* pptp patch
From: Hill, John @ 2003-06-18 13:27 UTC
To: 'netfilter@lists.netfilter.org'
For the record netfilter is a terrific tool. I am grateful for the time and
hard work given by the netfilter team.
I have kernel 2.4.21 netfilter - latest cvs.
Built netfilter for extra added pptp support.
Recompiled kernel -- netfilter.
I have a win2000 pptp server behind a Linux firewall
Dnat gre and port 1723 to the pptp server.
I had 3 VPN connections working. When one closed the connection the kernel
panicked and died. I could not recover the error message. I was forced to
power off.
I have used 2.4.19 with Brian Kuschak's 2.4.19 pptp patch without problems.
He no longer supports the patch. I was hoping to upgrade the kernel.
Unfortunately the 2.4.19 patch will not work on 2.4.21 and the pptp
netfilter patch will not work for me. I had to roll back to 2.4.19.
I have several firewall installations and need PPTP and the ability to keep
kernels current.
Has anyone looked at Brian's code to see if it is practical to be
incorporated by the netfilter team?
Any help would be appreciated.
--John Hill
* RE: pptp patch
From: Rowan Reid @ 2003-06-19 16:18 UTC
To: 'Hill, John', netfilter
>
> I have kernel 2.4.21 netfilter - latest cvs.
>
> Built netfilter for extra added pptp support.
>
> Recompiled kernel -- netfilter.
>
> I have a win2000 pptp server behind a Linux firewall
Well, having gone your route, here is my 2 cents.
A.) If you're not married to pptp, then set up a freeswan vpn on your
firewall. freeswan accepts connections from pretty much any other vpn
including windows2000. Sorry, pptp not included. I think it's generally
accepted that pptp is out the door.
B.) If you are married to pptp, wait until a stable version has been
released with netfilter. It's not wise to play with beta/experimental
software on sensitive information. To the best of my knowledge pptp
can only handle one connection at a time with the current patch. This is
per the netfilter website.
>
> I had 3 VPN connections working. When one closed the
> connection the kernel panicked and died. I could not recover
> the error message. I was forced to power off.
* re: pptp patch
From: Gary Cote @ 2003-06-19 16:19 UTC
To: netfilter
John,
I also need to route pptp traffic through a box with
recent kernel revisions (2.4.20-18.7 for me at the moment).
The linux box is neither the pptp client nor server. It's
just a router/NAT. Would you be so kind as to forward
anything you might find out over to me? Once I know your
address, I'll do the same.
(sorry for the "me too" post on the list, but I subscribed
to the group after your posting, and the archive masks out
email addresses.)
A couple questions:
. Am I correct in understanding that there are two pptp
patches out there? One against the latest netfilter
sources, and the John Hardin/Brian Kuschak patch against
earlier revisions?
. Is the first one the patch-o-matic extra/pptp-conntrack-nat.patch?
. You said Brian Kuschak's 2.4.19 patch won't work against
2.4.21. Do you simply mean that patch reported errors,
or have you looked into what it would take to port the
patch to recent kernels? I've taken a quick look through
it and saw the code has been redesigned in some spots,
so it's not a simple cut-and-paste job. If it's already
known to be a lost cause, then I won't waste any more time
looking at it.
. Your post said you built 2.4.21 netfilter with pptp support.
I guess this refers back to my first question. Are you
referring to the pptp-conntrack-nat.patch?
Once I get my head screwed on straight about all this stuff,
and figure out what ground's already been covered, maybe we
can figure out how to get it to work for both of us.
thanks
* RE: pptp patch
From: Rowan Reid @ 2003-06-19 16:32 UTC
To: 'Gary Cote', netfilter
> . Your post said you built 2.4.21 netfilter with pptp support.
> I guess this refers back to my first question. Are you
> referring to the pptp-conntrack-nat.patch?
>
http://netfilter.org/documentation/pomlist/pom-extra.html#pptp-conntrack-nat
pptp-conntrack-nat [pptp-conntrack-nat.patch]
[pptp-conntrack-nat.patch.config.in]
[pptp-conntrack-nat.patch.configure.help]
[pptp-conntrack-nat.patch.help] [pptp-conntrack-nat.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Beta
This adds CONFIG_IP_NF_PPTP:
Connection tracking and NAT support for PPTP.
Note that this code currently has limitations
- can only NAT connections from PNS to PAC
- doesn't support multiple calls within one session
* Re: pptp patch
From: Philip Craig @ 2003-06-20 8:43 UTC
To: Hill, John; +Cc: 'netfilter@lists.netfilter.org'
Hill, John wrote:
> I had 3 VPN connections working. When one closed the connection the kernel
> panicked and died. I could not recover the error message. I was forced to
> power off.
If you can follow linux/Documentation/oops-tracing.txt to get the panic
info then this will greatly help debug it. Otherwise one of the
developers will have to try to reproduce this.
> Has anyone looked at Brian's code to see if it is practical to be
> incorporated by the netfilter team?
Brian's code has not been maintained for quite a while. The main reason
that it no longer works for 2.4.21 is that it doesn't support the newnat
framework. It also has some other design problems.
In theory the current PPTP patch should support everything that Brian's
did, plus a bit more, and the code is also cleaner. It would be better
to try to get the current PPTP patch to work for you than to try to port
Brian's patch to 2.4.21.
We have 2.4.20 based products for which the current PPTP patch functions
perfectly. I haven't tried with 2.4.21, but I expect to in the upcoming
weeks. It is possible that the patch no longer works for 2.4.21. If you
have time, you could try 2.4.20 to see if this is the case.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
* pptp patch
From: Patrick Mauritz @ 2003-10-15 11:29 UTC
To: netfilter
hello,
I have a problem with the pptp patch from latest p-o-m, trying to
forward external pptp clients to a firewalled pptp server (win2k server).
clients <-> router <-> win2k server
iptables setup on router:
ip_{nat,conntrack}_{proto_gre,pptp} are loaded,
1723 is DNATed from external to the server
MASQUERADE is any to any
when trying to connect to the server, the connection is dropped after 115 to 119 seconds.
the connection lasts longer when I DNAT GRE protocol manually (and without the pptp helpers), though that obviously only works for one user at a time.
I have no idea what further information I could provide, but I'll provide everything asked for. please Cc: as I'm not on the list.
TIA,
patrick mauritz
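
Added example, not part of any message in this thread and not netfilter code: a simplified Python model of why forwarding GRE by address alone serves one user at a time, while a PPTP-aware helper that keys on the Call ID can separate several calls to the same server. The `GreNat` class, the helper names and all addresses are constructed for illustration; the enhanced GRE header layout follows RFC 2637, and the model assumes every client is masqueraded to the router's address.

```python
import struct

GRE_PROTO_PPP = 0x880B  # enhanced GRE carrying PPP (RFC 2637)

def build_gre(call_id, payload=b""):
    """Constructed sample packet: K bit set, version 1, no seq/ack."""
    return struct.pack("!HHHH", 0x2001, GRE_PROTO_PPP, len(payload), call_id) + payload

def gre_call_id(gre):
    """Return the Call ID held in the low 16 bits of the GRE key field."""
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, _plen, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags_ver & 0x0007) != 1 or not (flags_ver & 0x2000) or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP enhanced GRE header")
    return call_id

class GreNat:
    """Hypothetical reverse-NAT table for GRE replies reaching the router."""

    def __init__(self, use_call_id):
        self.use_call_id = use_call_id
        self.table = {}

    def _key(self, server, call_id):
        # Without a helper only the addresses are available as a key.
        return (server, call_id) if self.use_call_id else (server,)

    def learn(self, client, server, client_call_id):
        # client_call_id is the ID the client chose on TCP/1723; the server
        # puts it in every GRE packet it sends back to that client.
        self.table[self._key(server, client_call_id)] = client

    def route_reply(self, server, gre):
        return self.table.get(self._key(server, gre_call_id(gre)))

def demo(use_call_id):
    """Two constructed clients call the same server; route one reply each."""
    server = "192.168.1.2"
    nat = GreNat(use_call_id)
    nat.learn("198.51.100.10", server, 0x0011)
    nat.learn("203.0.113.20", server, 0x0022)
    return [nat.route_reply(server, build_gre(cid)) for cid in (0x0011, 0x0022)]

if __name__ == "__main__":
    print("address-only key:", demo(False))
    print("call-ID key:     ", demo(True))
```

With the address-only key the second client's entry overwrites the first, so both replies go to the same client; with the Call ID in the key each reply reaches its own client.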
* Re: PPTP Patch
From: Harald Welte @ 2003-10-31 20:32 UTC
To: Aaron Gray; +Cc: Netfilter Development Mailinglist
On Fri, Oct 31, 2003 at 09:59:25AM -0800, Aaron Gray wrote:
> Harald,
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables: Invalid argument
http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.20
> thank you.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* PPTP patch
From: John HIll @ 2005-10-25 20:22 UTC
To: netfilter-devel
When I compile any kernel 2.6.11.x-2.6.12.x I get an error:
ip_conntrack_pptp.ko needs unknown symbol __ip_conntrack_expect_find .
I searched all over Google and netfilter I found another person with the
same problem but no replies.
Thanks
--john
* Re: PPTP patch
From: Phil Oester @ 2005-10-26 14:34 UTC
To: John HIll; +Cc: netfilter-devel
On Tue, Oct 25, 2005 at 03:22:57PM -0500, John HIll wrote:
>
> When I compile any kernel 2.6.11.x-2.6.12.x I get an error:
> ip_conntrack_pptp.ko needs unknown symbol __ip_conntrack_expect_find .
>
> I searched all over Google and netfilter I found another person with the
> same problem but no replies.
Try using 2.6.14 when it is released (or use -rc5 if you prefer not to wait)
Phil
* Re: PPTP patch
From: Harald Welte @ 2005-10-30 9:45 UTC
To: John HIll; +Cc: netfilter-devel
On Tue, Oct 25, 2005 at 03:22:57PM -0500, John HIll wrote:
>
> When I compile any kernel 2.6.11.x-2.6.12.x I get an error:
> ip_conntrack_pptp.ko needs unknown symbol __ip_conntrack_expect_find .
>
> I searched all over Google and netfilter I found another person with the
> same problem but no replies.
sorry, we don't support any other kernels but the latest released stable
version anymore. Backporting fixes/code/... is just eating up way too
much valuable development time, sorry.
So unless you find someone who will do the backport, there is little
chance you will get it working.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie