This is a discussion on "vpn w/ pptp?" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hello,

I'm having some trouble getting a WinXP client to connect to a win2k vpn server, passing through an OBSD 3.3 box, using pptp. I've attached the parts of the pf.conf pertaining to the pass through, along w/ some info from tcpdump. In addition, on the XP client, I am getting a host not responding error after it sits for a while trying to verify the username and password. On the 2k server using MS network monitor, and filtering for pptp, udp, gre packets I am not seeing anything coming from the internal interface. Can anyone please point out what I've done wrong?

# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

#################################################################
# define variables
ExtIF="ep0"
PrvIF="xl0"
NoGoIPs="{ 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
PrivateIPs="192.168.x.x/xx"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all fragment reassemble

#################################################################
# NAT
nat on ep0 from 192.168.x.x/xx to any -> x.x.x.x
nat on $ExtIF proto 47 from 192.168.x.x/xx to any -> x.x.x.x

#################################################################
# Internet (ep0)
#
rdr on $ExtIF proto { tcp, udp } from any to any port 1723 -> 192.168.x.x port 1723
rdr on $ExtIF proto 47 from any to any -> 192.168.x.x

#################################################################
# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all

#################################################################
# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Internet (ep0)
# prevent spoofing of non-routable addresses
block in log quick on $ExtIF from $NoGoIPs to any
block out quick on $ExtIF from any to $NoGoIPs

# stop all incoming packets
block in log on $ExtIF all

# VPN
pass in quick log on $ExtIF inet proto { tcp, udp } from any to any port 1723 keep state
pass out quick log on $ExtIF inet proto { tcp, udp } from any to any port 1723 keep state
pass in quick log on $PrvIF inet proto { tcp, udp } from any to 192.168.x.x port 1723 keep state
pass out quick log on $PrvIF inet proto { tcp, udp } from any to any port 1723 keep state
pass in log on $ExtIF proto gre from any to any keep state
pass out log on $ExtIF proto gre from any to any keep state
pass in log on $PrvIF proto gre from any to 192.168.x.x keep state
pass out log on $PrvIF proto gre from any to any keep state

(xl0 is the internal interface)

tcpdump -i xl0 port 1723
15:04:31.750342 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: S 2746972636:2746972636(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
15:04:31.750655 192.168.x.x.pptp > 01-062.082.popsite.net.3017: S 1354973239:1354973239(0) ack 2746972637 win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:04:31.941055 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: P 1:157(156) ack 1 win 8760 (DF)
15:04:31.941392 192.168.x.x.pptp > 01-062.082.popsite.net.3017: P 1:157(156) ack 157 win 65379 (DF)
15:04:32.167309 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: P 157:325(168) ack 157 win 8604 (DF)
15:04:32.236186 192.168.x.x.pptp > 01-062.082.popsite.net.3017: P 157:189(32) ack 325 win 65211 (DF)
15:04:32.440838 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: P 325:349(24) ack 189 win 8572 (DF)
15:04:32.562714 192.168.x.x.pptp > 01-062.082.popsite.net.3017: . ack 349 win 65187 (DF)
15:05:08.838491 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: P 349:365(16) ack 189 win 8572 (DF)
15:05:08.838810 192.168.x.x.pptp > 01-062.082.popsite.net.3017: P 189:337(148) ack 365 win 65171 (DF)
15:05:09.036090 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: P 365:381(16) ack 337 win 8424 (DF)
15:05:09.036365 192.168.x.x.pptp > 01-062.082.popsite.net.3017: P 337:353(16) ack 381 win 65155 (DF)
15:05:09.217582 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: F 381:381(0) ack 353 win 8408 (DF)
15:05:09.217835 192.168.x.x.pptp > 01-062.082.popsite.net.3017: F 353:353(0) ack 382 win 65155 (DF)
15:05:09.711686 01-062.082.popsite.net.3017 > 192.168.x.x.pptp: . ack 354 win 8408 (DF)

tcpdump -n -e -ttt -i pflog0
Oct 22 15:04:31.750242 rule 52/0(match): pass in on ep0: 64.24.161.62.3017 > 192.168.x.x.1723: S 2746972636:2746972636(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Oct 22 15:04:31.750311 rule 58/0(match): pass out on xl0: 64.24.161.62.3017 > 192.168.x.x.1723: S 2746972636:2746972636(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Oct 22 15:04:32.477322 rule 60/0(match): pass in on ep0: call 33767 seq 0 gre-ppp-payload (gre encap)
Oct 22 15:04:33.788309 rule 60/0(match): pass in on ep0: call 33767 seq 1 gre-ppp-payload (gre encap)
Oct 22 15:04:33.788326 rule 60/5(memory): pass in on ep0: call 33767 seq 1 gre-ppp-payload (gre encap)
Oct 22 15:04:36.795307 rule 60/0(match): pass in on ep0: call 33767 seq 2 gre-ppp-payload (gre encap)
Oct 22 15:04:36.795322 rule 60/5(memory): pass in on ep0: call 33767 seq 2 gre-ppp-payload (gre encap)
Oct 22 15:04:40.795668 rule 60/0(match): pass in on ep0: call 33767 seq 3 gre-ppp-payload (gre encap)
Oct 22 15:04:40.795683 rule 60/5(memory): pass in on ep0: call 33767 seq 3 gre-ppp-payload (gre encap)
Oct 22 15:04:44.800797 rule 60/0(match): pass in on ep0: call 33767 seq 4 gre-ppp-payload (gre encap)
Oct 22 15:04:44.800815 rule 60/5(memory): pass in on ep0: call 33767 seq 4 gre-ppp-payload (gre encap)
Oct 22 15:04:48.833283 rule 60/0(match): pass in on ep0: call 33767 seq 5 gre-ppp-payload (gre encap)
Oct 22 15:04:48.833301 rule 60/5(memory): pass in on ep0: call 33767 seq 5 gre-ppp-payload (gre encap)
Oct 22 15:04:52.876139 rule 60/0(match): pass in on ep0: call 33767 seq 6 gre-ppp-payload (gre encap)
Oct 22 15:04:52.876155 rule 60/5(memory): pass in on ep0: call 33767 seq 6 gre-ppp-payload (gre encap)
Oct 22 15:04:56.900652 rule 60/0(match): pass in on ep0: call 33767 seq 7 gre-ppp-payload (gre encap)
Oct 22 15:04:56.900668 rule 60/5(memory): pass in on ep0: call 33767 seq 7 gre-ppp-payload (gre encap)
Oct 22 15:05:00.923469 rule 60/0(match): pass in on ep0: call 33767 seq 8 gre-ppp-payload (gre encap)
Oct 22 15:05:00.923483 rule 60/5(memory): pass in on ep0: call 33767 seq 8 gre-ppp-payload (gre encap)
Oct 22 15:05:04.855125 rule 60/0(match): pass in on ep0: call 33767 seq 9 gre-ppp-payload (gre encap)
Oct 22 15:05:04.855141 rule 60/5(memory): pass in on ep0: call 33767 seq 9 gre-ppp-payload (gre encap)

Thanks,
Will
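Will's pflog capture is the kind of evidence a pf troubleshooter reads by rule number and reason code. As an added example that is not part of this thread, the Python below parses lines in that tcpdump -n -e -ttt -i pflog0 format (the sample lines are copied from the post above, with the poster's 192.168.x.x redaction kept) and tallies, per rule and interface, which of pf's reason codes (match, bad-offset, fragment, short, normalize, memory) each logged packet carried; the protocol guess from tcpdump's payload text is my own assumption.

```python
import re
from collections import Counter, defaultdict
# Constructed sample: pflog lines copied from the post above (tcpdump -n -e -ttt -i pflog0);
# the 192.168.x.x placeholders are the poster's own redaction, kept as-is.
SAMPLE_LOG = """\
Oct 22 15:04:31.750242 rule 52/0(match): pass in on ep0: 64.24.161.62.3017 > 192.168.x.x.1723: S 2746972636:2746972636(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Oct 22 15:04:31.750311 rule 58/0(match): pass out on xl0: 64.24.161.62.3017 > 192.168.x.x.1723: S 2746972636:2746972636(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Oct 22 15:04:32.477322 rule 60/0(match): pass in on ep0: call 33767 seq 0 gre-ppp-payload (gre encap)
Oct 22 15:04:33.788309 rule 60/0(match): pass in on ep0: call 33767 seq 1 gre-ppp-payload (gre encap)
Oct 22 15:04:33.788326 rule 60/5(memory): pass in on ep0: call 33767 seq 1 gre-ppp-payload (gre encap)
Oct 22 15:04:36.795307 rule 60/0(match): pass in on ep0: call 33767 seq 2 gre-ppp-payload (gre encap)
Oct 22 15:04:36.795322 rule 60/5(memory): pass in on ep0: call 33767 seq 2 gre-ppp-payload (gre encap)
"""

# One record: "<timestamp> rule <n>/<code>(<reason>): <action> <dir> on <if>: <packet>"
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/(?P<code>\d+)"
    r"\((?P<reason>[\w-]+)\): (?P<action>pass|block|scrub) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<packet>.*)$"
)

def parse_pflog(text):
    """Parse pflog text into one dict per record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"], rec["code"] = int(rec["rule"]), int(rec["code"])
        # Protocol guess (assumption) from tcpdump's payload text: GRE ends in "(gre encap)",
        # UDP shows "udp <len>", anything else here is TCP (flags and sequence numbers).
        pkt = rec["packet"]
        rec["proto"] = "gre" if "(gre encap)" in pkt else ("udp" if " udp " in pkt else "tcp")
        records.append(rec)
    return records

def summarize(records):
    """Tally reason codes per (rule, interface, direction, proto)."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec["rule"], rec["ifname"], rec["dir"], rec["proto"])][rec["reason"]] += 1
    return dict(summary)

def rules_with_non_match(summary):
    """Rule numbers that logged any reason other than 'match'; these merit a closer look."""
    return sorted({key[0] for key, reasons in summary.items() if any(r != "match" for r in reasons)})

REPORT = summarize(parse_pflog(SAMPLE_LOG))  # tally for the sample above; rule 60 shows match and memory
```

Feed the output of tcpdump -n -e -ttt -i pflog0 on your own box to parse_pflog to get the same per-rule tally.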
Will wrote:

DO NOT MULTIPOST!!!

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
On Thu, 23 Oct 2003 08:53:21 -0500, "Will" <monodactylusRemove@no.spam.for.netzero.u.net> reported to us:

>Hello,
>
> I'm having some trouble getting a WinXP client to connect to a win2k
>vpn server, passing through an OBSD 3.3 box, using pptp. I've attached the
>parts of the pf.conf pertaining to the pass through. Along w/ some info
>from tcpdump. In addition, on the XP client, I am getting a host not
>responding error after it sits for a while trying to verify the username and
>password. On the 2k server using MS network monitor, and filtering for pptp,
>udp, gre packets I am not seeing anything coming from the internal
>interface. Can anyone please point out what I've done wrong?
> <Snip>
>
>Thanks,
>
>Will
>

First of all, does the pptp server work? Can you establish a connection from a win client that is also in the 192.168.x.x network?

Boil down your rules... leave the options out until you have it working, and then build them back up again.

Here are some rules for one of my machines running the same scenario...

rdr on $Ext proto udp from any to $ExtIPa port pptp -> $Brutus_Int port pptp # pptp
rdr on $Ext proto tcp from any to $ExtIPa port pptp -> $Brutus_Int port pptp # pptp
rdr on $Ext proto gre from any to $ExtIPa -> $Brutus_Int # gre for pptp

pass in quick on $Ext proto udp from any to any port pptp keep state
pass in quick on $Ext proto gre from any to any keep state

Those are for 3.4; the syntax has changed from 3.3 for the rdr rule regarding gre. Use the same port declaration that you are currently using.

HTH,
Wally

"No one has ever had an idea in a dress suit."
Sir Frederick G. Banting