PPTP NAT

PPTP NAT

[Andrei-Florian Staicu]

Hello list,

I know that this isn't the first (or the last) time somebody asks you 
this, but is it currently possible to have two clients behind a  NAT, 
connecting to the same VPN (PPTP) server?
If the answer is in the list somewhere, a link would suffice. Since the 
mail list archive doesen't have searching capability, I wasn't able to 
find anything on the subject.

Thanks in advance for any info.

slackware 11.0, iptables 1.3.7, kernel 2.6.20

-- 
Andrei-Florian STAICU
Network administrator
Tel: (+40) 741.227.014
IPSO S.A.

pptp & NAT

[Sebastian Böhm]

Hi,

i finally got pptp and NAT working with the patch for bug #397 
<https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=397>.

Two questions left:

- sometimes (every 10th connection attempt or so) the connections fails 
with "GRE: read(fd=5,buffer=8056720,len=8260) from network failed: 
status = -1 error = Protocol
not available" reading in the server logs. I use windows clients with 
linux server. somewhere I read that I should load ip_gre on the firewall 
or block a specific icmp packet, is that correct ? (I dont like to block 
icmp, icmp is there for reason)

- I am unable to estabish two pptp connections from one client, I can 
connect to one pptp server and I can connect to a second pptp server, 
but the second connection never accepts any traffic, when I stop the 
first connection, the second connection begins to work. Is this a bug or 
a known missing feature ?


Thank you very much !

/sebastian

Re: pptp & NAT

[Philip Craig]

[-- Attachment #1: Type: text/plain, Size: 1035 bytes --]

On 11/04/2005 01:53 PM, Sebastian Böhm wrote:
> - sometimes (every 10th connection attempt or so) the connections fails 
> with "GRE: read(fd=5,buffer=8056720,len=8260) from network failed: 
> status = -1 error = Protocol
> not available" reading in the server logs. I use windows clients with 
> linux server. somewhere I read that I should load ip_gre on the firewall 
> or block a specific icmp packet, is that correct ? (I dont like to block 
> icmp, icmp is there for reason)

Please try the attached patch.  It has fixed a problem for someone else,
and I think this problem may be the same, but I'm not sure.

> - I am unable to estabish two pptp connections from one client, I can 
> connect to one pptp server and I can connect to a second pptp server, 
> but the second connection never accepts any traffic, when I stop the 
> first connection, the second connection begins to work. Is this a bug or 
> a known missing feature ?

This is intended to work.  I haven't personally tested it in
2.6.14 though.

[-- Attachment #2: pptp-2.6.14.patch --]
[-- Type: text/plain, Size: 2093 bytes --]

diff -u -p -u -r1.1.1.1 ip_nat_helper_pptp.c
--- linux-2.6.x/net/ipv4/netfilter/ip_nat_helper_pptp.c	28 Oct 2005 04:39:25 -0000	1.1.1.1
+++ linux-2.6.x/net/ipv4/netfilter/ip_nat_helper_pptp.c	3 Nov 2005 09:18:01 -0000
@@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_
 	struct ip_conntrack_tuple t;
 	struct ip_ct_pptp_master *ct_pptp_info;
 	struct ip_nat_pptp *nat_pptp_info;
+	struct ip_nat_range range;
 
 	ct_pptp_info = &master->help.ct_pptp_info;
 	nat_pptp_info = &master->nat.help.nat_pptp_info;
@@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_
 		DEBUGP("not found!\n");
 	}
 
-	ip_nat_follow_master(ct, exp);
+	/* This must be a fresh one. */
+	BUG_ON(ct->status & IPS_NAT_DONE_MASK);
+
+	/* Change src to where master sends to */
+	range.flags = IP_NAT_RANGE_MAP_IPS;
+	range.min_ip = range.max_ip
+		= ct->master->tuplehash[!exp->dir].tuple.dst.ip;
+	if (exp->dir == IP_CT_DIR_ORIGINAL) {
+		range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+		range.min = range.max = exp->saved_proto;
+	}
+	/* hook doesn't matter, but it has to do source manip */
+	ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
+
+	/* For DST manip, map port here to where it's expected. */
+	range.flags = IP_NAT_RANGE_MAP_IPS;
+	range.min_ip = range.max_ip
+		= ct->master->tuplehash[!exp->dir].tuple.src.ip;
+	if (exp->dir == IP_CT_DIR_REPLY) {
+		range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+		range.min = range.max = exp->saved_proto;
+	}
+	/* hook doesn't matter, but it has to do destination manip */
+	ip_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
 }
 
