[plug] GRE Tunnels, Kernel 2.4 and PPTP.
James Bromberger
james at rcpt.to
Sun May 13 23:49:31 WST 2001
Evening all,
I am trying to set up a VPN session between a Win box using the MS VPN virtual
adapter, and a PPTP daemon running on a host behind a firewall. I am
configuring the NAT rules with iptables under 2.4, and can't seem to get the
GRE part of the connection to work (or thats what I think is failing).
First the rules are thus:
* All internal connections are NATed out with (std NAT rule):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
* Next, incoming 1723 PPTP auth is redirected to the internal machine:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 10.0.0.2
* Finally, incoming GRE for PPTP is redirected with (I have tried
with and without this rule, see below):
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 10.0.0.2
Thus I see rules with:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:1723 to:10.0.0.2
DNAT gre -- anywhere anywhere to:10.0.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
I can connect to the PPTP server from the outside world, and authenticate
against it, but then the VPN fails. My firewall box shows the following
(amongst other things) in /proc/net/ip_conntrack (IP addresses changed to
'xxx' and 'yyy' to protect the guilty):
unknown 47 568 src=10.0.0.2 dst=61.xxx.xxx.xxx [UNREPLIED] src=61.xxx.xxx.xxx dst=203.yyy.yyy.yyy use=1
Now, my syslog on the PPTP server (behind the firewall) shows:
pptpd[783]: CTRL (PPPD Launcher): local address = 10.0.0.2
pptpd[783]: CTRL (PPPD Launcher): remote address = 10.0.0.241
pptpd[782]: CTRL: Sent packet to client
pppd[783]: pppd 2.4.1 started by root, uid 0
pppd[783]: Using interface ppp0
pppd[783]: Connect: ppp0 <--> /dev/pts/0
pppd[783]: LCP: timeout sending Config-Requests
pppd[783]: Connection terminated.
pppd[783]: Exit.
pptpd[782]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
pptpd[782]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
pptpd[782]: CTRL: Client 61.yyy.yyy.yyy control connection finished
pptpd[782]: CTRL: Exiting now
pptpd[357]: MGR: Reaped child 782
Does anyone know whats going wrong here? I am suspecting that GRE is having
trouble going back and forth through the NAT; does anyone have this kind of
setup running under 2.4 with iptables? Most of the documentation that is
floating around seems to refer to 2.2 or 2.0 and ipchains...
I had a hunch that perhaps the GRE is started by the PPTP server, and thus
all GRE will be tracked and handled by the default MASQ, and incoming GRE will
not need a DNAT mangle (ie, redirection to the internal server) since the
MASQ will handle this for us; I tired repeating the exercise without the
third rule above, but it still fails:
pppd[925]: Using interface ppp0
pppd[925]: Connect: ppp0 <--> /dev/pts/3
pptpd[924]: CTRL: Received PPTP Control Message (type: 12)
pptpd[924]: CTRL: Made a CALL DISCONNECT RPLY packet
The pptpd disconnect is 30 seconds after pppd tried to set up the tunnel; ie,
a timeout occurs.
Anyone have any ideas. The MASQ VPN FAQ/HOWTO leaves me stuck with this
problem.
Many thanks,
James
--
James Bromberger <james_AT_rcpt.to> www.rcpt.to/~james
* * C u in Bordeaux - 1st Debian Conference, July 2001 * *
Remainder moved to http://www.rcpt.to/~james/james/sig.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20010513/1428672a/attachment.pgp>
More information about the plug
mailing list