
MS PPTP VPNs and NAT

#1 | 01 December 2001, 09:41 PM
dsmith (Thread Starter, Scooby Regular) | Joined: Mar 1999 | Posts: 4,518 | Likes: 0

Trying to sort out some Internet sharing for my parents' PCs. I've got smoothwall running on an old 486 beautifully with a standard dial-up ISP account. All standard web access works a treat.

Unfortunately my Dad has an MS VPN connection to work. This works just fine from his PC with a normal internet connection (same dial-up account/modem/ISP etc. as the smoothwall box) but fails miserably to connect via the Smoothwall.

I guess it must be the NAT on the smoothwall box that is killing it. I've done a tcpdump and the connection is hitting the smoothwall and being natted fine. The right module is loaded to nat (masquerade) the PPTP connection and it looks like it is being used. But the connection just never happens. From the tcpdump it looks like the VPN server never replies (it pings just fine, though). The smoothwall box is just a cut-down Linux kernel 2.2.something.

Has anybody got a standard MS VPN client to connect through a NAT router/firewall/Linux box, etc.? Does PPTP checksum the packets so that NAT will kill it?

Any tips on how to get it going?

Client is Win98SE

Ta

Deano


#2 | 01 December 2001, 11:13 PM
stevem2k (Scooby Regular) | Joined: Sep 2001 | Posts: 4,670 | Likes: 0 | From: Kingston (Surrey, not Jamaica)

Just a couple of daft questions while I wade through the smoothwall 'users' mail archive ...

Is TCP port 1723 open? Have you forwarded protocol 47 (GRE) as well (see below)?

Put this line at the very bottom of the /etc/rc.d/rc.network file and reboot:

/usr/local/bin/ipfwd --masq PPTP_SERVER_IP 47 &


SteveM



#3 | 04 December 2001, 01:16 AM
dsmith (Thread Starter, Scooby Regular) | Joined: Mar 1999 | Posts: 4,518 | Likes: 0

Steve

Also poking through the list archives (by mailing the list for 100 replies at a time zzzzzzz). Have you found a web-based archive?

Digging through the setup files, all outbound ports are open and protocol 47 is masqueraded. An lsmod gives masq_pptp as loaded.

I think the problem may be the other end. A telnet on port 1723 from the smoothwall box itself connects the basic TCP session OK. There is no NAT and the source port is in the low 1000s, e.g. 1283.

A telnet from a box behind the smoothwall is natted and fails even to connect at the TCP level. tcpdump shows no return packets. The source port is masqueraded to the high 60000s, e.g. 61024.

I suspect the F/W at the other end may have a slight config oddity which restricts the source ports connecting through to dest port 1723. God knows why or how.

I'll try and get nmap on an appropriate box and poke around the f/w with different source ports.

Dean
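The troubleshooting described in this post (a telnet to port 1723 that completes from the firewall itself but gets no return packets when masqueraded, and a tcpdump showing no replies) is the kind of capture a practitioner triages by hand. The following is an added example, not code from the thread or from smoothwall: it parses tcpdump-style text, reports TCP 1723 connection attempts that never received a SYN/ACK alongside those that completed, and counts GRE (protocol 47) packets in each direction so that a control channel that works while the data channel is silent stands out. The capture lines are constructed for the demonstration; the addresses are documentation ranges.

```python
"""Triage a tcpdump text capture for PPTP control-channel (TCP 1723) and
GRE data-channel traffic.

Example added for this thread, not code from the original post or from
smoothwall.  The capture lines below are constructed in tcpdump's text
format to mirror the symptom described: SYNs from a masqueraded high port
to 1723 that never get a SYN/ACK, while a direct connection completes."""
import re

PPTP_PORT = 1723

# tcpdump -n style lines, e.g.
# 21:14:01.100 IP 198.51.100.7.61024 > 203.0.113.5.1723: Flags [S], seq 10, win 8192, length 0
TCP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
GRE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): GREv1, call (\d+)")

# Constructed sample capture (not a real trace).
SAMPLE_CAPTURE = """\
21:14:01.100 IP 198.51.100.7.61024 > 203.0.113.5.1723: Flags [S], seq 10, win 8192, length 0
21:14:04.100 IP 198.51.100.7.61024 > 203.0.113.5.1723: Flags [S], seq 10, win 8192, length 0
21:14:10.100 IP 198.51.100.7.61024 > 203.0.113.5.1723: Flags [S], seq 10, win 8192, length 0
21:14:30.000 IP 198.51.100.7.1283 > 203.0.113.5.1723: Flags [S], seq 20, win 8192, length 0
21:14:30.050 IP 203.0.113.5.1723 > 198.51.100.7.1283: Flags [S.], seq 99, ack 21, win 8192, length 0
21:14:30.051 IP 198.51.100.7.1283 > 203.0.113.5.1723: Flags [.], ack 100, win 8192, length 0
21:14:31.000 IP 198.51.100.7 > 203.0.113.5: GREv1, call 7, seq 1, length 40
"""


def triage_pptp_capture(text):
    """Return which TCP 1723 connection attempts completed, which got no
    SYN/ACK at all, and how many GRE packets went each way."""
    syns = {}          # (client, client_port, server) -> SYNs seen
    answered = set()   # same key once the server's SYN/ACK was seen
    gre_lines = []     # (src, dst) of GREv1 packets
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            sport, dport = int(sport), int(dport)
            if dport == PPTP_PORT and flags == "S":
                key = (src, sport, dst)
                syns[key] = syns.get(key, 0) + 1
            elif sport == PPTP_PORT and flags == "S.":
                # SYN/ACK from the server: key it as the client saw it
                answered.add((dst, dport, src))
            continue
        m = GRE_RE.match(line)
        if m:
            gre_lines.append((m.group(1), m.group(2)))

    # Whoever was contacted on 1723 is the PPTP server for GRE purposes.
    servers = {server for (_, _, server) in syns}
    return {
        "unanswered": {k: n for k, n in syns.items() if k not in answered},
        "completed": sorted(k for k in syns if k in answered),
        "gre_to_server": sum(1 for _, dst in gre_lines if dst in servers),
        "gre_from_server": sum(1 for src, _ in gre_lines if src in servers),
    }


def report(result):
    """Human-readable findings, in the order a practitioner checks them:
    control channel first, then GRE in both directions."""
    lines = []
    for (client, port, server), n in sorted(result["unanswered"].items()):
        lines.append(f"{client}:{port} -> {server}:{PPTP_PORT}: {n} SYN(s), no SYN/ACK "
                     f"(check whether the far end filters on source address/port)")
    for client, port, server in result["completed"]:
        lines.append(f"{client}:{port} -> {server}:{PPTP_PORT}: TCP handshake completed")
    hint = ""
    if result["gre_to_server"] and not result["gre_from_server"]:
        hint = "  <- control up but no GRE back: is protocol 47 forwarded/masqueraded?"
    lines.append(f"GRE to server: {result['gre_to_server']}, "
                 f"GRE from server: {result['gre_from_server']}{hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_pptp_capture(SAMPLE_CAPTURE))))
```

Run against a real capture with `tcpdump -n -i ppp0 'port 1723 or proto 47'` piped to a file; the source ports listed for the unanswered attempts show directly whether it is the masqueraded high ports that get no reply.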
#4 | 04 December 2001, 07:20 AM
dowser (Scooby Senior) | Joined: Oct 2000 | Posts: 3,105 | Likes: 0 | From: Zurich, Switzerland

Have you set up the NAT in the ARP cache of the internal interface on the f/w (so that it answers ARP requests for this address)? Sounds like the 1st packet gets through and the internal host tries to respond with an ARP request... that isn't answered. Sniffer software will confirm.

Richard
#5 | 04 December 2001, 12:05 PM
dsmith (Thread Starter, Scooby Regular) | Joined: Mar 1999 | Posts: 4,518 | Likes: 0

The ARPs all work OK. Standard web browsing, FTP, ping all work fine from the clients inside the firewall. It's just no connection on port 1723 for PPTP.

I guess I could set up a box with Win2k Server here and see if I can connect to that across the firewall... Hmmm, where are those CDs.
#6 | 04 December 2001, 01:07 PM
kryten (Scooby Regular) | Joined: May 2000 | Posts: 869 | Likes: 0

Er, does smoothwall directly support NATted VPN connections?

The problem is usually that while the packets get through, the whole NAT thing changes the IP address, which invalidates all the checksums on the packet.

The device at the other end gets sent 'duff' packets and ignores them.

I can do everything fine on my router except VPN if I have it doing NAT as it doesn't support the ipsec tunnel.
#7 | 04 December 2001, 01:19 PM
David_Wallis (Scooby Regular) | Joined: Nov 2001 | Posts: 15,239 | Likes: 1 | From: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?

Is the NAT f*7cking things up, in that they have only allowed him to connect from a specific IP address...

David
#8 | 04 December 2001, 11:09 PM
stevem2k (Scooby Regular) | Joined: Sep 2001 | Posts: 4,670 | Likes: 0 | From: Kingston (Surrey, not Jamaica)

dsmith,

There's a full VPN guide about to go up on the smoothwall site.
Should have some NAT troubleshooting content.

Steve
#9 | 05 December 2001, 02:54 PM
roadrunner (Scooby Regular) | Joined: May 2001 | Posts: 730 | Likes: 0

Deano - let me know if you want some good IPSec/VPN guides.

rr
#10 | 05 December 2001, 03:33 PM
ptholt (Scooby Regular) | Joined: Dec 1999 | Posts: 3,846 | Likes: 0

I was looking into this, and from what I could see there's currently no software-based VPN that appears to cope with NAT due to specific IP addressing...

I'm hoping someone's gonna shout out and tell me otherwise, but I'm struggling to find anything.
#11 | 05 December 2001, 03:42 PM
dsmith (Thread Starter, Scooby Regular) | Joined: Mar 1999 | Posts: 4,518 | Likes: 0

There is no doubt that PPTP client-to-server VPN can work through NAT if the NAT server does it properly - there is a Linux masquerade module to do it and other people have (allegedly) got it to work + I know for a fact that this connection is natted by FW-1 on the way in to the server end. Cisco IOS can also NAT PPTP connections.

In general many VPN solutions do fail due to NAT. (We have just gone through this for a new application.) One of the primary purposes of VPN is to prevent IP packets being tampered with. The primary role of NAT is to tamper with IP packets. Which is the fundamental conflict.

I believe IPSec has two modes, one of which can be made to work through NAT if care is taken with key transfers.

This article has some interesting pointers: http://www.isp-planet.com/technology/nat_ipsec.html
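The point made in this post, that PPTP through NAT works only when the translator handles it properly, comes down to the data channel: PPTP carries PPP in GRE (IP protocol 47), and a GRE packet has no port numbers, so the only per-session field a masquerader can key on is the 16-bit Call ID in the enhanced GRE header defined in RFC 2637. A PPTP-aware helper such as the masq_pptp module mentioned earlier must track that Call ID (and rewrite it on the TCP 1723 control channel so it is unique on the outside); a plain IP masquerader cannot tell two inside clients of the same server apart. The following is an added example, not code from the thread, from smoothwall or from the kernel module: it parses and builds enhanced GRE headers and models the call-ID mapping in simplified form, with constructed packets and private addresses.

```python
"""PPTP data channel through NAT: parse the enhanced GRE header (RFC 2637)
and show why a masquerading router needs a PPTP-aware helper.

Example added for this thread; not code from smoothwall or from the
kernel's masq_pptp module.  Packets and addresses are constructed, and the
NAT model is a simplification of what a real helper does."""
import struct

GRE_PROTO_PPP = 0x880B                 # protocol type PPTP puts in GRE
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080  # Key, Sequence, Ack present
GRE_VERSION_ENHANCED = 1


def build_enhanced_gre(call_id, payload=b"", seq=None, ack=None):
    """Construct a PPTP-style GRE packet (used only to make sample traffic)."""
    flags = FLAG_K | GRE_VERSION_ENHANCED
    tail = b""
    if seq is not None:
        flags |= FLAG_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        tail += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id) + tail + payload


def parse_enhanced_gre(pkt):
    """Return the header fields of an enhanced GRE packet.

    Layout: flags/version (2), protocol (2), payload length (2), call ID (2),
    then optional 4-byte sequence and acknowledgment numbers.  There are no
    port numbers anywhere: the call ID is the only per-session field."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or flags & 0x7 != GRE_VERSION_ENHANCED or not flags & FLAG_K:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & FLAG_A:
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}


def plain_masq_lookup(server_ip, table):
    """What a non-PPTP-aware masquerader is reduced to for GRE: no ports, so the
    table can only map the outside peer to inside hosts.  With two inside
    clients talking to the same VPN server the answer is ambiguous."""
    hosts = table.get(server_ip, [])
    return hosts[0] if len(hosts) == 1 else None


class PptpNat:
    """Minimal model of a PPTP-aware masquerader.

    Each inside client announces its own call ID on the TCP 1723 control
    channel.  The helper rewrites it to an ID unique on the outside; GRE
    packets returning from the server carry that ID, so they can be mapped
    back to the right inside host and rewritten on the way in."""

    def __init__(self):
        self._next = 0x1000
        self.out_to_in = {}   # outside call ID -> (inside host, inside call ID)
        self.in_to_out = {}

    def register_call(self, inside_host, inside_call_id):
        """Seen on the outbound control channel: allocate the outside call ID."""
        key = (inside_host, inside_call_id)
        if key not in self.in_to_out:
            self.in_to_out[key] = self._next
            self.out_to_in[self._next] = key
            self._next += 1
        return self.in_to_out[key]

    def deliver_inbound(self, gre_pkt):
        """Map a GRE packet from the server to the inside host, restoring the
        client's own call ID.  No mapping means the packet is dropped, which is
        exactly what an unaware masquerader does with every inbound GRE packet."""
        fields = parse_enhanced_gre(gre_pkt)
        if fields["call_id"] not in self.out_to_in:
            return None
        host, inside_id = self.out_to_in[fields["call_id"]]
        return host, gre_pkt[:6] + struct.pack("!H", inside_id) + gre_pkt[8:]


def demo():
    nat = PptpNat()
    # Two inside clients both pick call ID 1 (clients number calls locally).
    a = nat.register_call("192.168.1.10", 1)
    b = nat.register_call("192.168.1.11", 1)
    # The server replies with the call ID it learned from the rewritten control channel.
    pkt_for_b = build_enhanced_gre(b, b"\xff\x03\xc0\x21", seq=7, ack=3)
    host, inner = nat.deliver_inbound(pkt_for_b)
    ambiguous = plain_masq_lookup("203.0.113.5", {"203.0.113.5": ["192.168.1.10", "192.168.1.11"]})
    return a, b, host, parse_enhanced_gre(inner)["call_id"], ambiguous


if __name__ == "__main__":
    print(demo())
```

A single client behind the NAT is the easy case (plain_masq_lookup has one candidate), which is why the TCP 1723 handshake failing before any GRE is exchanged, as reported earlier in this thread, points away from the GRE handling and towards the control channel or the far end.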

#12 | 05 December 2001, 04:03 PM
dowser (Scooby Senior) | Joined: Oct 2000 | Posts: 3,105 | Likes: 0 | From: Zurich, Switzerland

A lot of the VPN problems I've come across are related to cable modem providers - they generally NAT their cable modem network onto the Internet and it depends how they do the UDP traffic.

I've a list of OK providers somewhere, I'll try to dig it out if you're trying to do it via cable modem?

Richard