Linux Netfilter discussions
* GRE/PPTP
@ 2003-09-01 12:02 Jamie Vuyk
  2003-09-04 12:14 ` GRE/PPTP Pass-through problems Wim Ceulemans
  2003-09-12  2:04 ` GRE/PPTP Philip Craig
  0 siblings, 2 replies; 7+ messages in thread
From: Jamie Vuyk @ 2003-09-01 12:02 UTC (permalink / raw)
  To: netfilter

This is a followup on an older question regarding passing through a VPN
that I couldn't see a resolution for.  I have done a whole heap of
searching around the net and there are conflicting opinions.  It would be
nice to get a firm answer...

( http://lists.netfilter.org/pipermail/netfilter/2002-June/035176.html
<http://lists.netfilter.org/pipermail/netfilter/2002-June/035176.html> )

Basically there are two aspects to my problems:

1)       Does the standard kernel (RH 2.4.18) need to be patched in any
way in order to PASS THROUGH proto 47 (GRE) to an internal server?  I'm
running a simple iptables firewall which I want to pass an external VPN
connection through to an internal server.  As I understand it, if I want
Linux to terminate the PPTP VPN I need a patch; if I want it to pass
through I don't.  However I am having a lot of trouble getting this to
work and I would like to know if I'm on the right track.  Also note that
the firewall is masquerading all connections.

2)       I have setup my firewall to allow and forward the 1723 to my
internal server.  This appears to work but the external Win2k box gets
stuck on "verifying username and password".  This eventually times out
with "disconnected".  A simple test was to Telnet to port 1723.
Although there is no response as such from the server (expected) it does
connect both internally and externally.  At what point does the 1723
data exchange end and the "payload" as such start on the GRE protocol?
Is GRE involved in the 'verifying username and password' stage or is
that still TCP on 1723?

If you could give me some basic info I may be able to troubleshoot this and
get it operational.

Cheers for your help.

J

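Added example (not from the thread, and not a reply by any of its participants): the rule set a masquerading iptables firewall needs to pass one external PPTP client through to a single internal PPTP server, together with the checks a firewall admin would run for the "verifying username and password" hang described above. The PPTP control channel on TCP 1723 only negotiates the call; the PPP session, including the authentication exchange the Windows client reports as "verifying username and password", is carried inside GRE (IP protocol 47). A telnet to 1723 succeeding while authentication hangs is therefore the classic sign that GRE is not being forwarded. With one internal server, a static DNAT of all inbound GRE to that server as shown here does not depend on the PPTP connection-tracking/NAT helper; that helper (ip_conntrack_pptp / ip_nat_pptp, which for 2.4 kernels came from patch-o-matic as mentioned later in the thread) is what you need when several hosts behind one public address must each use PPTP. The interface name `eth0` and the address `192.168.1.10` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables rules that pass an external PPTP client through a masquerading
# Linux firewall to ONE internal PPTP server. The interface name and the
# server address are assumed placeholders; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"                      # assumed external interface
PPTP_SERVER="${PPTP_SERVER:-192.168.1.10}"    # assumed internal PPTP server (constructed)

# Print the rules instead of running them so they can be reviewed first.
# Both the control channel (TCP 1723) and the data channel (IP protocol 47,
# GRE) must be DNATed and allowed through FORWARD in both directions.
gen_pptp_rules() {
    wan="$1"
    srv="$2"
    cat <<EOF
# control channel: TCP 1723 -> internal server
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -p tcp -d $srv --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $wan -p tcp -s $srv --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
# data channel: all GRE (protocol 47) arriving on the WAN side -> internal server
iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -p 47 -d $srv -j ACCEPT
iptables -A FORWARD -o $wan -p 47 -s $srv -j ACCEPT
EOF
}

# Print the checks to run when a client hangs at "verifying username and
# password": forwarding must be on, the DNAT counters must rise for proto 47,
# and GRE must actually be visible on the WAN interface.
gen_pptp_checks() {
    wan="$1"
    cat <<EOF
cat /proc/sys/net/ipv4/ip_forward        # must print 1
iptables -t nat -L PREROUTING -nv         # packet counters on the -p 47 DNAT rule should increase
tcpdump -ni $wan proto 47                 # GRE from the client should appear here during the hang
EOF
}

# Count generated rules for a protocol keyword ("tcp" or "47"); a sanity check
# that both channels are covered before the rules are applied.
count_rules_for_proto() {
    gen_pptp_rules "$1" "$2" | grep -c -- "-p $3 "
}

if [ "${1:-}" = "--apply" ]; then
    gen_pptp_rules "$WAN_IF" "$PPTP_SERVER" | sh      # run as root
else
    gen_pptp_rules "$WAN_IF" "$PPTP_SERVER"
    echo
    gen_pptp_checks "$WAN_IF"
fi
```

Run it without arguments to review the rules and the diagnostic commands; run it as root with `--apply` to load the rules. The rules use `-m state`, which is the match available on the iptables 1.2.x / kernel 2.4 combination discussed in the thread. If the tcpdump check shows no protocol 47 packets arriving on the WAN interface during the hang, the problem is upstream of this firewall (an ISP or upstream device dropping GRE), not in these rules.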
* Re: GRE/PPTP Pass-through problems
@ 2003-09-04 13:57 jimbo jones
  0 siblings, 0 replies; 7+ messages in thread
From: jimbo jones @ 2003-09-04 13:57 UTC (permalink / raw)
  To: wim.ceulemans; +Cc: netfilter

Hi,
Thanks for your reply re: my problem.

Probably the most important thing you can tell me is if I have to apply any 
patches or modules in order to make this work.  There is a heck of a lot of 
differing opinions on the various forums and I'm not sure which way to turn.  
I just want to rule this out, knowing that it is essentially native in a 
standard kernel and it should be just a configuration issue.

Cheers
Jamie


>From: Wim Ceulemans <wim.ceulemans@able.be>
>To: Jamie Vuyk <jvuyk@jacobson.co.uk>
>CC: netfilter@lists.netfilter.org
>Subject: Re: GRE/PPTP Pass-through problems
>Date: Thu, 04 Sep 2003 14:14:57 +0200
>
>Hi
>
>I had the same problems with GRE not passing through to a server behind the 
>firewall.
>I then used kernel 2.4.22 and the latest pom snapshot 
>(patch-o-matic-20030831) with iptables 1.2.8
>and gre passed through.
>
>However, after testing I notice now that although PPTP connections to a 
>win2000 server behind the
>firewall work, that the connection is not reliable. After 3 to 4 minutes 
>the connection is closed for
>some unknown reason and people have to re-establish the connection.
>
>Anyone experiencing this problem also?
>
>Regards
>Wim
>
>Jamie Vuyk wrote:
>
>>Hello,
>>
>>I hope this will be a simple post that can lay to rest what a lot of
>>people appear to be having trouble with.  I have read a massive amount
>>of posts all over the web and there seems to be much confusion in this
>>simple matter.
>>
>>
>>
>>Basically there are two aspects to my problems:
>>
>>1)       Does the standard kernel (RH 2.4.18) need to be patched in any
>>way in order to PASS THROUGH proto 47 (GRE) to an internal server?  I'm
>>running a simple iptables firewall which I want to pass an external PPTP
>>VPN connection through to an internal server.  It is most important to
>>note that the firewall is masquerading all connections which I think is
>>where the confusion lies.  As I understand it, if I want Linux to terminate
>>the PPTP VPN I need a patch; if I want it to pass through I don't.
>>However I am having a lot of trouble getting this to work and I would
>>like to know if I'm on the right track.
>>
>>
>>
>>2)     Given that I don't have to patch anything and it all should "just
>>work"... I have setup my firewall to allow and forward the 1723 to my
>>internal server.  This appears to work but the external Win2k box gets
>>stuck on "verifying username and password".  This eventually times out
>>with "disconnected".  A simple test was to Telnet to port 1723.
>>Although there is no response as such from the server (expected) it does
>>connect with a blank screen both internally and externally suggesting
>>the forwarding is working ok.  At what point does the 1723 data exchange
>>end and the "payload" as such start on the GRE protocol?  Is GRE
>>involved in the 'verifying username and password' stage or is that still
>>TCP on 1723?  Just so you are aware I have the rest of the firewall
>>fully operational with various port forwards etc that work fine.  It is
>>essentially only the VPN's that are giving me grief.
>>
>>
>>
>>If you could give me some basic info I may be able to troubleshoot this and
>>get it operational.
>>
>>Cheers in advance for your help.
>>
>>J
>>
>
>
>--
>Wim Ceulemans
>R&D Engineer
>
>Secure Internet Communication with aXs Guard
>
>Able NV
>Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
>Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
>E-mail: wim.ceulemans@able.be
>
>
>
>--
>Security check on this e-mail has been done by aXs GUARD
>(http://www.axsguard.com)
>

* Re: GRE/PPTP Pass-through problems
@ 2003-09-04 16:27 Jorge Armando Medina
  2003-09-04 18:27 ` Wim Werk
  0 siblings, 1 reply; 7+ messages in thread
From: Jorge Armando Medina @ 2003-09-04 16:27 UTC (permalink / raw)
  To: netfilter

I had the same problem, and I solved it by putting the following in my
options.pptpd configuration file:

lcp-echo-failure 30
lcp-echo-interval 5

This is to prevent timeouts on the client side: with
lcp-echo-failure your server sends echo requests to the clients for a
response when there is idle time, so you can modify this parameter to a
higher value.


I hope this will solve your problem; well, it was enough for me.

regards.




Thread overview: 7+ messages
2003-09-01 12:02 GRE/PPTP Jamie Vuyk
2003-09-04 12:14 ` GRE/PPTP Pass-through problems Wim Ceulemans
2003-09-04 16:04   ` Wim Ceulemans
2003-09-12  2:04 ` GRE/PPTP Philip Craig
  -- strict thread matches above, loose matches on Subject: below --
2003-09-04 13:57 GRE/PPTP Pass-through problems jimbo jones
2003-09-04 16:27 Jorge Armando Medina
2003-09-04 18:27 ` Wim Werk
