Shorewall users - Dec 2004 - PPTP connections through Shorewall - WinXP Workstation to Win2003 Server

The problem scenario I describe was reported previously in the Shorewall
lists but its resolution does not seem to have made it into the lists.


Scenario:

Windows XP client seeking to establish a VPN connection to a Windows 2003
Server located behind a Shorewall firewall (running on Mandrake kernel
2.4.22-37mdk).

The connection cannot be made, the client reports error code 721.


Discussion:

Using tcpdump, one can see the client and server talking to each other.
Towards the end of this dialogue the client asks the server to call
it back on such-and-such a port, the server tries to do this but the
firewall rejects the traffic with ICMP destination unreachable. The
client eventually times out with error code 721.

The problem, in my case, was fixed by NOT loading the modules:

loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp
loadmodule ip_nat_proto_gre


Note: There is a warning in http://www.shorewall.net/PPTP.htm#ServerBehind
about LEAF/Bering with the 2.4.20 kernel. This warning is relevant
to 2.4.22-37mdk also.

I have not established whether 2.4.22-37mdk has the patch referred
to in http://www.shorewall.net/PPTP.htm. Is there any way tell
without inspecting the code from which a kernel was built?, so it''s
possible that the way I resolved the problem will only allow one VPN
connection to work.

Regardless of whether the kernel has the patch or not, it''s also
possible
that the above modules are buggy.

On 1 Dec 2004 at 16:08, Taso Hatzi wrote:
> The problem scenario I describe was reported previously in the Shorewall
> lists but its resolution does not seem to have made it into the lists.
> 
> 
> Scenario:
> 
> Windows XP client seeking to establish a VPN connection to a Windows 2003
> Server located behind a Shorewall firewall (running on Mandrake kernel
2.4.22-37mdk).
> 
> The connection cannot be made, the client reports error code 721.
> 
> 
> Discussion:
> 
> Using tcpdump, one can see the client and server talking to each other.
> Towards the end of this dialogue the client asks the server to call
> it back on such-and-such a port, the server tries to do this but the
> firewall rejects the traffic with ICMP destination unreachable. The
> client eventually times out with error code 721.
> 
> The problem, in my case, was fixed by NOT loading the modules:
> 
> loadmodule ip_conntrack_proto_gre
> loadmodule ip_conntrack_pptp
> loadmodule ip_nat_pptp
> loadmodule ip_nat_proto_gre
> 
> 
> Note: There is a warning in http://www.shorewall.net/PPTP.htm#ServerBehind
> about LEAF/Bering with the 2.4.20 kernel. This warning is relevant
> to 2.4.22-37mdk also.
> 
> I have not established whether 2.4.22-37mdk has the patch referred
> to in http://www.shorewall.net/PPTP.htm. Is there any way tell
> without inspecting the code from which a kernel was built?, so
it''s
> possible that the way I resolved the problem will only allow one VPN
> connection to work.
> 
> Regardless of whether the kernel has the patch or not, it''s also
possible
> that the above modules are buggy.
This may or may not be helpful, but I can confirm that multiple VPN 
connections from Win2K clients to NT4 RAS servers work fine here using 
Mandrake kernel 2.4.22-37. We are not using NAT for this - the VPN 
server traffic is routed through the firewall. 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

On Wed, 2004-12-01 at 16:08 +1100, Taso Hatzi wrote:
> Regardless of whether the kernel has the patch or not, it''s also
possible
> that the above modules are buggy.
I seem to recall running into this myself at some point. I couldn''t get
PPTP to work at all through my firewall when those modules were loaded.
And I''m sure that it was a commercial kernel although I don''t
recall if

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Wed, 2004-12-01 at 11:01 -0800, Tom Eastep wrote:
> On Wed, 2004-12-01 at 16:08 +1100, Taso Hatzi wrote:
> 
> > Regardless of whether the kernel has the patch or not, it''s
also possible
> > that the above modules are buggy.
> 
> I seem to recall running into this myself at some point. I
couldn''t get
> PPTP to work at all through my firewall when those modules were loaded.
> And I''m sure that it was a commercial kernel although I
don''t recall if
...it was Mandrake or not (sorry for the quick click of the <send>
button).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom wrote on 01/12/2004 17:03:01:
> On Wed, 2004-12-01 at 11:01 -0800, Tom Eastep wrote:
> > On Wed, 2004-12-01 at 16:08 +1100, Taso Hatzi wrote:
> > 
> > > Regardless of whether the kernel has the patch or not,
it''s also
possible
> > > that the above modules are buggy.
> > 
> > I seem to recall running into this myself at some point. I
couldn''t
get
> > PPTP to work at all through my firewall when those modules were 
loaded.
> > And I''m sure that it was a commercial kernel although I
don''t recall
if 
> 
> ...it was Mandrake or not (sorry for the quick click of the <send>
> button).
> 
Once upon a time, I used those modules here too.  IIRC, 2 or 3 versions of 
my Kernel ago I had some problems - people stopped connecting to the 
remote server when another user was already connected.  My PPTP is working 
in the old way, one Public-IP for each user that connects to the remote 
server.  lsmod tells me they are long gone now ;-(

/I hate PPTP! 

cheers,


________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

On Wed, 2004-12-01 at 17:39 -0200, Eduardo Ferreira
wrote:
> Tom wrote on 01/12/2004 17:03:01:
> Once upon a time, I used those modules here too.  IIRC, 2 or 3 versions of 
> my Kernel ago I had some problems - people stopped connecting to the 
> remote server when another user was already connected.  My PPTP is working 
> in the old way, one Public-IP for each user that connects to the remote 
> server.  lsmod tells me they are long gone now ;-(
Note that those modules are not auto-loaded -- if you want them loaded,
you must configure your system to have them loaded (include them
in /etc/shorewall/modules for example).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key