 /* outbound packets == from PNS to PAC */
@@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect 
 
 	/* alter expectation for PNS->PAC direction */
 	invert_tuplepr(&inv_t, &expect_orig->tuple);
-	expect_orig->saved_proto.gre.key = htons(nat_pptp_info->pac_call_id);
+	expect_orig->saved_proto.gre.key = htons(ct_pptp_info->pns_call_id);
 	expect_orig->tuple.src.u.gre.key = htons(nat_pptp_info->pns_call_id);
 	expect_orig->tuple.dst.u.gre.key = htons(ct_pptp_info->pac_call_id);
 	inv_t.src.ip = reply_t->src.ip;

Re: pptp & NAT

[Matt Domsch]

On Fri, Nov 04, 2005 at 02:00:59PM +1000, Philip Craig wrote:
> Please try the attached patch.  It has fixed a problem for someone else,
> and I think this problem may be the same, but I'm not sure.

With this patch applied, it's working for me.

 
> > - I am unable to estabish two pptp connections from one client, I can 
> > connect to one pptp server and I can connect to a second pptp server, 
> > but the second connection never accepts any traffic, when I stop the 
> > first connection, the second connection begins to work. Is this a bug or 
> > a known missing feature ?
> 
> This is intended to work.  I haven't personally tested it in
> 2.6.14 though.

Using the endian fix patch and this patch (both are attached to bug
397), this is working for me on a 2.6.14 kernel (really, git HEAD from
yesterday plus these two patches).  I've got 2 clients, one WindowsXP,
one Fedora Core 4, hitting the same PPTP server at the same time.
Sincere thanks to both you and Harald for this effort!

Thanks,
Matt

Re: pptp & NAT

[Sebastian]

Am 05.11.2005 um 15:22 schrieb Matt Domsch:
>
>
>>> - I am unable to estabish two pptp connections from one client, I  
>>> can
>>> connect to one pptp server and I can connect to a second pptp  
>>> server,
>>> but the second connection never accepts any traffic, when I stop the
>>> first connection, the second connection begins to work. Is this a  
>>> bug or
>>> a known missing feature ?
>>
>> This is intended to work.  I haven't personally tested it in
>> 2.6.14 though.
>
> Using the endian fix patch and this patch (both are attached to bug
> 397), this is working for me on a 2.6.14 kernel (really, git HEAD from
> yesterday plus these two patches).  I've got 2 clients, one WindowsXP,
> one Fedora Core 4, hitting the same PPTP server at the same time.
> Sincere thanks to both you and Harald for this effort!
>

what is not working for is to connect two pptp-servers from one  
client machine!

/sebastian

Re: pptp & NAT

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1467 bytes --]

On Sat, Nov 05, 2005 at 11:48:18PM +0100, Sebastian wrote:
> 
> Am 05.11.2005 um 15:22 schrieb Matt Domsch:
> >>>- I am unable to estabish two pptp connections from one client, I  can
> >>>connect to one pptp server and I can connect to a second pptp  server,
> >>>but the second connection never accepts any traffic, when I stop the
> >>>first connection, the second connection begins to work. Is this a  bug or
> >>>a known missing feature ?
> >>This is intended to work.  I haven't personally tested it in
> >>2.6.14 though.
> >Using the endian fix patch and this patch (both are attached to bug
> >397), this is working for me on a 2.6.14 kernel (really, git HEAD from
> >yesterday plus these two patches).  I've got 2 clients, one WindowsXP,
> >one Fedora Core 4, hitting the same PPTP server at the same time.
> >Sincere thanks to both you and Harald for this effort!
> 
> what is not working for is to connect two pptp-servers from one  client machine!

that should work even without any helper.  could you please try with no
pptp helpers loaded and verify it works?

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: PPTP NAT

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]

On Fri, Jan 17, 2003 at 04:32:49PM +0000, Colin Simpson wrote:
> Sorry to annoy you about this but I'm having real problems with the
> pptp-conntrack-net netfilter patch. I have tried looking around the web
> but no one seems to talk much about how to fix this.
> 
> I have patched with patch-o-matic the 2.4.20 kernel. It seems to apply
> ok and build. But I now get the following when I try to apply any SNAT
> rule
> 
> iptables -t nat -p tcp -A POSTROUTING -s 192.168.77.0/24 -j SNAT
> --to-source 80.195.55.115:1024-65535
> iptables v1.2.7a: Unknown arg `--to-source'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> Am I missing something?

yes, you need to rebuild the iptables userspace package, since the size
of some NAT related structures have changed.

> Colin Simpson
> Network Manager

-- 
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]