karaluch Apprentice
Joined: 23 Apr 2005 Posts: 236 Location: Wrocław / Poland
Posted: Tue Dec 23, 2008 10:22 am Post subject: PPTP VPN Server and iptables
Since gentoo-wiki is down I have some trouble with, for example, the iptables configuration for a PPTP VPN server.
I followed this how-to https://forums.gentoo.org/viewtopic-t-470858-highlight-pptp+howto.html without shorewall.
My iptables:
Code:
export WAN=eth1
export LAN=eth0
export VPN=ppp0
export LAN_IP=172.16.111.0/255.255.255.0
# VPN PPTP (1723)
iptables -A INPUT -p TCP --dport 1723 -i ${WAN} -j ACCEPT
iptables -A INPUT -p gre -d 172.16.100.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -d 172.16.100.100 -j ACCEPT
iptables -A FORWARD -p gre -d 172.16.111.1 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d 172.16.111.1 -j ACCEPT
iptables -A PREROUTING -t nat -p gre -d 172.16.100.100 -j DNAT --to-destination 172.16.111.1
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d 172.16.100.100 -j DNAT --to-destination 172.16.111.1:1723
iptables -A FORWARD -i ${VPN} -o ${LAN} -s 172.16.111.0/24 -j ACCEPT
# NAT for VPN-ie (ppp0)
iptables -I FORWARD -i ${VPN} -d ${LAN_IP} -j DROP
iptables -A FORWARD -i ${VPN} -s ${LAN_IP} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${VPN} -j MASQUERADE
From LAN: Everything is working
From WAN: I get error 619 in Windows XP
And my logs:
Code:
Dec 18 12:55:03 Serwer pptpd[3948]: GRE: read(fd=6,buffer=8059560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Dec 18 12:55:03 Serwer pptpd[3948]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Dec 18 12:55:03 Serwer pptpd[3948]: CTRL: Reaping child PPP[3949]
Dec 18 12:55:03 Serwer pptpd[3948]: CTRL: Client 0.0.0.0 control connection finished
Dec 18 12:55:04 Serwer pptpd[4087]: CTRL: Client 0.0.0.0 control connection started
Dec 18 12:55:04 Serwer pptpd[4087]: CTRL: Starting call (launching pppd, opening GRE)
Dec 18 12:55:04 Serwer pppd[4088]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Dec 18 12:55:04 Serwer pppd[4088]: pppd 2.4.4 started by root, uid 0
Dec 18 12:55:04 Serwer pppd[4088]: Using interface ppp0
Dec 18 12:55:04 Serwer pppd[4088]: Connect: ppp0 <--> /dev/pts/19
Dec 18 12:55:34 Serwer pppd[4088]: LCP: timeout sending Config-Requests
Dec 18 12:55:34 Serwer pppd[4088]: Connection terminated.
Dec 18 12:55:34 Serwer pppd[4088]: Modem hangup
Dec 18 12:55:34 Serwer pppd[4088]: Exit.
Dec 18 12:55:34 Serwer pptpd[4087]: GRE: read(fd=6,buffer=8059560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Dec 18 12:55:34 Serwer pptpd[4087]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Dec 18 12:55:34 Serwer pptpd[4087]: CTRL: Reaping child PPP[4088]
Dec 18 12:55:34 Serwer pptpd[4087]: CTRL: Client 0.0.0.0 control connection finished
Dec 18 12:55:36 Serwer pptpd[4223]: CTRL: Client 0.0.0.0 control connection started
Dec 18 12:55:36 Serwer pptpd[4223]: CTRL: Starting call (launching pppd, opening GRE)
Dec 18 12:55:36 Serwer pppd[4226]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Dec 18 12:55:36 Serwer pppd[4226]: pppd 2.4.4 started by root, uid 0
Dec 18 12:55:36 Serwer pppd[4226]: Using interface ppp0
Dec 18 12:55:36 Serwer pppd[4226]: Connect: ppp0 <--> /dev/pts/19
Dec 18 12:56:06 Serwer pppd[4226]: LCP: timeout sending Config-Requests
Dec 18 12:56:06 Serwer pppd[4226]: Connection terminated.
Dec 18 12:56:06 Serwer pppd[4226]: Modem hangup
Dec 18 12:56:06 Serwer pppd[4226]: Exit.
Dec 18 12:56:06 Serwer pptpd[4223]: GRE: read(fd=6,buffer=8059560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Dec 18 12:56:06 Serwer pptpd[4223]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Dec 18 12:56:06 Serwer pptpd[4223]: CTRL: Reaping child PPP[4226]
Dec 18 12:56:06 Serwer pptpd[4223]: CTRL: Client 0.0.0.0 control connection finished
* 0.0.0.0 is my private WAN address
I need some help because I don't have any idea where my mistake is.
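Reading the log lines in the post with a small script, as an added example that is not part of the original post: pptpd accepts the control connection on TCP/1723 and launches pppd, but pppd then reports "LCP: timeout sending Config-Requests". LCP runs inside the PPP frames that PPTP carries in GRE, so this pattern means the TCP side passes the firewall while GRE in at least one direction does not. The script below classifies a syslog extract on that basis; the sample log, the function names and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a pptpd/pppd syslog extract.
# The sample log, function names and file paths are constructed for this example.

# Write a constructed sample log (modelled on the lines quoted in the post) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Dec 18 12:55:04 Serwer pptpd[4087]: CTRL: Client 0.0.0.0 control connection started
Dec 18 12:55:04 Serwer pptpd[4087]: CTRL: Starting call (launching pppd, opening GRE)
Dec 18 12:55:04 Serwer pppd[4088]: Connect: ppp0 <--> /dev/pts/19
Dec 18 12:55:34 Serwer pppd[4088]: LCP: timeout sending Config-Requests
Dec 18 12:55:34 Serwer pppd[4088]: Connection terminated.
Dec 18 12:55:36 Serwer pptpd[4223]: CTRL: Client 0.0.0.0 control connection started
Dec 18 12:55:36 Serwer pptpd[4223]: CTRL: Starting call (launching pppd, opening GRE)
Dec 18 12:56:06 Serwer pppd[4226]: LCP: timeout sending Config-Requests
EOF
}

# Count lines matching pattern $2 in file $1. grep -c exits 1 on zero matches,
# so keep the "0" it printed instead of letting a caller's set -e abort.
count_lines() {
    grep -c -- "$2" "$1" || true
}

# Print one verdict for log file $1:
#   no-control   no "control connection started": TCP/1723 never reached pptpd
#   gre-blocked  every call pptpd started died in LCP: the control channel works
#                but the GRE-carried PPP frames do not get through (a drop in
#                one direction only is enough to cause this)
#   ok           at least one call got past LCP, so both TCP/1723 and GRE pass
pptp_diagnose() {
    log=$1
    ctrl=$(count_lines "$log" 'CTRL: Client .* control connection started')
    calls=$(count_lines "$log" 'CTRL: Starting call')
    lcp=$(count_lines "$log" 'LCP: timeout sending Config-Requests')
    if [ "$ctrl" -eq 0 ]; then
        echo no-control
    elif [ "$calls" -gt 0 ] && [ "$lcp" -ge "$calls" ]; then
        echo gre-blocked
    else
        echo ok
    fi
}

# Usage: sh pptp_diag.sh /var/log/messages   (the path is an assumption; use the
# file your syslog writes pppd/pptpd messages to). Without an argument the
# diagnosis runs on the constructed sample instead.
if [ $# -gt 0 ]; then
    pptp_diagnose "$1"
else
    sample=$(mktemp)
    make_sample_log "$sample"
    printf 'sample log verdict: %s\n' "$(pptp_diagnose "$sample")"
    rm -f "$sample"
fi
```

On the sample the verdict is gre-blocked, which is the situation the post describes: the TCP/1723 rule works (the control connection is logged) while the GRE leg never completes, and pptpd's "PTY read or GRE write failed" lines are only the consequence of pppd giving up after its LCP timeout.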
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Tue Dec 23, 2008 12:01 pm
This could be an issue with the conntrack modules. Do you have NF_CONNTRACK_PPTP enabled on the firewall, since GRE packets need a special NAT helper module?
bb
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB |
karaluch Apprentice
Joined: 23 Apr 2005 Posts: 236 Location: Wrocław / Poland
Posted: Tue Dec 23, 2008 12:34 pm
Probably that is my problem, but then why does PPTP work from the LAN side?
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Tue Dec 23, 2008 12:36 pm
Maybe because you're in the same network?
bb
karaluch Apprentice
Joined: 23 Apr 2005 Posts: 236 Location: Wrocław / Poland
Posted: Tue Dec 23, 2008 2:30 pm
NF_CONNTRACK_PPTP is not enough. I have enabled these options in the kernel but I still have the same problem:
Code:
GRE: read(fd=6,buffer=8059560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Dec 18 12:56:06 Serwer pptpd[4223]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Tue Dec 23, 2008 2:57 pm
I found this while looking on Google:
http://www.nabble.com/Unable-to-get-MPPE-working-td15692333.html
maybe this helps you as well.
bb
karaluch Apprentice
Joined: 23 Apr 2005 Posts: 236 Location: Wrocław / Poland
Posted: Tue Dec 23, 2008 9:27 pm
I have read that article but I have no idea where the problem is, in:
- kernel
- iptables
- pptpd configuration
----
my kernel:
Code:
#
# Networking
#
CONFIG_NET=y
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
CONFIG_IP_FIB_HASH=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_ARPD=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
#
# Core Netfilter Configuration
#
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_NF_NAT_PROTO_GRE=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_NET_SCHED=y
/etc/ppp/options.pptpd
Code:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
One more time - from the LAN side it is working but from the WAN side I get error code 619 in Win XP Pro as the PPTP client.
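To check bbgermany's conntrack suggestion and the kernel excerpt above mechanically, an added example that is not part of the thread: the script greps a kernel .config for the Netfilter options that let conntrack and NAT follow a PPTP call (the GRE protocol tracker, the PPTP helper and their NAT counterparts) plus CONFIG_PPP and CONFIG_PPP_MPPE, which the require-mppe-128 line in options.pptpd depends on. The option list is my selection, the sample config is constructed, and the file paths are assumptions. The poster's excerpt already shows the NF_* options at =y, so that part would pass for them; the excerpt does not include the PPP section of the config.

```shell
#!/bin/sh
# Added example, not code from the thread: check a kernel .config for the
# options a PPTP server on a Netfilter/NAT box needs. The option list is my
# selection; the sample config and file paths are constructed.

# Netfilter side: track the GRE call and NAT it (what bbgermany pointed at).
# PPP side: the pppd kernel driver and MPPE, which require-mppe-128 in
# options.pptpd depends on.
PPTP_REQUIRED_OPTS="CONFIG_NF_CONNTRACK CONFIG_NF_CT_PROTO_GRE CONFIG_NF_CONNTRACK_PPTP \
CONFIG_NF_NAT_PROTO_GRE CONFIG_NF_NAT_PPTP CONFIG_PPP CONFIG_PPP_MPPE"

# Print each option that is neither =y nor =m in config file $1 and return
# how many are missing (0 means every required option is present).
check_pptp_kernel_config() {
    cfg=$1
    missing=0
    for opt in $PPTP_REQUIRED_OPTS; do
        if grep -q "^${opt}=[ym]$" "$cfg"; then
            continue
        fi
        if grep -q "^# ${opt} is not set$" "$cfg"; then
            echo "not set:  $opt"
        else
            echo "absent:   $opt (option not in this config at all)"
        fi
        missing=$((missing + 1))
    done
    return "$missing"
}

# Write a constructed sample to $1: the Netfilter options from the post are on,
# CONFIG_PPP is a module and MPPE is switched off.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NF_NAT_PROTO_GRE=y
CONFIG_NF_NAT_PPTP=y
CONFIG_PPP=m
# CONFIG_PPP_MPPE is not set
EOF
}

# Usage: sh check_pptp_kconfig.sh /usr/src/linux/.config
# (or, for the running kernel: zcat /proc/config.gz > /tmp/cfg && sh check_pptp_kconfig.sh /tmp/cfg)
# Without an argument the check runs on the constructed sample.
if [ $# -gt 0 ]; then
    check_pptp_kernel_config "$1"
else
    sample=$(mktemp)
    make_sample_config "$sample"
    check_pptp_kernel_config "$sample" || echo "$? option(s) missing in sample"
    rm -f "$sample"
fi
```

Two caveats on interpreting the result. A passing config only proves the code is there: with the options built in (=y, as in the post) nothing shows up in lsmod, so a clean check here plus the LCP timeout in the logs still points at the firewall rules rather than the kernel. And on kernels from 4.7 on, automatic helper assignment is disabled by default (net.netfilter.nf_conntrack_helper=0), so the PPTP helper only attaches if a raw-table rule asks for it, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp`; that is not an issue for the 2008 kernel in this thread but bites when the same ruleset is reused later.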
karaluch Apprentice
Joined: 23 Apr 2005 Posts: 236 Location: Wrocław / Poland
Posted: Mon Dec 29, 2008 8:27 am
Any ideas?