csharp2a@comcast.net
2004-Apr-16 12:52 UTC
pptp connect on firewall from load balanced addresses
I currently have pptp running on my shorewall firewall box in my home office. From my main office I am not able to authenticate to my shorewall firewall pptp. What we have in the main office is a load balanced Internet connection. Let me explain:

From my desktop in my main office, traffic passes through several switches, routers and the firewall. On the outside of the firewall is a device called a Fatpipe. The Fatpipe takes two T1 lines and load balances all traffic from the firewall between the two T1 lines. Each T1 is from a different ISP, hence each line has a different IP address. Traffic can be routed out either line and the lines can switch midstream depending on load. So, when the outbound connection is initiated, you may be on address 64.x.x.10 and all of a sudden, you are now on address 208.x.x.4. This change can happen multiple times during a session.

Now the question. pptp is not letting me authenticate on connect and I think that the address switching is the issue. What do I need to do to the firewall to allow the address switching and still remain connected and get authenticated?

Note: If I am outside the firewall on a dialup, the pptp connection works great.

Another possible issue is that in the main office, I am on a 10.x.x.x subnet and everything outbound from the Fatpipe is natted to the pat addresses of the T1 lines. Could this be causing an issue with the pptp connect on the home office firewall?

Thanks
Craig
David Tilley
2004-Apr-16 13:27 UTC
Re: pptp connect on firewall from load balanced addresses
On 04/16/04 07:52, "csharp2a@comcast.net" <csharp2a@comcast.net> wrote:

> Now the question. pptp is not letting me authenticate on connect and I think
> that the address switching is the issue. What do I need to do to the firewall
> to allow the address switching and still remain connected and get
> authenticated?

I'm not sure there's an answer here. The whole principle of a VPN is secure communication between two IPs. If one of those changes in midstream, I think you're out of luck. I can't think of a way around that, but maybe somebody else can.

Your real problem though may be the intervening routers/firewall at your office. I have several clients who use PPTP from their laptops to reach back to the home office when traveling, and we've found, for example, that most hotel and airport Internet setups (wireless or otherwise) do not properly NAT or even allow GRE. Even when they plug in as a guest at somebody else's office, outbound PPTP or IPSec is rarely supported. You might want to check into OpenVPN, as it can use a more firewall-friendly TCP transport.

> Note: If I am outside the firewall on a dialup, the pptp connection works
> great.

Then it doesn't sound like a Shorewall problem.
Tom Eastep
2004-Apr-16 13:51 UTC
Re: pptp connect on firewall from load balanced addresses
csharp2a@comcast.net wrote:

> Another possible issue is that in the main office, I am on a 10.x.x.x subnet
> and everything outbound from the Fatpipe is natted to the pat addresses
> of the T1 lines. Could this be causing an issue with the pptp connect
> on the home office firewall?

That's usually not an inhibitor to establishing a single connection to your PPTP server.

A bigger issue is whether your employer's firewall allows outbound PPTP at all. I know that my employer's firewall does not.

Contrary to another poster's experience, I've had good luck establishing PPTP connections back to my home network while I'm on the road in Hotels.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
David Tilley
2004-Apr-16 14:40 UTC
Re: pptp connect on firewall from load balanced addresses
On 04/16/04 08:51, "Tom Eastep" <teastep@shorewall.net> wrote:

> Contrary to another poster's experience, I've had good luck establishing
> PPTP connections back to my home network while I'm on the road in Hotels.

Can you suggest a hotel chain that's had VPN-friendly Internet service? We've struck out in Hiltons, Marriotts, and Sheratons. I'm begging here...
Tom Eastep
2004-Apr-16 14:52 UTC
Re: pptp connect on firewall from load balanced addresses
David Tilley wrote:

> On 04/16/04 08:51, "Tom Eastep" <teastep@shorewall.net> wrote:
>
>> Contrary to another poster's experience, I've had good luck establishing
>> PPTP connections back to my home network while I'm on the road in Hotels.
>
> Can you suggest a hotel chain that's had VPN-friendly Internet service?
> We've struck out in Hiltons, Marriotts, and Sheratons. I'm begging here...

I've had no problems at either Hiltons or Marriots.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
csharp2a@comcast.net
2004-Apr-16 15:11 UTC
Re: pptp connect on firewall from load balanced addresses
Tom,

We allow everything outbound with the exception of certain ports. pptp is allowed. I can get connected but not authenticated.

Could it have to do with my being on a 10.x.x.x subnet and being seen as a different address (64.x.x.x)?

I am including the pptpd log for a connection attempt. IP's are blocked out.

Apr 16 11:39:30 pcp04889297pcs pptpd[30573]: MGR: Manager process started
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: MGR: Launching /usr/sbin/pptpctrl to handle client
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: local address = 192.168.0.6
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: remote address = 192.168.1.100
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: pppd speed = 115200
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: pppd options file = /etc/ppp/options.pptp
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Client 208.x.x.x control connection started
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Received PPTP Control Message (type: 1)
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Made a START CTRL CONN RPLY packet
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: I wrote 156 bytes to the client.
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Sent packet to client
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Received PPTP Control Message (type: 7)
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Made a OUT CALL RPLY packet
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Starting call (launching pppd, opening GRE)
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: pty_fd = 5
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: tty_fd = 6
Apr 16 11:39:46 pcp04889297pcs pptpd[30576]: CTRL (PPPD Launcher): Connection speed = 115200
Apr 16 11:39:46 pcp04889297pcs pptpd[30576]: CTRL (PPPD Launcher): local address = 192.168.0.6
Apr 16 11:39:46 pcp04889297pcs pptpd[30576]: CTRL (PPPD Launcher): remote address = 192.168.1.100
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: I wrote 32 bytes to the client.
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Sent packet to client
Apr 16 11:39:46 pcp04889297pcs pppd[30576]: pppd 2.4.1 started by root, uid 0
Apr 16 11:39:46 pcp04889297pcs pppd[30576]: using channel 48
Apr 16 11:39:46 pcp04889297pcs pppd[30576]: Connect: <--> /dev/pts/0
Apr 16 11:39:46 pcp04889297pcs pppd[30576]: sent [LCP ConfReq id=0x1 <mru 1490> <asyncmap 0x0> <auth chap 81> <magic 0xbbcf721> <pcomp> <accomp> <mrru 1490> <endpoint [MAC:00:50:da:93:1d:12]>]
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Received PPTP Control Message (type: 15)
Apr 16 11:39:46 pcp04889297pcs pptpd[30575]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Apr 16 11:39:48 pcp04889297pcs pppd[30576]: sent [LCP ConfReq id=0x1 <mru 1490> <asyncmap 0x0> <auth chap 81> <magic 0xbbcf721> <pcomp> <accomp> <mrru 1490> <endpoint [MAC:00:50:da:93:1d:12]>]
Apr 16 11:40:20 pcp04889297pcs last message repeated 16 times
Apr 16 11:40:22 pcp04889297pcs pppd[30576]: sent [LCP ConfReq id=0x1 <mru 1490> <asyncmap 0x0> <auth chap 81> <magic 0xbbcf721> <pcomp> <accomp> <mrru 1490> <endpoint [MAC:00:50:da:93:1d:12]>]
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Received PPTP Control Message (type: 12)
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Made a CALL DISCONNECT RPLY packet
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Received CALL CLR request (closing call)
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: I wrote 148 bytes to the client.
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Sent packet to client
Apr 16 11:40:23 pcp04889297pcs pppd[30576]: Modem hangup
Apr 16 11:40:23 pcp04889297pcs pppd[30576]: Connection terminated.
Apr 16 11:40:23 pcp04889297pcs pppd[30576]: Exit.
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: GRE: read error: Bad file descriptor
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Client 208.x.x.x control connection finished
Apr 16 11:40:23 pcp04889297pcs pptpd[30575]: CTRL: Exiting now
Apr 16 11:40:23 pcp04889297pcs pptpd[30573]: MGR: Reaped child 30575

Craig

> csharp2a@comcast.net wrote:
>
> > Another possible issue is that in the main office, I am on a 10.x.x.x subnet
> > and everything outbound from the Fatpipe is natted to the pat addresses
> > of the T1 lines. Could this be causing an issue with the pptp connect
> > on the home office firewall?
>
> That's usually not an inhibitor to establishing a single connection to
> your PPTP server.
>
> A bigger issue is whether your employer's firewall allows outbound PPTP
> at all. I know that my employer's firewall does not.
>
> Contrary to another poster's experience, I've had good luck establishing
> PPTP connections back to my home network while I'm on the road in Hotels.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2004-Apr-16 15:21 UTC
Re: pptp connect on firewall from load balanced addresses
csharp2a@comcast.net wrote:

> Tom,
>
> We allow everything outbound with the exception of certain ports. pptp is allowed. I can get connected but not authenticated.
>
> Could it have to do with my being on a 10.x.x.x subnet and being seen as a different address (64.x.x.x)?
>
> I am including the pptpd log for a connection attempt. IP's are blocked out.
>

Notice that you are sending GRE frames but not receiving them -- that says to me that someone along the way is blocking those frames.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
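Tom's reading of the log (pppd keeps sending LCP ConfReq over the GRE tunnel and never logs a single rcvd frame, so the data path is dead even though the TCP/1723 control channel completed call setup) can be checked mechanically. What follows is an added example written for this page; it is not code from the thread, from pptpd or from Shorewall. It parses a pptpd/pppd syslog excerpt and classifies the failure as control channel, GRE path, or CHAP. It assumes the message formats visible in the log posted above (pptpd 1.1.x driving pppd 2.4 through syslog); the two sample logs are constructed, with placeholder host name `gw` and documentation addresses.

```python
"""Classify a pptpd/pppd syslog excerpt: did the attempt die on the TCP/1723
control channel, on the GRE (IP protocol 47) data path, or at PPP (CHAP)
authentication?  Added example for this thread, not pptpd's own code."""
import re
from dataclasses import dataclass, field

# Control message types from RFC 2637 that appear in the posted log.
CTRL_TYPES = {1: "Start-Control-Connection-Request", 7: "Outgoing-Call-Request",
              12: "Call-Clear-Request", 15: "Set-Link-Info"}

# Line shapes as logged by pptpd 1.1.x / pppd 2.4.x (see the posted log).
CTRL_MSG = re.compile(r"pptpd\[\d+\]: CTRL: Received PPTP Control Message \(type: (\d+)\)")
CALL_START = re.compile(r"pptpd\[\d+\]: CTRL: Starting call \(launching pppd, opening GRE\)")
PPP_FRAME = re.compile(r"pppd\[\d+\]: (sent|rcvd) \[(\w+) (\w+)")
REPEATED = re.compile(r"last message repeated (\d+) times")

# Constructed sample modeled on the poster's log ("gw" and 203.0.113.4 are
# placeholders, not the thread's host name or address).
BLOCKED_LOG = """\
Apr 16 11:39:46 gw pptpd[30575]: CTRL: Received PPTP Control Message (type: 1)
Apr 16 11:39:46 gw pptpd[30575]: CTRL: Received PPTP Control Message (type: 7)
Apr 16 11:39:46 gw pptpd[30575]: CTRL: Starting call (launching pppd, opening GRE)
Apr 16 11:39:46 gw pppd[30576]: sent [LCP ConfReq id=0x1 <mru 1490> <auth chap 81>]
Apr 16 11:39:46 gw pptpd[30575]: CTRL: Received PPTP Control Message (type: 15)
Apr 16 11:39:48 gw pppd[30576]: sent [LCP ConfReq id=0x1 <mru 1490> <auth chap 81>]
Apr 16 11:40:20 gw last message repeated 16 times
Apr 16 11:40:23 gw pptpd[30575]: CTRL: Received PPTP Control Message (type: 12)
"""

# Constructed contrast case: GRE flows both ways, the client simply fails CHAP.
AUTH_FAIL_LOG = """\
Apr 16 12:01:00 gw pptpd[30601]: CTRL: Received PPTP Control Message (type: 1)
Apr 16 12:01:00 gw pptpd[30601]: CTRL: Received PPTP Control Message (type: 7)
Apr 16 12:01:00 gw pptpd[30601]: CTRL: Starting call (launching pppd, opening GRE)
Apr 16 12:01:00 gw pppd[30602]: sent [LCP ConfReq id=0x1 <mru 1490> <auth chap 81>]
Apr 16 12:01:00 gw pppd[30602]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x1a2b3c4d>]
Apr 16 12:01:00 gw pppd[30602]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x1a2b3c4d>]
Apr 16 12:01:00 gw pppd[30602]: rcvd [LCP ConfAck id=0x1 <mru 1490> <auth chap 81>]
Apr 16 12:01:00 gw pppd[30602]: sent [CHAP Challenge id=0x1 <...>, name = "gw"]
Apr 16 12:01:00 gw pppd[30602]: rcvd [CHAP Response id=0x1 <...>, name = "craig"]
Apr 16 12:01:00 gw pppd[30602]: sent [CHAP Failure id=0x1 "E=691 R=1"]
"""


@dataclass
class Diagnosis:
    control_types: list = field(default_factory=list)
    call_started: bool = False
    sent: dict = field(default_factory=dict)   # "LCP ConfReq" -> frame count
    rcvd: dict = field(default_factory=dict)

    @property
    def lcp_sent(self) -> int:
        return sum(n for k, n in self.sent.items() if k.startswith("LCP "))

    @property
    def lcp_rcvd(self) -> int:
        return sum(n for k, n in self.rcvd.items() if k.startswith("LCP "))

    @property
    def gre_blocked(self) -> bool:
        # pppd talks only through the GRE tunnel: LCP going out with nothing
        # ever coming back means GRE is dropped somewhere on the path.
        return self.call_started and self.lcp_sent > 0 and self.lcp_rcvd == 0

    def verdict(self) -> str:
        if 7 not in self.control_types:
            return "control channel (TCP/1723) never reached Outgoing-Call-Request"
        if self.gre_blocked:
            return (f"control channel OK; {self.lcp_sent} LCP ConfReq sent, 0 LCP "
                    "frames received: GRE (IP proto 47) is blocked or not NATed on the path")
        if "CHAP Failure" in self.sent:
            return "GRE OK and LCP negotiated; client failed CHAP authentication"
        return "PPP negotiation completed"


def analyze(log_text: str) -> Diagnosis:
    d = Diagnosis()
    last = None   # (direction, "PROTO Code") of the previous pppd frame line
    for line in log_text.splitlines():
        if m := CTRL_MSG.search(line):
            d.control_types.append(int(m.group(1)))
            last = None
        elif CALL_START.search(line):
            d.call_started = True
            last = None
        elif m := PPP_FRAME.search(line):
            direction, proto, code = m.groups()
            key = f"{proto} {code}"
            table = d.sent if direction == "sent" else d.rcvd
            table[key] = table.get(key, 0) + 1
            last = (direction, key)
        elif (m := REPEATED.search(line)) and last is not None:
            # syslog collapsed N repeats of the previous line; credit them.
            direction, key = last
            table = d.sent if direction == "sent" else d.rcvd
            table[key] += int(m.group(1))
        else:
            last = None
    return d


if __name__ == "__main__":
    for name, log in (("blocked", BLOCKED_LOG), ("auth-fail", AUTH_FAIL_LOG)):
        d = analyze(log)
        print(f"{name}: control msgs {[CTRL_TYPES.get(t, t) for t in d.control_types]}")
        print(f"  LCP sent={d.lcp_sent} rcvd={d.lcp_rcvd} -> {d.verdict()}")
```

Run against the poster's own log the blocked case is what comes out: eighteen LCP ConfReq sent, nothing received, then the client's Call-Clear-Request (type 12) once it gives up. When the verdict is GRE, the next check belongs on the path rather than in pptpd or Shorewall: a capture for IP protocol 47 on the external interface (for example `tcpdump -ni eth0 proto gre`) shows whether any GRE from the client arrives at all. PPTP also ties the GRE tunnel to the peer address of the TCP/1723 control connection, so a balancer that moves the session to the other ISP's address mid-call breaks the tunnel no matter what the firewall permits.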
csharp2a@comcast.net
2004-Apr-16 16:58 UTC
Re: pptp connect on firewall from load balanced addresses
Ok, I will check.

> csharp2a@comcast.net wrote:
> > Tom,
> >
> > We allow everything outbound with the exception of certain ports. pptp is
> allowed. I can get connected but not authenticated.
> >
> > Could it have to do with my being on a 10.x.x.x subnet and being seen as a
> different address (64.x.x.x)?
> >
> > I am including the pptpd log for a connection attempt. IP's are blocked out.
> >
>
> Notice that you are sending GRE frames but not receiving them -- that
> says to me that someone along the way is blocking those frames.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net