PPTP connection attempts fail with ip_nat_pptp loaded

PPTP connection attempts fail with ip_nat_pptp loaded

[Jordan Russell]

Hello,

Seeing PPTP NAT support in the 2.6.14 kernel was a very pleasant
surprise -- I've been waiting years for a successor to the
no-longer-maintained
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html -- but after
hours of tinkering I haven't had any luck in getting it to work.

When ip_nat_pptp isn't loaded, everything works fine.

When ip_nat_pptp is loaded (via "modprobe ip_nat_pptp"), about 9 out of
every 10 PPTP connection attempts hang and eventually time out.

I'm connecting from a Windows 2000 machine through a Linux 2.6.14
NAT/firewall box to a Poptop PPTP server on the Internet.

When the connection attempt is made on the Windows 2000 machine, it
stops at "Verifying user name and password", then times out after about
30 seconds.

On the Linux 2.6.14 box, here's what tethereal shows during the failed
connection attempt (eth1 is the Internet-connected interface):


# tethereal -ni eth1 host pptp-server
Capturing on eth1
  0.000000 firewall -> pptp-server TCP 1942 > 1723 [SYN] Seq=0 Ack=0
Win=65535 Len=0 MSS=1460
  0.014912 pptp-server -> firewall TCP 1723 > 1942 [SYN, ACK] Seq=0
Ack=1 Win=5840 Len=0 MSS=1460
  0.015048 firewall -> pptp-server TCP 1942 > 1723 [ACK] Seq=1 Ack=1
Win=65535 Len=0
  0.015092 firewall -> pptp-server PPTP Start-Control-Connection-Request
  0.032906 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=1 Ack=157
Win=5840 Len=0
  0.037927 pptp-server -> firewall PPTP Start-Control-Connection-Reply
  0.038115 win2k -> pptp-server PPTP Outgoing-Call-Request
  2.390464 firewall -> pptp-server PPTP Outgoing-Call-Request
  2.415487 pptp-server -> firewall PPTP Outgoing-Call-Reply
  2.417455 pptp-server -> firewall PPP LCP Configuration Request
  2.418014 firewall -> pptp-server PPTP Set-Link-Info
  2.421762 firewall -> pptp-server PPP LCP Configuration Request
  2.442501 pptp-server -> firewall PPP LCP Configuration Reject
  2.480567 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=189 Ack=349
Win=5840 Len=0
  4.421785 firewall -> pptp-server PPP LCP Configuration Request
  4.435233 pptp-server -> firewall PPP LCP Configuration Reject
  5.422681 pptp-server -> firewall PPP LCP Configuration Request
  7.421689 firewall -> pptp-server PPP LCP Configuration Request
  7.437743 pptp-server -> firewall PPP LCP Configuration Reject
  8.430211 pptp-server -> firewall PPP LCP Configuration Request
 11.421580 firewall -> pptp-server PPP LCP Configuration Request
 11.439706 pptp-server -> firewall PPP LCP Configuration Request
 11.442159 pptp-server -> firewall PPP LCP Configuration Reject
[...]


The Request/Reject pattern continues until the client times out. A rare
successful connection looks the same, except I see "Ack" in place of the
first "Reject".

I tried simplifying my iptables firewall to just the following, but it
still didn't work:


# Generated by iptables-save v1.3.0 on Tue Nov  1 21:40:02 2005
*nat
:OUTPUT ACCEPT [24:1754]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [442:117619]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Nov  1 21:40:02 2005
# Generated by iptables-save v1.3.0 on Tue Nov  1 21:40:02 2005
*filter
:FORWARD ACCEPT [672:246713]
:INPUT ACCEPT [1232:125804]
:OUTPUT ACCEPT [1202:159323]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
# Completed on Tue Nov  1 21:40:02 2005


Any ideas? Is there some configuration step I missed? (I couldn't find
any documentation.)

Thanks,
Jordan Russell

Re: PPTP connection attempts fail with ip_nat_pptp loaded

[Philip Craig]

On 11/02/2005 03:55 PM, Jordan Russell wrote:
> On the Linux 2.6.14 box, here's what tethereal shows during the failed
> connection attempt (eth1 is the Internet-connected interface):

Is it possible to write these packets to a file so I can look at their
contents in more detail?

It would be useful if you could also capture a successful connection.

Your firewall rules look fine.  It should work by simply accepting
established connections.

Re: PPTP connection attempts fail with ip_nat_pptp loaded

[Jordan Russell]

Philip Craig wrote:
> Is it possible to write these packets to a file so I can look at their
> contents in more detail?

Sure. What command should I use to do that?

-- 
Jordan Russell

Re: PPTP connection attempts fail with ip_nat_pptp loaded

[Philip Craig]

On 11/02/2005 05:12 PM, Jordan Russell wrote:
> Sure. What command should I use to do that?

tethereal -w dumpfile -s 1500 -ni eth1 host pptp-server

Re: PPTP connection attempts fail with ip_nat_pptp loaded

[Jordan Russell]

Jordan Russell wrote:
> When ip_nat_pptp is loaded (via "modprobe ip_nat_pptp"), about 9 out of
> every 10 PPTP connection attempts hang and eventually time out.
> 
> I'm connecting from a Windows 2000 machine through a Linux 2.6.14
> NAT/firewall box to a Poptop PPTP server on the Internet.

Follow-up:

Problem solved. It turns out a patch is needed if you have Windows PPTP
clients:

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=397

Thanks to Philip for bringing this to my attention.

-- 
Jordan Russell