From: Andrew D. <ade...@gm...> - 2015-02-13 17:38:01

Thanks Tom, that did the trick!

On Feb 6, 2015 11:10 AM, "Tom Eastep" <te...@sh...> wrote:
> On 2/5/2015 6:18 PM, Andrew DeMaria wrote:
> > On 02/02/2015 12:43 PM, Tom Eastep wrote:
> >> On 1/31/2015 3:36 PM, Andrew DeMaria wrote:
> >>>> Shorewall group,
> >>>>
> >>>> I am having a hard time connecting to a remote PPTP from a LAN computer
> >>>> and was hoping I could get some hints on what could be going wrong.
> >>>>
> >>>> Here is what I know:
> >>>>
> >>>> The remote VPN server is an Asus router. At time of writing it was
> >>>> 71.208.224.179. It is set up for PPTP with 128 bit MPPE encryption.
> >>>>
> >>>> I can connect on my android phone if I am on verizon's network, but I
> >>>> cannot connect if I am on the LAN network. Likewise I cannot connect on
> >>>> my laptop on the LAN network.
> >>>>
> >>>> I have run a tcpdump on the router while trying to connect to the VPN
> >>>> from the LAN. At a high level it seems that traffic is making it
> >>>> through for the initial connection setup and there are also some further
> >>>> PPP packets but it seems that the conversation just goes silent.
> >>>>
> >>>> I have tried setting up shorewall in two different manners with the same
> >>>> results:
> >>>> - Using AUTOHELPERS=Yes
> >>>> - Specifying HELPERS=amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
> >>>>   and using the following rule in conntrack:
> >>>>
> >>>>   ?if __PPTP_HELPER
> >>>>   CT:helper:pptp:PO - - tcp 1723
> >>>>   ?endif
> >>>>
> >>>> Any ideas?
> >>>>
> >> Not really.
> >>
> >> The dump shows that the required modules are loaded:
> >>
> >> nf_conntrack_pptp 16715 3 nf_nat_pptp
> >> nf_conntrack_proto_gre 13024 1 nf_conntrack_pptp
> >> nf_nat 22338 10 nf_nat_ftp,nf_nat_irc,nf_nat_sip,ipt_MASQUERADE,nf_nat_proto_gre,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,iptable_nat
> >> nf_nat_pptp 12562 0
> >> nf_nat_proto_gre 12517 1 nf_nat_pptp
> >> PPTP Helper: Available
> >>
> >> and that the helper is being applied to TCP port 1723 in the raw
> >> PREROUTING chain:
> >>
> >> 11 920 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 CT helper pptp
> >>
> >> But:
> >>
> >> a) LOGFILE is not properly configured in shorewall.conf, since there
> >> are packets being logged but they are not displayed in the dump.
> >> Remember that LOGFILE doesn't determine where messages are logged, but
> >> rather tells Shorewall where to look for them.
> >>
> >> b) There are no active PPTP connections at the time the dump was taken.
> >>
> >> -Tom
> >
> > Right, I think at one point I tried pointing LOGFILE to the systemd
> > journal files but those are binary iirc.
> >
> > Using the systemd journal while trying to connect, I got the following
> > interesting snippet:
> >
> >> Feb 05 19:42:45 PointBlank kernel: Shorewall:+loc-net:DROP:IN=brlan OUT=enwan PHYSIN=enlan MAC=0c:8b:fd:e5:45:ca:94:de:80:6c:1e:44:08:00 SRC=172.16.17.60 DST=65.128.107.136 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=17230 DF PROTO=47
> >> Feb 05 19:42:45 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=65.128.107.136 DST=76.187.111.93 LEN=65 TOS=0x00 PREC=0x00 TTL=51 ID=41637 PROTO=47 MARK=0x1
> >
> > So it looks like it is dropping "Generic Routing Encapsulation (PPP)"
> > packets coming from the remote VPN (65.128.107.136) to the router
> > (76.187.111.93).
> >
> > Is GRE covered by the PPTP conntrack or is there another I should have
> > enabled?
> >
> Yes -- but your loc->net RELATED configuration is blocking the outbound
> GRE. So in both directions, you need to allow RELATED GRE packets.
>
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
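A small parser for the Shorewall journal lines quoted in the thread, added here as an example and not part of the original exchange: it picks out dropped GRE (PROTO=47) packets and reports which zone pairs are blocking the PPTP data channel and so need a RELATED GRE rule. The first two sample lines are the ones from the thread; the third is a constructed, unrelated TCP drop that the filter must ignore.

```python
import re

# Constructed sample: the two journal lines quoted in the thread plus one
# unrelated TCP drop, so the filter has something to ignore.
SAMPLE_LOG = """\
Feb 05 19:42:45 PointBlank kernel: Shorewall:+loc-net:DROP:IN=brlan OUT=enwan PHYSIN=enlan MAC=0c:8b:fd:e5:45:ca:94:de:80:6c:1e:44:08:00 SRC=172.16.17.60 DST=65.128.107.136 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=17230 DF PROTO=47
Feb 05 19:42:45 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=65.128.107.136 DST=76.187.111.93 LEN=65 TOS=0x00 PREC=0x00 TTL=51 ID=41637 PROTO=47 MARK=0x1
Feb 05 19:42:46 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=203.0.113.9 DST=76.187.111.93 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=22
"""

GRE = "47"  # IP protocol number for GRE, which carries PPTP's PPP frames

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:", followed by
# the kernel's KEY=VALUE fields (OUT= may legitimately be empty).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict of the log fields plus 'chain'/'disp', or None if not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("rest")))
    # The thread's loc-net line carries a leading '+'; strip it so the
    # zone pair compares equal to the plain chain name.
    rec["chain"] = m.group("chain").lstrip("+")
    rec["disp"] = m.group("disp")
    return rec

def find_gre_drops(log_text):
    """Dropped GRE packets, i.e. the PPTP data channel being blocked."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r["disp"] == "DROP" and r.get("PROTO") == GRE]

def affected_zone_pairs(drops):
    """Zone pairs (e.g. 'loc-net', 'net-fw') that need a RELATED GRE rule."""
    return sorted({r["chain"] for r in drops})

if __name__ == "__main__":
    drops = find_gre_drops(SAMPLE_LOG)
    for r in drops:
        print(f"GRE dropped in {r['chain']}: {r['SRC']} -> {r['DST']} "
              f"(in={r['IN'] or '-'} out={r['OUT'] or '-'})")
    print("zone pairs needing RELATED GRE:", affected_zone_pairs(drops))
```

Point it at the output of journalctl -k (or whatever LOGFILE names) to confirm the GRE drops disappear after the RELATED rules are in place.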