Hi! I have set up Shorewall on my router box - on the same machine I have a PPTP server running. Thanks to the guide on the Shorewall site I had it up and running in less than a day. But there are still some minor problems with that configuration. My network looks like this:

LAN ----- Router/Shorewall/PPTPD ----- Internet ------- Some other Computer

When somebody connects to my router from outside things work properly -> he/she can connect to the router over the PPP link. I can also reach the newly connected computer from inside the LAN - but not vice versa. That means the other computer cannot reach any computer in the LAN but the router. What can I do to make this possible?

The other strange thing is with some Windows clients: a Windows client can connect to the pptpd without problems when there are no other tunnels from the LAN to the Internet. But as soon as someone establishes a PPTP tunnel to a server outside - I cannot connect from outside anymore :( I'm not sure whether this has something to do with Shorewall, but I hope there is someone who had the same problem, and hopefully some solution for it.

Basically I use the two-interface example and the "Basic Setup" of the PPTP guide on shorewall.net.

I've attached the status.txt for the second problem - the one for the first will come soon. In this case 192.168.0.1 creates a tunnel to a server 195.70.107.162 and then a client with 172.28.20.160 tries to connect to my router ... and the attempt fails with:

Oct 22 16:01:17 Mithril pptpd[6530]: GRE: xmit failed from decaps_hdlc: Operation not permitted
Oct 22 16:01:17 Mithril pptpd[6530]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

Thanks in advance for any suggestions and help,
Roman
On Saturday 22 October 2005 07:18, Roman wrote:

> When somebody connects to my router from outside things work properly ->
> he/she can connect to the router over the PPP link. I can also reach the
> newly connected computer from inside the LAN - but not vice versa. That
> means the other computer cannot reach any computer in the LAN but the
> router. What can I do to make this possible?

I can't tell without seeing your pptpd configuration but I notice that you are masquerading connections out of the ppp+ devices so I would guess that it is a routing problem.

> The other strange thing is with some Windows clients: a Windows client
> can connect to the pptpd without problems when there are no other
> tunnels from the LAN to the Internet. But as soon as someone establishes
> a PPTP tunnel to a server outside - I cannot connect from outside
> anymore :( I'm not sure whether this has something to do with Shorewall,
> but I hope there is someone who had the same problem, and hopefully some
> solution for it.

These symptoms are caused by the lack of PPTP connection/NAT helpers in your kernel. Some distributions include the patches that provide those helpers and some don't. Unfortunately, with recent kernels, people are reporting on the Netfilter list that they have not been able to apply those patches and get them to work.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 22 October 2005 07:18, Roman wrote:

> I've attached the status.txt for the second problem - the one for the
> first will come soon. In this case 192.168.0.1 creates a tunnel to a
> server 195.70.107.162 and then a client with 172.28.20.160 tries to
> connect to my router ... and the attempt fails with:

172.28.20.160 is an address reserved by RFC 1918 -- where is it trying to connect from? I notice that you have 'norfc1918' specified on ppp0 yet the peer IP address is also an RFC 1918-reserved address. You might want to rethink using that option.

-Tom
Tom Eastep wrote:

> 172.28.20.160 is an address reserved by RFC 1918 -- where is it trying to
> connect from?

This is only an internal address - the computer is part of another VPN ... most probably its address is masqueraded. It will probably appear with a 195.* IP on the Internet...

> I notice that you have 'norfc1918' specified on ppp0 yet the
> peer IP address is also an RFC 1918-reserved address. You might want to
> rethink using that option.

Yes, I'm going to remove this option. I changed my Internet provider lately - previously it was not an RFC 1918 address - thanks!

> -Tom

Roman
Hi again!

Tom Eastep wrote:

> I can't tell without seeing your pptpd configuration but I notice that you are
> masquerading connections out of the ppp+ devices so I would guess that it is
> a routing problem.

Yes, I think too that it is a routing problem. Here are my config files (attached).

I do masquerade the ppp+ connections. Before I did that - I was not able to reach a connected peer from inside the LAN...

> These symptoms are caused by the lack of PPTP connection/NAT helpers in your
> kernel. Some distributions include the patches that provide those helpers and
> some don't. Unfortunately, with recent kernels, people are reporting on the
> Netfilter list that they have not been able to apply those patches and get
> them to work.

So this seems to be a similar problem to that described in http://www.shorewall.net/PPTP.htm#ClientsBehind. I don't think that I need to resolve this right now. This situation will be very, very rare. I just mentioned it because I thought that it may be related to the first problem ... But at least I know now what to do about this ... thanks again!
On Saturday 22 October 2005 08:36, Roman wrote:

> Hi again!
>
> Tom Eastep wrote:
> > I can't tell without seeing your pptpd configuration but I notice that you
> > are masquerading connections out of the ppp+ devices so I would guess
> > that it is a routing problem.
>
> Yes, I think too that it is a routing problem. Here are my config files
> (attached).
>
> I do masquerade the ppp+ connections. Before I did that - I was not able
> to reach a connected peer from inside the LAN...

Symptom of the same problem -- the remote client routing table needs to be modified to include a route to your local network via the peer (192.168.0.127). Unfortunately, PPTP doesn't define a way for the server to push that type of routing information to the client like OpenVPN does so the clients have to be configured to add the route.

-Tom
On Saturday 22 October 2005 08:52, Tom Eastep wrote:

> Symptom of the same problem -- the remote client routing table needs to be
> modified to include a route to your local network via the peer
> (192.168.0.127). Unfortunately, PPTP doesn't define a way for the server to
> push that type of routing information to the client like OpenVPN does so
> the clients have to be configured to add the route.

In some cases, the remote clients can just be configured to use the PPTP tunnel as their default route which will also solve this problem.

As I recall, when you can't take that approach then it's a manual process to configure routing. I seem to remember having a .com file to set up my routing after I connected to home via PPTP -- I've been using OpenVPN for so long that I'm a little fuzzy on the details of PPTP (you probably noticed that I'm no longer trying to maintain the PPTP document because I simply don't have the time to keep up with that VPN type).

-Tom
On Saturday 22 October 2005 08:52, Tom Eastep wrote:

> Symptom of the same problem -- the remote client routing table needs to be
> modified to include a route to your local network via the peer
> (192.168.0.127). Unfortunately, PPTP doesn't define a way for the server to
> push that type of routing information to the client like OpenVPN does so
> the client's have to be configured to add the route.

s/client's/clients/

-Tom
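Tom's routing diagnosis, worked through as an added example; this is not code from the thread, from Shorewall or from pptpd. It models the two routing tables with a plain longest-prefix-match lookup and shows three things the thread states: the client sends LAN-bound packets to its ISP gateway until it has a route for 192.168.0.0/24 via the peer 192.168.0.127; LAN-to-client traffic only gets a reply because MASQUERADE on ppp+ rewrites the source to an address the client does have a route to; and the RFC 1918 test behind the norfc1918 remark. Taken from the thread: the LAN 192.168.0.0/24, the peer address 192.168.0.127, and the addresses 172.28.20.160 and 195.70.107.162. Assumed, because the thread does not give them: the client's ppp address 192.168.0.200, the router's public address 198.51.100.10, the client's ISP gateway 203.0.113.1 (documentation ranges), and the interface names eth0/eth1/ppp0. The `route add` and `ip route add` lines in the code are the standard Windows and Linux syntax for the route Tom describes, not commands Roman posted.

```python
"""Longest-prefix-match routing simulation for the PPTP dial-in case.

Added example for this thread, not code from the thread, Shorewall or pptpd.
From the thread: LAN 192.168.0.0/24, peer 192.168.0.127. Assumed: the client's
ppp address 192.168.0.200, router public 198.51.100.10, ISP gateway 203.0.113.1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_PPP = ipaddress.ip_address("192.168.0.127")     # peer IP named in the thread
CLIENT_PPP = ipaddress.ip_address("192.168.0.200")     # assumed
ROUTER_PUBLIC = ipaddress.ip_address("198.51.100.10")  # assumed
ISP_GW = ipaddress.ip_address("203.0.113.1")           # assumed

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr) -> bool:
    """The test behind Shorewall's norfc1918 option; also why a private
    destination handed to an ISP gateway goes nowhere."""
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # next hop; None means on-link
    dev: str


def lookup(table: List[Route], dst) -> Optional[Route]:
    """Plain longest-prefix match over one table, as the kernel FIB does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def verdict(table: List[Route], dst) -> str:
    """Where a packet to dst leaves, and whether that can work for a LAN address."""
    dst = ipaddress.ip_address(dst)
    r = lookup(table, dst)
    if r is None:
        return f"no route to {dst}"
    if is_rfc1918(dst) and r.dev != "ppp0":
        # A private destination sent towards the ISP: dropped or blackholed upstream.
        return f"leaks: {dst} sent to {r.via} on {r.dev}"
    nexthop = "on-link" if r.via is None else str(r.via)
    return f"ok: {dst} via {nexthop} dev {r.dev}"


def client_table(with_lan_route: bool) -> List[Route]:
    """A dial-in client's table once the tunnel is up. The endpoint host route
    and the peer host route come from the PPTP stack; the LAN route is the one
    the client must add itself, since PPTP cannot push it:
        Windows: route add 192.168.0.0 mask 255.255.255.0 192.168.0.127
        Linux:   ip route add 192.168.0.0/24 via 192.168.0.127 dev ppp0
    """
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), ISP_GW, "eth0"),
        Route(ipaddress.ip_network("203.0.113.0/24"), None, "eth0"),
        Route(ipaddress.ip_network(f"{ROUTER_PUBLIC}/32"), ISP_GW, "eth0"),
        Route(ipaddress.ip_network(f"{ROUTER_PPP}/32"), None, "ppp0"),
    ]
    if with_lan_route:
        table.append(Route(LAN, ROUTER_PPP, "ppp0"))
    return table


def router_table() -> List[Route]:
    # LAN on eth1; pppd installs a host route to the connected client on ppp0.
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("198.51.100.1"), "eth0"),
        Route(LAN, None, "eth1"),
        Route(ipaddress.ip_network(f"{CLIENT_PPP}/32"), None, "ppp0"),
    ]


def lan_to_client_roundtrip(masq: bool) -> Tuple[str, str]:
    """LAN host -> client always works; the reply only finds its way back when
    the router masquerades the LAN source to its own ppp0 address, which the
    client has a host route for. That is the 'symptom of the same problem'."""
    lan_host = ipaddress.ip_address("192.168.0.5")
    forward = verdict(router_table(), CLIENT_PPP)
    reply_dst = ROUTER_PPP if masq else lan_host
    reply = verdict(client_table(with_lan_route=False), reply_dst)
    return forward, reply


if __name__ == "__main__":
    print("client -> LAN, no route  :", verdict(client_table(False), "192.168.0.5"))
    print("client -> LAN, with route:", verdict(client_table(True), "192.168.0.5"))
    print("LAN -> client, masq      :", lan_to_client_roundtrip(masq=True))
    print("LAN -> client, no masq   :", lan_to_client_roundtrip(masq=False))
```

The masquerade on ppp+ hides the missing client route rather than fixing it: once the client has the LAN route, the router no longer needs to rewrite LAN sources, and the LAN hosts see the client's real ppp address in their logs instead of the router's.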
Hi!

Tom Eastep wrote:

> As I recall, when you can't take that approach then it's a manual process to
> configure routing. I seem to remember having a .com file to set up my routing
> after I connected to home via PPTP -- I've been using OpenVPN for so long
> that I'm a little fuzzy on the details of PPTP (you probably noticed that I'm
> no longer trying to maintain the PPTP document because I simply don't have
> the time to keep up with that VPN type).

Adding the route did help me. Thanks a lot.

I don't really want to use PPTP but I have only Windows at work and therefore my possibilities are limited ... but I am considering using OpenVPN for Linux clients ...
On Saturday 22 October 2005 09:44, Roman wrote:

> Adding the route did help me. Thanks a lot.
>
> I don't really want to use PPTP but I have only Windows at work and
> therefore my possibilities are limited ... but I am considering using OpenVPN
> for Linux clients ...

OpenVPN works great on Windows too. There are a couple of nice GUIs for it also.

-Tom
> I don't really want to use PPTP but I have only Windows at work and
> therefore my possibilities are limited ... but I am considering using OpenVPN
> for Linux clients ...

OpenVPN is cross-platform and works very well under Windows. I just this past week replaced my PPTP installation with it.
Cyber Dog wrote:

> > I don't really want to use PPTP but I have only Windows at work and
> > therefore my possibilities are limited ... but I am considering using OpenVPN
> > for Linux clients ...
>
> OpenVPN is cross-platform and works very well under Windows. I just
> this past week replaced my PPTP installation with it.

Then I suppose I know now what I will do next week :D