT working properly

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat

I have great successfull experiment using these 4 p-o-m modules, they
work perfect in my cases multiple session for DNAT and SNAT even both
at the same time. But when the last one is loaded part of pptpd(when
uses pppd) cannot negotiate using LCP, it seems so in logfiles. And if
I unload it, pptpd works fine!!

#This adds CONFIG_IP_NF_PPTP:
#Connection tracking and NAT support for PPTP.  Using this, you can track
#PPTP/GRE connections and do SNAT/DNAT.  You have to load the following modules
#for connection tracking:
#       ip_conntrack_proto_gre
#       ip_conntrack_pptp
#for NAT:
#       ip_nat_proto_gre
#       ip_nat_pptp
#

It seems to be a conflict of using ppp, with ip_nat_pptp module and pptpd.

Re: Help! problem with PPTPD and pptp nat helper

[Radien Radien]

Dear Gary

  No it is solved yet. I'm just very busy with my works and could not
spend alot of time on this issue so I prefered to complete other works
and then comeback with more time to spend on PoPToP and ip_nat_pptp
incompatibility problem.

  I also sent an email to the athor of the p-o-m module of
conntrack_pptp, but no responses yet.

Best Regards
Radien

On Wed, 12 Jan 2005 22:41:06 -0800, Gary W. Smith <gary@primeexalia.com> wrote:
> Did you ever resolve this?  It has started to fail and I can't keep the
> tunnel open properly when our remote clients are in the office.
> 
> Gary Wayne Smith
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Radien
> Radien
> Sent: Sunday, December 26, 2004 4:16 AM
> To: netfilter@lists.netfilter.org
> Subject: Help! problem with PPTPD and pptp nat helper
> 
> But based on netfilter pom-ng documentation its needed for NAT working
> properly
> 
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-con
> ntrack-nat
> 
> I have great successfull experiment using these 4 p-o-m modules, they
> work perfect in my cases multiple session for DNAT and SNAT even both
> at the same time. But when the last one is loaded part of pptpd(when
> uses pppd) cannot negotiate using LCP, it seems so in logfiles. And if
> I unload it, pptpd works fine!!
> 
> #This adds CONFIG_IP_NF_PPTP:
> #Connection tracking and NAT support for PPTP.  Using this, you can
> track
> #PPTP/GRE connections and do SNAT/DNAT.  You have to load the following
> modules
> #for connection tracking:
> #       ip_conntrack_proto_gre
> #       ip_conntrack_pptp
> #for NAT:
> #       ip_nat_proto_gre
> #       ip_nat_pptp
> #
> 
> It seems to be a conflict of using ppp, with ip_nat_pptp module and
> pptpd.
> 
> ------------------------------------------------------------------------
> -------------------------------
> 
> >trying to connect to a server which is itself behind a router and NAT'd
> 
> You mentioned that you applied the conntrack patch.  Did you do this on
> both the firewalls?  I have had success with the following.  Note that I
> have disabled ip_nat_pptp.  If I load ip_nat_pptp then only one person
> can connect and on the first time only.  Subsequent attempts fail.  I
> have asked but received no feedback on this as well.  But hopefully this
> will help you as well.
> 
> Anyways, here's what I run and the order that I run them in.  The
> firewall currently has two active incoming connections I did test
> multiple outgoing connections when I configured it.
> 
> /etc/rc.d/rc.local:
> /sbin/modprobe ip_conntrack_proto_gre
> /sbin/modprobe ip_conntrack_pptp
> /sbin/modprobe ip_nat_proto_gre
> #/sbin/modprobe ip_nat_pptp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_mms
> /sbin/modprobe ip_nat_mms
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_TARPIT
> /sbin/modprobe ip_gre
> /sbin/modprobe ipt_MASQUERADE
> /sbin/modprobe ip_conntrack
> /sbin/modprobe iptable_nat
> Gary Smith
> 
> 


-- 
__ Radien__