Old 10th September 2009
There0
GRE through OpenBSD 4.5 to 2K3 PPTP VPN

Greetings all, it seems that some completely simple things to do are not that simple. I am attempting to get a PPTP VPN connection from a 2003 server outside my OpenBSD firewall.

The connection to the 2003 server works great and is set up and running fine; my only problem is that when I try to access it through my OpenBSD firewall it stalls on "Verifying username and password ......"

I followed the instructions below:

Connecting to a Windows PPTP based VPN through a OpenBSD / PF firewall
To be able to connect to a Windows based PPTP VPN through an OpenBSD firewall you’ll need to make a couple of changes to allow GRE traffic through.
First add the following to /etc/sysctl.conf:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1

then add the following to the filter section in your /etc/pf.conf:
pass in on $ext_if proto gre all keep state
pass out on $ext_if proto gre all keep state

To make the changes effective without having to reboot issue the following as root:

sysctl net.inet.gre.allow=1
sysctl net.inet.gre.wccp=1
sysctl net.inet.mobileip.allow=1
pfctl -f /etc/pf.conf

I also added to my firewall rules:
rdr pass on $EXT proto {tcp,udp} to any port {47,1723} -> in.ternal.ip.addr

Lo and behold it does not work; all I get is the "Verifying username and ...." and everything is correctly in place. It is working fine behind my 2003 box, it just won't get past my OpenBSD firewall.

I have tried this same setup and more in VMs (with/without patches) and on my production firewall. I have also tried tcp and udp ... the rdr to port 1723 helped; I have also tried udp ports 50? 51? and 500? as per some reading.


ADDED: one of the error logs from the 2003 server ...

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 9/10/2009
Time: 05:01:00
User: N/A
Computer: pcname
Description:
A connection between the VPN server and the VPN client 1.1.1.5 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Somehow I am still blocking GRE packets/traffic with the above configurations. Suggestions? thx.

Last edited by There0; 10th September 2009 at 11:32 AM. Reason: Added Windoz error logs :)
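The pf.conf fragment below is an added example for a PPTP server sitting behind an OpenBSD 4.5 (pre-4.7 pf syntax) firewall; it is not from the post or the quoted guide, and the interface names and the 192.168.1.10 server address are placeholders. The point it illustrates is that PPTP uses two channels: the control channel on TCP port 1723 and the data channel as GRE, which is IP protocol 47 and has no port, so it must be redirected and passed by protocol.

```pf
# Added example, not the poster's rules. Placeholder values:
ext_if = "em0"
int_if = "em1"
vpn_server = "192.168.1.10"

# Translation section (pre-4.7 syntax).
# Outbound NAT for the internal network.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# PPTP control channel: TCP port 1723 to the firewall's external address.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 1723 -> $vpn_server

# PPTP data channel: GRE is IP protocol 47, not a TCP/UDP port,
# so the redirect matches on the protocol alone.
rdr pass on $ext_if proto gre from any to ($ext_if) -> $vpn_server

# Filter section. "rdr pass" already passes the redirected inbound
# packets and creates state; these rules cover the return direction
# and limit GRE to the VPN server rather than "all".
block in on $ext_if
pass out on $ext_if proto gre from $vpn_server to any keep state
pass in on $ext_if proto gre from any to $vpn_server keep state
```

Load it with pfctl -f /etc/pf.conf and, while a client connects, check pfctl -ss for a gre state next to the tcp 1723 state; if only the tcp state appears, the GRE leg is still being dropped.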