I've got what I think is a fairly simple home network configuration with one Linux box functioning as the firewall, VPN server, DHCP server and file/print server. I am having trouble configuring both a VPN server (PopTop) and the firewall rules for a W2K PPTP VPN client. The VPN server runs on the firewall machine and the VPN client runs on a W2K machine behind the firewall. The VPN server works fine with one configuration but that config prevents the VPN client from connecting through the firewall to a remote host. Vice versa, with another config, the VPN client can connect but the VPN server doesn't work. Here's a picture:

When I'm in the office I want to connect to my home network:
W2K Laptop-->Office Network-->Internet-->My Firewall/Router/VPN Server-->Home Network

When I'm at home, I want to connect to the office network:
Office Network<--Office VPN<--Internet<--My Firewall/Router/VPN Server<--Home Network<--W2K Laptop

I've configured PPTP as per the 'basic setup' described in Tom's PPTP document.

Without the PPTP shorewall configuration, I have no problem connecting my W2K VPN client to my office's network. However, when I add the PPTP config info into the tunnels and interfaces files (as per table 1, table 2 in the PPTP docs), I can no longer get authenticated by my office's VPN server. The VPN client program running on W2K gives me the 619 error code (which, according to a few posts I found, is because the protocol 47, GRE, stuff is not getting through).

If my tunnels and interfaces files omit any mention of ppp+ and pptpserver, my W2K client can connect without a problem.

An interesting and perhaps (?) important point is that if I add the pptp configuration lines to the interfaces and tunnels files and then restart shorewall via 'shorewall restart' or 'shorewall stop; shorewall start', the W2K VPN client can still connect to my office's network. However, if I reboot the firewall, I get the 619 error.

As for the other direction, with the PPTP shorewall configuration added to those files, I can connect from my office into my home network. Obviously, I'd like to be able to support both at the same time....

I'm running Mandrake 10.0, with kernel 2.6.8.1, Shorewall 2.0.8. I've included the output from the ip commands as attachments as well as output from the shorewall status command: one from when the VPN client can connect, the other from when it cannot.

This configuration seems (to me) to be pretty straightforward and I'm sure that lots of examples of such a configuration exist. However, I haven't been able to find any postings that describe this particular problem. Therefore, I must be missing something pretty basic. And, yes, I'm new to shorewall, so please bear that in mind :-). I'm hoping that someone with more shorewall/iptables/networking knowledge can help me. I'll be happy to send along any other files - just ask :-)

Thanks.
--
David Macklem
dmacklem@netcom.ca
On Thursday 23 September 2004 11:14, David Macklem wrote:
> Without the PPTP shorewall configuration, I have no problem connecting my
> W2K VPN client to my office's network. However, when I add the PPTP config
> info into the tunnels and interfaces files (as per table 1, table 2 in the
> PPTP docs), I can no longer get authenticated by my office's VPN server.
> The VPN client program running on W2K gives me the 619 error code (which,
> according to a few posts I found, is because the protocol 47, GRE, stuff is
> not getting through).
>
> If my tunnels and interfaces files omit any mention of ppp+ and pptpserver,
> my W2K client can connect without a problem.
>
> An interesting and perhaps (?) important point is that if I add the pptp
> configuration lines to the interfaces and tunnels files and then restart
> shorewall via 'shorewall restart' or 'shorewall stop; shorewall start', the
> W2K VPN client can still connect to my office's network. However, if I
> reboot the firewall, I get the 619 error.

I'm surprised that we haven't seen this before. Here is what I believe is happening:

a) The W2k client establishes its TCP session with the PPTP server at work.

b) That server starts the LCP negotiation which results in it sending a GRE frame.

c) If you don't have the 'pptpserver' tunnel defined to Shorewall, your firewall DROPs the GRE frame. Your W2k client eventually gets around to sending a GRE frame of its own which is accepted by the firewall; that causes a connection tracking entry to be created.

d) Now subsequent GRE frames from the PPTP server match the connection tracking entry and are redirected to the W2k box.

If you have the pptp tunnel defined, at step (c) your firewall *ACCEPTs* the GRE frames. This causes a connection tracking entry to be created and now all GRE frames from the server are swallowed by the firewall (who is probably returning a "Protocol not available" ICMP or some such). When your W2k client finally gets around to sending GRE, a *second* connection tracking entry is created but it's too late (you can actually see both entries in the "denied" status you sent).

What to do?

a) I believe that Mandrake 10 includes the PPTP connection tracking/NAT extensions (see http://shorewall.net/PPTP.htm#ClientsBehind). If so, you might try loading the relevant modules and see if that helps.

b) If that fails then define your tunnel as follows:

pptpserver net !<PPTP SERVER IP>

where <PPTP SERVER IP> is the IP address of the PPTP server at your work.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
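The two-entry state Tom describes (one GRE flow terminated on the firewall itself, a second one forwarded for the LAN client, both for the same PPTP server) is visible in the kernel's connection-tracking table. The script below is an added example, not from the thread and not Shorewall code: a POSIX sh/awk check that reads conntrack lines and reports PPTP peers for which both kinds of GRE entry exist. The sample conntrack lines are constructed to mirror the 2.6-era /proc/net/ip_conntrack layout; the firewall's public address 198.51.100.7, the LAN prefix 192.168.1. and the office PPTP server 203.0.113.5 are placeholders. On newer kernels the same fields appear in /proc/net/nf_conntrack (or `conntrack -L -p gre`), which the parser also handles.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): detect the
# "two GRE conntrack entries for one PPTP server" condition that makes a
# PPTP client behind the firewall fail when the firewall also ACCEPTs
# GRE for its own PopTop server.
#
# Placeholders (assumptions): the firewall's public address is
# 198.51.100.7, the home LAN is 192.168.1.0/24 (prefix "192.168.1."),
# and the office PPTP server is 203.0.113.5.
#
# Constructed sample of /proc/net/ip_conntrack lines in the 2.6-era
# layout: proto name, proto number, timeout, original tuple, reply tuple.
# Line 2 is a GRE flow the firewall accepted for itself (original dst is
# the firewall's own address and the reply comes from it); line 3 is the
# LAN client's own GRE flow, SNATed on the way out (original src is the
# 192.168.1.10 client, reply dst is the firewall's public address).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1040 dport=1723 src=203.0.113.5 dst=198.51.100.7 sport=1723 dport=1040 [ASSURED] use=1
unknown  47 599 src=203.0.113.5 dst=198.51.100.7 src=198.51.100.7 dst=203.0.113.5 use=1
unknown  47 599 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.7 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=1025 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=1025 use=1'

# gre_conflicts FW_PUBLIC_IP LAN_PREFIX  < conntrack-table
#
# Prints one line per remote PPTP peer that has both a GRE entry
# terminated on the firewall and a GRE entry forwarded for a LAN client.
# Matches both the ip_conntrack and the nf_conntrack line layouts, since
# a GRE entry carries "47 <timeout> src=..." in either.
gre_conflicts() {
  awk -v fw="$1" -v lan="$2" '
    /(^| )47 +[0-9]+ +src=/ {
      # Collect the src=/dst= pairs: pair 1 is the original direction,
      # pair 2 is the reply direction.
      n = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
        else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
      }
      if (n < 2) next
      if (dst[1] == fw) {
        # Packet was addressed to the firewall itself and the firewall
        # answered: the flow is owned by the firewall, not a LAN client.
        term[src[1]]++
      } else if (src[1] == fw) {
        # Firewall-originated GRE (PopTop talking to a remote client).
        term[dst[1]]++
      } else if (index(src[1], lan) == 1) {
        # LAN client GRE flow leaving through NAT.
        fwd[dst[1]]++
      }
    }
    END {
      for (p in term)
        if (fwd[p] > 0)
          print p, "fw_terminated=" term[p], "lan_forwarded=" fwd[p]
    }' | sort
}

# Demonstration on the constructed sample. On a live 2.6 box, run
#   gre_conflicts <public-ip> <lan-prefix> < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | gre_conflicts 198.51.100.7 192.168.1.
```

A peer listed with both counters non-zero is exactly the race described above: the server's first GRE frame created a firewall-owned entry, and the client's later GRE frame created a second, forwarded entry that the server's traffic never matches. A peer with only fw_terminated entries is a normal remote client of the local PopTop server and is not a problem.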
David Macklem
2004-Sep-24 15:14 UTC
RE: help with a W2K VPN client 619 error and PPTP server
Tom,

Thanks for your help and quick feedback.

That sounds like a reasonable explanation. Unfortunately, though, I changed the tunnels file as per your suggestion but ran into the same symptoms.

I'm in the process of trying to figure out how to enable the connection tracking/NAT extensions in my 2.6 kernel. (Although I'm using the latest Mandrake 10 kernel, 2.6.8.1-q10, I think I have to do some Kconfig modifications to make these options available in the config file. More on this later, if I make any progress.)

FWIW, I've included the output from 'shorewall status' after trying to connect run with the above tunnels mods.

Again, thanks.
--
David Macklem
dmacklem@netcom.ca
On Friday 24 September 2004 08:14, David Macklem wrote:
> Tom,
>
> Thanks for your help and quick feedback.
>
> That sounds like a reasonable explanation. Unfortunately, though, I
> changed the tunnels file as per your suggestion but ran into the same
> symptoms.
>
> I'm in the process of trying to figure out how to enable the connection
> tracking/NAT extensions in my 2.6 kernel. (Although I'm using the latest
> Mandrake 10 kernel, 2.6.8.1-q10, I think I have to do some Kconfig
> modifications to make these options available in the config file. More on
> this later, if I make any progress.)
>
> FWIW, I've included the output from 'shorewall status' after trying to
> connect run with the above tunnels mods.

Doesn't look to me like you have defined the tunnel any differently:

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  6755 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   10   650 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,20,21
    4   192 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

The 'source' column for the second and third rule should have !<server ip address> in them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 24 September 2004 08:48, Tom Eastep wrote:
> Doesn't look to me like you have defined the tunnel any differently:
>
> The 'source' column for the second and third rule should have !<server ip
> address> in them.

1000 apologies! The 'firewall' script ignores the GATEWAY column on a 'pptpserver' tunnel :-(

So..........

Remove the pptpserver tunnel and add these rules:

ACCEPT net:!<PPTP SERVER IP> fw 47
ACCEPT net:!<PPTP SERVER IP> fw tcp 1723
ACCEPT fw net 47
ACCEPT fw net tcp 1723

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 24 September 2004 08:54, Tom Eastep wrote:
> 1000 apologies! The 'firewall' script ignores the GATEWAY column on a
> 'pptpserver' tunnel :-(
>
> So..........
>
> Remove the pptpserver tunnel and add these rules:
>
> ACCEPT net:!<PPTP SERVER IP> fw 47
> ACCEPT net:!<PPTP SERVER IP> fw tcp 1723
> ACCEPT fw net 47
> ACCEPT fw net tcp 1723

Both the STABLE2/ and the Shorewall2/ CVS projects have been updated with a correction for this problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 24 September 2004 10:13, Tom Eastep wrote:
> Both the STABLE2/ and the Shorewall2/ CVS projects have been updated with a
> correction for this problem.

Now STABLE/ (Shorewall 1.4) is also updated -- regrettably, the first updates to STABLE2/ and Shorewall2/ had a typo; those are now fixed as well.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
David Macklem
2004-Sep-24 20:56 UTC
RE: help with a W2K VPN client 619 error and PPTP server
Tom,

Thanks again for your help.

When I add these lines to the rules file:

ACCEPT net:!<PPTP SERVER IP> fw 47
ACCEPT net:!<PPTP SERVER IP> fw tcp 1723

shorewall doesn't start because of:

Error: Exclude list only allowed with DNAT or REDIRECT

Since you fixed the problem with the gateway column on a pptpserver tunnel in CVS, do you think the best course of action would be for me to build shorewall from the STABLE2 CVS tree?
--
David Macklem
dmacklem@netcom.ca
David Macklem wrote:
| Tom,
|
| Thanks again for your help.
|
| When I add these lines to the rules file:
| ACCEPT net:!<PPTP SERVER IP> fw 47
| ACCEPT net:!<PPTP SERVER IP> fw tcp 1723
|
| shorewall doesn't start because of:
|
| Error: Exclude list only allowed with DNAT or REDIRECT
|

I believe you have omitted the ":" between the zone name and the "!".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
David Macklem
2004-Sep-25 17:56 UTC
RE: help with a W2K VPN client 619 error and PPTP server
Tom,

Ooops. My turn for 1000 apologies. :-)

You were right, that fixed my problem, at least from the home network to office VPN perspective. I'll wait until next week to verify the VPN connection in the other direction but I'm sure it'll be fine.

Again, thanks for all of your help.
--
David Macklem
dmacklem@netcom.ca