My apologies.. forgot to send this as plain text originally.

-----------

Hi all,

Trying to set up a pptp vpn, and am having some trouble. Hoping someone can shed some light on my troubles ;)

My setup is as follows:

The shorewall box is a firewall for the 10.4.44.0 network. It uses FreeS/WAN to maintain an ipsec tunnel to another shorewall box on the 10.4.45.0 network. These are not involved :)

Behind the fw (10.4.44.1) is a win2k server (10.4.44.10), which I'd like for users to be able to connect to via pptp.

I followed the docs on the PPTP page, by adding this to /etc/shorewall/rules:

DNAT net loc:10.4.44.10 tcp 1723
DNAT net loc:10.4.44.10 47 -

Internally, I can vpn into the win2k box ok (although that's a bit useless).

When I try and connect via a box on the public internet, I get the 'Error 721: couldn't connect' message, and I see this in the logs:

Feb 1 23:59:46 st1 Shorewall:net2all:1:DROP: IN=eth1 OUT= MAC=00:60:67:3a:3d:5d:00:01:5c:22:62:82:08:00 SRC=24.9.148.57 DST=67.173.253.212 LEN=57 TOS=00 PREC=0x00 TTL=121 ID=31458 PROTO=0

I don't understand why that packet is being blocked, really.

Adding a rule like this:

DNAT net loc:10.4.44.10 0 -

did not help (I didn't expect it to, but figured it was worth a try).

I also tried putting:

pptpserver net 10.4.44.10

in /etc/shorewall/tunnels, also without success.

Does anyone see anything I'm doing wrong? A step I'm missing, perhaps? Is the ipsec tunnel interfering with the pptp traffic?

Thanks ;)
Ross

# shorewall version
1.4.7c

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:c0:04:1a brd ff:ff:ff:ff:ff:ff
    inet 10.4.44.1/24 brd 10.4.44.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:67:3a:3d:5d brd ff:ff:ff:ff:ff:ff
    inet 67.173.253.212/20 brd 255.255.255.255 scope global eth1
5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
7: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:60:67:3a:3d:5d brd ff:ff:ff:ff:ff:ff
    inet 67.173.253.212/20 brd 255.255.255.255 scope global ipsec0
8: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
9: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
10: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip

# ip route show
24.9.61.9 via 67.173.240.1 dev ipsec0
10.4.44.0/24 dev eth0 proto kernel scope link src 10.4.44.1
10.4.45.0/24 via 67.173.240.1 dev ipsec0
67.173.240.0/20 dev eth1 proto kernel scope link src 67.173.253.212
67.173.240.0/20 dev ipsec0 proto kernel scope link src 67.173.253.212
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 67.173.240.1 dev eth1
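An added example (my own code, not from the thread or from Shorewall) that parses Shorewall log entries like the DROP line above and labels each packet as the PPTP control connection (tcp/1723), the GRE data channel (IP protocol 47), or something neither DNAT rule from the post can match. The first sample line is the one from the post; the other two are constructed, and the chain name net_dnat is an assumption.

```python
import re
from typing import Dict, Optional

# Sample log text (constructed): line 1 is the DROP entry from the post,
# lines 2-3 are made-up entries showing what matching PPTP traffic looks like.
SAMPLE_LOG = """\
Feb  1 23:59:46 st1 Shorewall:net2all:1:DROP: IN=eth1 OUT= MAC=00:60:67:3a:3d:5d:00:01:5c:22:62:82:08:00 SRC=24.9.148.57 DST=67.173.253.212 LEN=57 TOS=00 PREC=0x00 TTL=121 ID=31458 PROTO=0
Feb  1 23:59:50 st1 Shorewall:net_dnat:2:DNAT: IN=eth1 OUT= SRC=24.9.148.57 DST=67.173.253.212 LEN=48 TTL=121 ID=31460 PROTO=TCP SPT=1055 DPT=1723
Feb  1 23:59:51 st1 Shorewall:net_dnat:3:DNAT: IN=eth1 OUT= SRC=24.9.148.57 DST=67.173.253.212 LEN=57 TTL=121 ID=31461 PROTO=47
"""

# Shorewall prefixes netfilter LOG output with chain:rule-number:action.
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<rule>\d+):(?P<action>[A-Z]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE fields; OUT= may be empty

PPTP_CONTROL_PORT = 1723   # PPTP control connection runs over tcp/1723
GRE_PROTO = "47"           # PPP payload travels in GRE, IP protocol 47


def parse_shorewall_line(line: str) -> Optional[Dict[str, str]]:
    """Return the chain/rule/action header plus KEY=VAL fields, or None if not a Shorewall entry."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields.update(m.groupdict())
    return fields


def classify_pptp(entry: Dict[str, str]) -> str:
    """Label which half of a PPTP session (if any) a logged packet belongs to."""
    proto = entry.get("PROTO", "")
    if proto == "TCP" and entry.get("DPT") == str(PPTP_CONTROL_PORT):
        return "pptp-control"
    if proto == GRE_PROTO:
        return "pptp-gre"
    if proto == "0":
        # Protocol 0 is neither tcp/1723 nor GRE, so the two DNAT rules in the
        # post cannot match it; it falls through to net2all and is dropped.
        return "unexpected-proto-0"
    return "other"


def audit_log(text: str) -> Dict[str, int]:
    """Count packets per action:classification, skipping non-Shorewall lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        entry = parse_shorewall_line(line)
        if entry is None:
            continue
        key = f"{entry['action']}:{classify_pptp(entry)}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```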
On Mon, 2 Feb 2004, Ross Simpson wrote:

> Behind the fw (10.4.44.1) is a win2k server (10.4.44.10), which I'd like for users to be able to connect to via pptp.
>
> I followed the docs on the PPTP page, by adding this to /etc/shorewall/rules:
> DNAT net loc:10.4.44.10 tcp 1723
> DNAT net loc:10.4.44.10 47 -
>
> Internally, I can vpn into the win2k box ok (although that's a bit useless).
>
> When I try and connect via a box on the public internet, I get the 'Error 721: couldn't connect' message, and I see this in the logs:
>
> Feb 1 23:59:46 st1 Shorewall:net2all:1:DROP: IN=eth1 OUT=
> MAC=00:60:67:3a:3d:5d:00:01:5c:22:62:82:08:00 SRC=24.9.148.57
> DST=67.173.253.212 LEN=57 TOS=00 PREC=0x00 TTL=121 ID=31458 PROTO=0
>
> I don't understand why that packet is being blocked, really.

I don't understand why it is being sent. Have you loaded the ip_gre module? (if so unload it and throw it as far as you can).

> Adding a rule like this:
> DNAT net loc:10.4.44.10 0 -
> did not help (I didn't expect it to, but figured it was worth a try).
>
> I also tried putting:
> pptpserver net 10.4.44.10
>
> in /etc/shorewall/tunnels, also without success.
>

That is nonsense -- That says that you are running a PPTP server on the firewall system that can only be connected to from 10.4.44.10.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote on 2/2/2004, 6:58 PM:

> On Mon, 2 Feb 2004, Ross Simpson wrote:
>
> > Behind the fw (10.4.44.1) is a win2k server (10.4.44.10), which I'd
> > like for users to be able to connect to via pptp.
> >
> > I followed the docs on the PPTP page, by adding this to
> > /etc/shorewall/rules:
> > DNAT net loc:10.4.44.10 tcp 1723
> > DNAT net loc:10.4.44.10 47 -
> >
> > Internally, I can vpn into the win2k box ok (although that's a bit
> > useless).
> >
> > When I try and connect via a box on the public internet, I get the
> > 'Error 721: couldn't connect' message, and I see this in the logs:
> >
> > Feb 1 23:59:46 st1 Shorewall:net2all:1:DROP: IN=eth1 OUT=
> > MAC=00:60:67:3a:3d:5d:00:01:5c:22:62:82:08:00 SRC=24.9.148.57
> > DST=67.173.253.212 LEN=57 TOS=00 PREC=0x00 TTL=121 ID=31458 PROTO=0
> >
> > I don't understand why that packet is being blocked, really.
>
> I don't understand why it is being sent. Have you loaded the ip_gre
> module? (if so unload it and throw it as far as you can).
>
> > Adding a rule like this:
> > DNAT net loc:10.4.44.10 0 -
> > did not help (I didn't expect it to, but figured it was worth a try).
> >
> > I also tried putting:
> > pptpserver net 10.4.44.10
> >
> > in /etc/shorewall/tunnels, also without success.
> >
>
> That is nonsense -- That says that you are running a PPTP server on the
> firewall system that can only be connected to from 10.4.44.10.
>
> -Tom

I tried to connect from a different external machine. I wasn't able to connect, but there were no blocked packets shown this time.

Out of frustration (and due to an unrelated patch to the win2k machine), I rebooted both win2k and the shorewall box.. and the connection worked!

I'm not sure if I forgot to do a shorewall restart, or the planets just lined up, but it seems to be working now.

Thanks for the help :)
Ross
On Tuesday 03 February 2004 08:27 am, Ross Simpson wrote:

> Out of frustration (and due to an unrelated patch to the win2k machine),
> I rebooted both win2k and the shorewall box.. and the connection worked!
>
> I'm not sure if I forgot to do a shorewall restart, or the planets just
> lined up, but it seems to be working now.
>
> Thanks for the help :)

Such as it was :-)

Glad to hear that you got it working...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net