PPTP thru SUSEfirewall - Networking



Thread: PPTP thru SUSEfirewall

  1. PPTP thru SUSEfirewall

    Hi.

    I'm usually pretty good at solving my own issues but this time, I'm
    ready for some help... IF there is anyone out there who is up to the
    challenge. It seems that in my ongoing quest to solve this particular
    problem, there are scores of unanswered posts online with the same or
    similar situation that have just been ignored for months or even
    years.

    Anyhow, I have racked my brain on this one and could use some insight.

    I maintain a small and relatively simple network.
    There are about 5 or 6 computers on a small internal network all using
    a SUSE router with firewall enabled. We have NAT enabled and all of us
    have no problem with the network or connection sharing. Port
    forwarding is pretty straightforward as well. However, I am trying to
    set it up so we can use VPN from the outside world and that is where
    the problem lies.
    I have done the research and know that I must forward port 1723 to the
    internal VPN server on our internal LAN and have done that. I have
    also enabled protocol 47 per the instructions found all around the
    Internet. So, I have met the requirements for PPTP as per all of the
    instructables I have read and while I can VPN from our internal LAN to
    a destination, I can not accept incoming VPN connections thru the SUSE
    firewall. I have bypassed the router for testing purposes and
    connected the modem directly to the VPN server and it accepts incoming
    VPN connections just fine that way. But, as soon as the network goes
    back up, the firewall prevents traffic from flowing to the VPN
    server.

    I know that port 1723 is reserved for VPN traffic but it seems, by
    reviewing my firewall logs, that a lot of incoming VPN traffic is not
    originating from port 1723. If that is the case, what ports do I open
    and forward to the VPN server for VPN traffic so we can get these
    outside computers to connect thru our router/firewall?
    What is the point of saying port 1723 is for VPN traffic if there is a
    wide range of ports used for incoming VPN traffic?

    So, could this be the problem? The firewall (SUSE firewall2) is
    blocking the incoming traffic because it is not port 1723 therefore
    has no way to be properly routed? Just a shot in the dark there but it
    seems to be the only sensible answer until I can find one or someone
    answers one of those old, abandoned posts asking basically the same
    question as I am here.

    Any help is greatly appreciated!!

    -Les


  2. Re: PPTP thru SUSEfirewall

    Leslie.E.Zeigler wrote:
    > I can not accept incoming VPN connections thru the SUSE
    > firewall. I have bypassed the router for testing purposes and
    > connected the modem directly to the VPN server and it accepts incoming
    > VPN connections just fine that way. But, as soon as the network goes
    > back up, the firewall prevents traffic from flowing to the VPN
    > server.


    What happens when you try to connect? Can you connect to port 1723 from
    the outside using telnet or netcat? What do your firewall rules look like?

    > I know that port 1723 is reserved for VPN traffic but it seems, by
    > reviewing my firewall logs, that a lot of incoming VPN traffic is not
    > originating from port 1723.


    I would expect that NO incoming VPN traffic originates from port 1723.
    It goes TO port 1723; the source port is irrelevant.

    KR
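KR's point that the source port is irrelevant can be checked against the firewall log itself. The Python below is an added example, not code from this thread or from SuSEfirewall2: it parses netfilter-style log lines (the sample lines are constructed, in the key=value format the kernel LOG target writes, with a SuSEfirewall2-style prefix and documentation-range addresses) and sorts dropped packets by what a PPTP server behind the firewall actually needs: TCP with destination port 1723 and protocol 47 (GRE). The source port is never consulted for inbound control traffic.

```python
import re

# Constructed sample log lines (not from the thread) in the key=value format the
# netfilter LOG target writes, with a SuSEfirewall2-style prefix. Addresses are
# documentation ranges; the client source ports vary exactly as Les observed.
SAMPLE_LOG = """\
Jul  5 11:58:01 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=1723 SYN
Jul  5 11:58:02 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=1723 SYN
Jul  5 11:58:03 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=76 PROTO=47
Jul  5 11:58:04 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=1723 DPT=33321 ACK
Jul  5 11:58:05 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 PROTO=UDP SPT=5353 DPT=5353
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Label a logged packet by what a PPTP server behind the firewall needs.

    Inbound control traffic is recognised by its destination port only: a
    client picks an arbitrary source port, so SPT tells you nothing useful.
    """
    proto = fields.get("PROTO")
    if proto == "TCP" and fields.get("DPT") == "1723":
        return "pptp-control"        # control channel, must reach the VPN server
    if proto == "47":
        return "pptp-gre"            # tunnel data, no ports at all (logged as PROTO=47)
    if proto == "TCP" and fields.get("SPT") == "1723":
        return "from-port-1723"      # a remote server answering us, not an inbound VPN attempt
    return "other"


def summarize(log_text):
    """Count dropped packets per class so a gap (e.g. dropped GRE) stands out."""
    counts = {}
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        kind = classify(parse_line(line))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:16} {n}")
```

On the constructed sample the summary shows two dropped control connections and one dropped GRE packet, which is the pattern to look for when the TCP forward is in place but the tunnel still fails.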

  3. Re: PPTP thru SUSEfirewall

    On Jul 5, 12:28 pm, KR wrote:
    > Leslie.E.Zeigler wrote:
    > > I can not accept incoming VPN connections thru the SUSE
    > > firewall. I have bypassed the router for testing purposes and
    > > connected the modem directly to the VPN server and it accepts incoming
    > > VPN connections just fine that way. But, as soon as the network goes
    > > back up, the firewall prevents traffic from flowing to the VPN
    > > server.
    >
    > What happens when you try to connect? Can you connect to port 1723 from
    > the outside using telnet or netcat? What do your firewall rules look like?
    >
    > > I know that port 1723 is reserved for VPN traffic but it seems, by
    > > reviewing my firewall logs, that a lot of incoming VPN traffic is not
    > > originating from port 1723.
    >
    > I would expect that NO incoming VPN traffic originates from port 1723.
    > It goes TO port 1723; the source port is irrelevant.
    >
    > KR


    Hi KR and thanks for your reply.

    I have not tried to telnet in yet. I am able to get to "verifying user
    name and password" but the connection is usually terminated before
    that step completes. Again, if I bypass the router and connect
    directly to the modem, it authenticates and everything works as it
    should.

    Anyhow, the firewall rules are quite simplistic so far.
    Port 1723 TCP is set to forward to the VPN server.
    Protocol 47 has been opened or enabled.

    I have not found much more information regarding what else I need to
    do though I have read many online tutorials so far. They all pretty
    much cover these few topics. I can see when my "helpers" try to VPN in
    because I can see their ip address as well as their originating port
    and I see this on the VPN server even when it is behind the Suse
    router/firewall. Any idea why they can not finish authenticating? Is
    there more than just port 1723 and protocol 47 I need to open /
    redirect?

    Thanks in advance,
    -Les


  4. Re: PPTP thru SUSEfirewall

    Leslie.E.Zeigler wrote:
    > I have not tried to telnet in yet. I am able to get to "verifying user
    > name and password" but the connection is usually terminated before
    > that step completes. Again, if I bypass the router and connect
    > directly to the modem, it authenticates and everything works as it
    > should.


    This is something of a classic. Since you get to "Verifying...", the TCP
    port 1723 forwarding works as it should. However, it seems the GRE
    packets never reach their destination, since the authentication process
    never completes.

    > Anyhow, the firewall rules are quite simplistic so far.
    > Port 1723 TCP is set to forward to the VPN server.
    > Protocol 47 has been opened or enabled.
    >
    > I have not found much more information regarding what else I need to
    > do though I have read many online tutorials so far. They all pretty
    > much cover these few topics.


    The firewall has to know what to do with the GRE packets. It needs a
    PPTP connection tracker and NAT helper, or you'll have to forward all
    GRE packets to the VPN server manually. (The latter will work, but will
    break PPTP connections originating from the inside.)

    Netfilter (the Linux firewall) has had a PPTP connection tracker and a
    NAT helper for some time. They used to be called ip_conntrack_pptp and
    ip_nat_pptp respectively, until somewhere between 2.6.19 and 2.6.20 (I
    think), when nf_conntrack_pptp and nf_nat_pptp were introduced.

    Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the corresponding
    conntrack module will be loaded automatically) and see what happens.

    KR
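KR's explanation of why the TCP forward works while authentication still stalls is the crux of the thread, and a small model makes it concrete. The Python below is an added example, not code from this thread, from netfilter or from the nf_conntrack_pptp module itself: it builds constructed PPTP Outgoing-Call-Request/Reply control messages and enhanced GRE packets in the RFC 2637 layouts, plus a toy tracker that does what the helper does in principle: read the Call IDs off the TCP/1723 control channel and admit only GRE packets whose Call ID and direction match a call it has seen. A tracker that has seen nothing (the firewall without the helper) admits no GRE at all, which is the state Les describes. Addresses and Call IDs are made up.

```python
import struct

# Constants from RFC 2637 (PPTP); everything else below is a constructed toy model.
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1
OUT_CALL_REQUEST = 7
OUT_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B    # protocol type carried in enhanced GRE for PPP payloads


def build_out_call_request(call_id):
    """Constructed Outgoing-Call-Request; only the Call ID matters for this model."""
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100000000, 1, 1, 64, 0, 0, 0)
    body += b"\x00" * 64 + b"\x00" * 64           # phone number and subaddress fields
    hdr = struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUT_CALL_REQUEST, 0)
    return hdr + body


def build_out_call_reply(call_id, peer_call_id):
    """Constructed Outgoing-Call-Reply: the server's own Call ID plus the client's (peer) ID."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 100000000, 64, 0, 0)
    hdr = struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUT_CALL_REPLY, 0)
    return hdr + body


def parse_control(msg):
    """Return (kind, call_id, peer_call_id) for the two control messages we care about."""
    length, mtype, magic, ctype, _ = struct.unpack("!HHIHH", msg[:12])
    if mtype != CTRL_MESSAGE or magic != PPTP_MAGIC or length != len(msg):
        raise ValueError("not a PPTP control message")
    if ctype == OUT_CALL_REQUEST:
        return ("request", struct.unpack("!H", msg[12:14])[0], None)
    if ctype == OUT_CALL_REPLY:
        call_id, peer = struct.unpack("!HH", msg[12:16])
        return ("reply", call_id, peer)
    return ("other", None, None)


def build_gre(call_id, payload, seq=None):
    """Enhanced GRE header: K flag set (key = length + Call ID), S flag when a sequence number follows."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    hdr = struct.pack("!BBHHH", flags, 0x01, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def parse_gre(pkt):
    """Return the Call ID of an enhanced GRE packet, or raise if it is not one."""
    flags, ver, proto, _, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (ver & 0x07) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x20):
        raise ValueError("not enhanced GRE carrying PPP")
    return call_id


class PptpTracker:
    """Toy model of the helper's job: learn call IDs on TCP/1723, then admit matching GRE."""

    def __init__(self):
        self.pending = {}    # (client, server) -> Call ID the client proposed
        self.expect = set()  # (src, dst, call_id) triples for GRE that belongs to a live call

    def see_control(self, src, dst, msg):
        kind, call_id, peer = parse_control(msg)
        if kind == "request":
            self.pending[(src, dst)] = call_id
            return True
        if kind == "reply":
            client, server = dst, src
            if self.pending.get((client, server)) != peer:
                return False                     # reply does not match any request we saw
            del self.pending[(client, server)]
            # RFC 2637: each side puts the *peer's* Call ID in the GRE key.
            self.expect.add((client, server, call_id))   # client -> server carries the server's ID
            self.expect.add((server, client, peer))      # server -> client carries the client's ID
            return True
        return False

    def gre_allowed(self, src, dst, pkt):
        """Without a matching expectation the firewall has nothing to tie this packet to."""
        try:
            return (src, dst, parse_gre(pkt)) in self.expect
        except ValueError:
            return False


def demo():
    """Constructed exchange: an outside client calls the VPN server behind the firewall."""
    client, server = "203.0.113.7", "192.168.1.10"    # made-up addresses
    t = PptpTracker()
    t.see_control(client, server, build_out_call_request(0x1234))
    t.see_control(server, client, build_out_call_reply(0x0042, 0x1234))
    lcp = b"\xff\x03\xc0\x21"                          # start of a PPP LCP frame
    return {
        "client_to_server": t.gre_allowed(client, server, build_gre(0x0042, lcp, seq=1)),
        "server_to_client": t.gre_allowed(server, client, build_gre(0x1234, lcp, seq=1)),
        "unknown_call":     t.gre_allowed(client, server, build_gre(0x0099, lcp, seq=1)),
        "wrong_direction":  t.gre_allowed(server, client, build_gre(0x0042, lcp, seq=1)),
        "no_helper":        PptpTracker().gre_allowed(client, server, build_gre(0x0042, lcp, seq=1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'pass' if ok else 'drop'}")
```

The "no_helper" case is the thread's symptom: the control channel completes far enough to reach "Verifying...", then the GRE data that carries the PPP authentication has no state to match and is dropped. KR's alternative, forwarding every protocol 47 packet to the VPN server, corresponds to ignoring the Call ID entirely, which is why it also swallows GRE replies meant for inside clients.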

  5. Re: PPTP thru SUSEfirewall

    On Jul 5, 9:22 pm, KR wrote:
    > Leslie.E.Zeigler wrote:
    > > I have not tried to telnet in yet. I am able to get to "verifying user
    > > name and password" but the connection is usually terminated before
    > > that step completes. Again, if I bypass the router and connect
    > > directly to the modem, it authenticates and everything works as it
    > > should.
    >
    > This is something of a classic. Since you get to "Verifying...", the TCP
    > port 1723 forwarding works as it should. However, it seems the GRE
    > packets never reach their destination, since the authentication process
    > never completes.
    >
    > > Anyhow, the firewall rules are quite simplistic so far.
    > > Port 1723 TCP is set to forward to the VPN server.
    > > Protocol 47 has been opened or enabled.
    > >
    > > I have not found much more information regarding what else I need to
    > > do though I have read many online tutorials so far. They all pretty
    > > much cover these few topics.
    >
    > The firewall has to know what to do with the GRE packets. It needs a
    > PPTP connection tracker and NAT helper, or you'll have to forward all
    > GRE packets to the VPN server manually. (The latter will work, but will
    > break PPTP connections originating from the inside.)
    >
    > Netfilter (the Linux firewall) has had a PPTP connection tracker and a
    > NAT helper for some time. They used to be called ip_conntrack_pptp and
    > ip_nat_pptp respectively, until somewhere between 2.6.19 and 2.6.20 (I
    > think), when nf_conntrack_pptp and nf_nat_pptp were introduced.
    >
    > Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the corresponding
    > conntrack module will be loaded automatically) and see what happens.
    >
    > KR


    Hello and thanks again for the reply.
    Unfortunately, this:
    "Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the
    corresponding
    conntrack module will be loaded automatically) and see what happens."
    is beyond my understanding of this process. How would I perform this
    task?

    Thanks again,
    -Les


  6. Re: PPTP thru SUSEfirewall



    Leslie.E.Zeigler wrote:
    >> Netfilter (the Linux firewall) has had a PPTP connection tracker and a
    >> NAT helper for some time. They used to be called ip_conntrack_pptp and
    >> ip_nat_pptp respectively, until somewhere between 2.6.19 and 2.6.20 (I
    >> think), when nf_conntrack_pptp and nf_nat_pptp were introduced.
    >>
    >> Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the corresponding
    >> conntrack module will be loaded automatically) and see what happens.
    >>
    >> KR
    >
    > Hello and thanks again for the reply.
    > Unfortunately, this:
    > "Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the
    > corresponding
    > conntrack module will be loaded automatically) and see what happens."
    > is beyond my understanding of this process. How would I perform this
    > task?


    Just as root on your SUSE firewall, type this command:

    modprobe ip_nat_pptp

    and try to reconnect your VPN client.

    >
    > Thanks again,
    > -Les
    >


  7. Re: PPTP thru SUSEfirewall

    On Jul 6, 2:08 am, Philippe WEILL wrote:
    > Leslie.E.Zeigler wrote:
    > >> Netfilter (the Linux firewall) has had a PPTP connection tracker and a
    > >> NAT helper for some time. They used to be called ip_conntrack_pptp and
    > >> ip_nat_pptp respectively, until somewhere between 2.6.19 and 2.6.20 (I
    > >> think), when nf_conntrack_pptp and nf_nat_pptp were introduced.
    > >>
    > >> Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the corresponding
    > >> conntrack module will be loaded automatically) and see what happens.
    > >>
    > >> KR
    > >
    > > Hello and thanks again for the reply.
    > > Unfortunately, this:
    > > "Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the
    > > corresponding
    > > conntrack module will be loaded automatically) and see what happens."
    > > is beyond my understanding of this process. How would I perform this
    > > task?
    >
    > Just as root on your SUSE firewall, type this command:
    >
    > modprobe ip_nat_pptp
    >
    > and try to reconnect your VPN client.
    >
    > > Thanks again,
    > > -Les


    Thank you, Philippe WEILL.
    This seems to be the simplest solution so far so I will try this
    first.

    Regards,
    -Les


  8. Re: PPTP thru SUSEfirewall

    On Jul 6, 6:51 pm, "Leslie.E.Zeigler" wrote:
    > On Jul 6, 2:08 am, Philippe WEILL wrote:
    > > Leslie.E.Zeigler wrote:
    > > >> Netfilter (the Linux firewall) has had a PPTP connection tracker and a
    > > >> NAT helper for some time. They used to be called ip_conntrack_pptp and
    > > >> ip_nat_pptp respectively, until somewhere between 2.6.19 and 2.6.20 (I
    > > >> think), when nf_conntrack_pptp and nf_nat_pptp were introduced.
    > > >>
    > > >> Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the corresponding
    > > >> conntrack module will be loaded automatically) and see what happens.
    > > >>
    > > >> KR
    > > >
    > > > Hello and thanks again for the reply.
    > > > Unfortunately, this:
    > > > "Try "modprobe ip_nat_pptp" or "modprobe nf_nat_pptp" (the
    > > > corresponding
    > > > conntrack module will be loaded automatically) and see what happens."
    > > > is beyond my understanding of this process. How would I perform this
    > > > task?
    > >
    > > Just as root on your SUSE firewall, type this command:
    > >
    > > modprobe ip_nat_pptp
    > >
    > > and try to reconnect your VPN client.
    > >
    > > > Thanks again,
    > > > -Les
    >
    > Thank you, Philippe WEILL.
    > This seems to be the simplest solution so far so I will try this
    > first.
    >
    > Regards,
    > -Les


    modprobe ip_nat_pptp was the fix I needed.
    Everything now works as it should.
    Thanks for all the help and good luck to those who are dealing with
    this same problem. Hope this thread helps you should you happen to
    find it.

    -Les

