Hi all,
I'm currently trying to connect to my University VPN through my laptop
running Linux and a shorewall firewall.
My laptop is behind a US Robotics 8003 router DMZ. I'm using
pptpconfig to connect. I'm getting this as debug info from pptpconfig:
pptpconfig: debug information dump begins
WARNING: security sensitive information follows
pptpconfig 1.8 2006/04/06 06:22:26
# pppd --version
pppd version 2.4.3
# uname -a
Linux euler 2.6.17-gentoo-r7 #1 SMP Wed Sep 6 23:57:16 WEST 2006 i686
Mobile Intel(R) Pentium(R) 4 - M CPU 2.20GHz GenuineIntel GNU/Linux
# modinfo ppp_mppe || modinfo ppp_mppe_mppc
filename: /lib/modules/2.6.17-gentoo-r7/kernel/drivers/net/ppp_mppe.ko
author: Frank Cusack <fcusack@fcusack.com>
description: Point-to-Point Protocol Microsoft Point-to-Point
Encryption support
license: Dual BSD/GPL
alias: ppp-compress-18
version: 1.0.2
vermagic: 2.6.17-gentoo-r7 SMP mod_unload PENTIUM4 REGPARM
4KSTACKS gcc-4.1
depends: ppp_generic
srcversion: 6B88E623CA7C4D7FE2F11FA
# grep mppe /proc/modules
Array
(
[name] => UoS VPN
[server] => sucs-ras.soton.ac.uk
[domain] =>
[username] => pocm
[password] => (hidden by pptpconfig)
[pppd-options] =>
[pptp-options] =>
[resolv] =>
[dns-options] =>
[routing] => routing_client_to_lan
[usepeerdns] => 1
[require-mppe] => 1
[nomppe-40] =>
[nomppe-128] =>
[refuse-eap] => 1
[mppe-stateful] =>
[autostart] =>
[iconify] =>
[persist] =>
[debug] => 1
[client-to-lan] =>
)
# route -n (before pppd)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.123.254 0.0.0.0 UG 0 0 0 eth0
pptpconfig: debug information dump ends, starting pppd
pppd options in effect:
debug # (from /etc/ppp/peers/UoS%20VPN)
updetach # (from command line)
logfd 1 # (from command line)
linkname UoS%20VPN # (from /etc/ppp/peers/UoS%20VPN)
dump # (from /etc/ppp/peers/UoS%20VPN)
noauth # (from /etc/ppp/options.pptp)
refuse-chap # (from /etc/ppp/options.pptp)
refuse-mschap # (from /etc/ppp/options.pptp)
refuse-eap # (from /etc/ppp/options.pptp)
name pocm # (from /etc/ppp/peers/UoS%20VPN)
remotename UoS%20VPN # (from /etc/ppp/peers/UoS%20VPN)
# (from /etc/ppp/options.pptp)
pty pptp sucs-ras.soton.ac.uk --nolaunchpppd # (from /etc/ppp/peers/UoS%20VPN)
ipparam UoS%20VPN # (from /etc/ppp/peers/UoS%20VPN)
usepeerdns # (from /etc/ppp/peers/UoS%20VPN)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
require-mppe # (from /etc/ppp/peers/UoS%20VPN)
using channel 1
Using interface ppp0pptpconfig: monitoring interface ppp0
Connect: ppp0 <--> /dev/pts/4
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xbc9f8fb8>
<pcomp> <accomp>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
Waiting for 1 child processes...
script pptp sucs-ras.soton.ac.uk --nolaunchpppd , pid 351
sending SIGTERM to process 351
Script pptp sucs-ras.soton.ac.uk --nolaunchpppd finished (pid 351),
status = 0x0
# route -n (after pppd exit)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.123.254 0.0.0.0 UG 0 0 0 eth0
pptpconfig: pppd process terminated by signal 16 (failed)
pptpconfig: SIGUSR1
# route -n (after completion)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.123.254 0.0.0.0 UG 0 0 0 eth0
Following the problem diagnosis section from pptpclient.sf.net I
understand that I need to run tcpdump, so I did and I understand the
problem after all:
# tcpdump -i eth0 | grep soton.ac.uk
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
13:03:53.929064 IP sucs-ras.soton.ac.uk.1723 > 192.168.123.101.44181:
P 3325925107:3325925263(156) ack 1899407254 win 65379
<nop,nop,timestamp 21958321 1694159>: pptp [|pptp]
13:03:53.929123 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
. ack 156 win 432 <nop,nop,timestamp 1695025 21958321>
13:03:53.934212 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
P 1:169(168) ack 156 win 432 <nop,nop,timestamp 1695026 21958321>:
pptp [|pptp]
13:03:54.065727 IP sucs-ras.soton.ac.uk.1723 > 192.168.123.101.44181:
P 156:188(32) ack 169 win 65211 <nop,nop,timestamp 21958322 1695026>:
pptp [|pptp]
13:03:54.066360 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 1, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:03:54.066405 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 2, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:03:54.104818 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
. ack 188 win 432 <nop,nop,timestamp 1695069 21958322>
13:03:54.237501 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
0, ack 2, length 73: LCP, Conf-Request (0x01), id 0, length 55
13:03:54.238537 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
1, length 36: LCP, Conf-Ack (0x02), id 1, length 22
13:03:54.245943 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
2, length 36: LCP, Conf-Ack (0x02), id 1, length 22
13:03:56.508228 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
3, length 69: LCP, Conf-Request (0x01), id 1, length 55
13:03:56.939051 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 3, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:03:57.055621 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
4, ack 3, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:03:59.946960 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 4, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:00.021062 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
5, ack 4, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:00.548300 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
6, length 69: LCP, Conf-Request (0x01), id 2, length 55
13:04:02.951069 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 5, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:03.123290 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
7, ack 5, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:04.509145 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
8, length 69: LCP, Conf-Request (0x01), id 3, length 55
13:04:05.956717 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 6, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:06.018947 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
9, ack 6, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:08.507583 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
10, length 69: LCP, Conf-Request (0x01), id 4, length 55
13:04:08.959587 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 7, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:09.172869 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
11, ack 7, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:11.964693 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 8, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:12.043471 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
12, ack 8, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:12.568212 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
13, length 69: LCP, Conf-Request (0x01), id 5, length 55
13:04:14.968522 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 9, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:15.057896 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
14, ack 9, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:16.538990 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
15, length 69: LCP, Conf-Request (0x01), id 6, length 55
13:04:17.972053 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 10, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:04:18.059154 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
16, ack 10, length 40: LCP, Conf-Ack (0x02), id 1, length 22
13:04:20.528900 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
17, length 69: LCP, Conf-Request (0x01), id 7, length 55
13:04:25.399004 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
18, length 69: LCP, Conf-Request (0x01), id 8, length 55
13:04:26.009128 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
P 169:185(16) ack 188 win 432 <nop,nop,timestamp 1703044 21958322>:
pptp [|pptp]
13:04:26.009265 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
F 185:185(0) ack 188 win 432 <nop,nop,timestamp 1703044 21958322>
13:04:26.076656 IP sucs-ras.soton.ac.uk.1723 > 192.168.123.101.44181:
P 188:336(148) ack 185 win 65195 <nop,nop,timestamp 21958643 1703044>:
pptp [|pptp]
13:04:26.076711 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
R 1899407438:1899407438(0) win 0
13:04:26.083616 IP sucs-ras.soton.ac.uk.1723 > 192.168.123.101.44181:
F 336:336(0) ack 186 win 65195 <nop,nop,timestamp 21958643 1703044>
13:04:26.083670 IP 192.168.123.101.44181 > sucs-ras.soton.ac.uk.1723:
R 1899407439:1899407439(0) win 0
5571 packets captured
11894 packets received by filter
725 packets dropped by kernel
What seems strange to me is the 0.0.0.0 address.
I have also followed the shorewall config behind VPN
(http://www.shorewall.net/PPTP.htm#ClientFW) with shorewall 3.0.7.
So I have the following config for VPN besides the one which was
already working for me.
zones:
uos ipv4
interfaces:
- ppp+
tunnels:
pptpclient net 0.0.0.0/0
hosts:
uos ppp+:!192.168.1.0/24
Note that I can connect through Windows XP, also behind the US
Robotics Router, so the problem is within Linux. Do you think this is
some configuration issue with shorewall?
Thanks in advance,
--
Paulo Jorge Matos - pocm at soton.ac.uk
University of Southampton, UK
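
An added example, not part of the original post: a small Python script that rejoins the wrapped tcpdump records and tallies the LCP-over-GRE packets per direction, listing inbound GRE packets whose destination is not the client's address. The function names are assumptions of this example, and the sample records are in the format of the capture above.

```python
import re
from collections import Counter

# Sample records in the format of the capture above (long tcpdump
# lines wrapped onto two lines by the mail client).
SAMPLE = """\
13:03:54.066360 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 1, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:03:54.237501 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
0, ack 2, length 73: LCP, Conf-Request (0x01), id 0, length 55
13:03:54.238537 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
1, length 36: LCP, Conf-Ack (0x02), id 1, length 22
13:03:56.939051 IP 192.168.123.101 > sucs-ras.soton.ac.uk: GREv1, call
963, seq 3, length 36: LCP, Conf-Request (0x01), id 1, length 22
13:03:57.055621 IP sucs-ras.soton.ac.uk > 0.0.0.0: GREv1, call 0, seq
4, ack 3, length 40: LCP, Conf-Ack (0x02), id 1, length 22
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
GRE = re.compile(r"IP (\S+) > (\S+): GREv1, call (\d+),.*?"
                 r"LCP, (Conf-\w+) \(0x[0-9a-f]+\), id (\d+)")

def join_records(text):
    """Rejoin wrapped lines: a record starts with a tcpdump timestamp."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text, client_ip):
    """Count LCP packets per direction; collect inbound GRE not addressed to client_ip."""
    stats, misaddressed = Counter(), []
    for rec in join_records(text):
        m = GRE.search(rec)
        if not m:
            continue  # TCP control-channel records (port 1723) are skipped
        src, dst, call, lcp, _lcp_id = m.groups()
        direction = "out" if src == client_ip else "in"
        stats[f"{direction}:{lcp}"] += 1
        if direction == "in" and dst != client_ip:
            misaddressed.append((dst, int(call), lcp))
    return stats, misaddressed

if __name__ == "__main__":
    stats, bad = summarize(SAMPLE, "192.168.123.101")
    print(dict(stats))
    print("inbound GRE not addressed to the client:", bad)
```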