DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th September 2009
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts
Default GRE throught OpenBSD 4.5 to 2K3 PPTP vpn

Greeings all, it seems that some completely simple things to do are not that simple. I am attempting to get a PPTP VPN connection from a 2003 server outside my OpenBSD firewall.

The connection to the 2003 server works great and is setup and running fine, my only problem is when i try to access it through my OpenBSD firewall it stalls on "Verifying username and password ......"

I followed the instructions below;

Connecting to a Windows PPTP based VPN through a OpenBSD / PF firewall
To be able to connect to a Windows based PPTP VPN through a OpenBSD firewall you’ll need to make a couple of changes to allow GRE traffic through.
first add the following to /etc/sysctl.conf:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1

then add the following to the filter section in your /etc/pf.conf:
pass in on $ext_if proto gre all keep state
pass out on $ext_if proto gre all keep state

To make the changes effective without having to reboot issue the following as root:

sysctl net.inet.gre.allow=1
sysctl net.inet.gre.wccp=1
sysctl net.inet.mobileip.allow=1
pfctl -f /etc/pf.conf

I also added to my firewall rules;
rdr pass on $EXT proto {tcp,udp} to any port {47,1723} -> in.ternal.ip.addr

Lo and behold it does not work, all i get is the "Verifying username and ...." and there is correct everything in place, it is working fine behind my 2003 box, just won't get past my OpenBSD firewall

I have tried this same setup and more in VM's (with/out patches) and on my production firewall, I have also tried tcp and udp ... the rdr to port 1723 helped, i have also tried udp ports 50? 51? and 500? as per some reading.


ADDED; one of the erros logs from the 2003 server ...

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 9/10/2009
Time: 05:01:00
User: N/A
Computer: pcname
Description:
A connection between the VPN server and the VPN client 1.1.1.5 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Somehow I am still blocking GRE packets/traffic with the above configurations, Suggestions? thx.

Last edited by There0; 10th September 2009 at 11:32 AM. Reason: Added Windoz error logs :)
Reply With Quote
  #2   (View Single Post)  
Old 10th September 2009
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts
Default

In comment to above, i was originally trying to pipe all this junk over an SSH tunnel directly into my network (weaksauce 56bit on MS VPN) and got stuck at the passing through the OpenBSD firewall, coincidentally i am experiencing the exact same problem with piping it over SSH (via Putty tunnel).

I anybody has something similar running I would appreciate some comments, and access to a VM may be possible to hack upon, thx.

Last edited by There0; 10th September 2009 at 12:23 PM.
Reply With Quote
  #3   (View Single Post)  
Old 10th September 2009
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts
Default

Update;

I have also tried enableing the ah and esp options in sysctl with no luck, also interesting is that from behind the OpenBSD firewall as a XPPro client i can connect past it to the 2003 server (inside same network, from a virtual subnet) and i see GRE packets all over (so OpenBSD is sending GRE out fine? by keeping state?)

P.S. I did notice a couple of typo's but it is 6am


Umm I just noticed it's past 7 ...
Reply With Quote
  #4   (View Single Post)  
Old 10th September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts
Default

"Port 47" is not the same as "Protocol 47". See /etc/protocols for a list of all of the strange, weird, odd, and haven't-been-used-in-decades-by-anyone IP protocols. You are already familiar with TCP (protocol 6) and UDP (protocol 17), which are the only two protocols that use ports.

Your need a pass rule for "proto gre" rather than a redirection rule for port 47.

However, AFAIK since no port is involved no redirection rule will apply. I suppose you might route the packets, instead, with route-to.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PPTP Server, no internet connectivity (routing between interfaces?) godfrank FreeBSD Ports and Packages 5 15th April 2009 04:44 PM
Problem with pptp gull OpenBSD General 2 21st January 2009 04:06 PM


All times are GMT. The time now is 12:44 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick