GRE through OpenBSD 4.5 to 2K3 PPTP VPN

Greetings all, it seems that some completely simple things to do are not that simple. I am attempting to get a PPTP VPN connection from a 2003 server outside my OpenBSD firewall.

The connection to the 2003 server works great and is set up and running fine; my only problem is that when I try to access it through my OpenBSD firewall it stalls on "Verifying username and password ......". I followed the instructions below:

Connecting to a Windows PPTP based VPN through an OpenBSD / PF firewall

To be able to connect to a Windows based PPTP VPN through an OpenBSD firewall you'll need to make a couple of changes to allow GRE traffic through. First add the following to /etc/sysctl.conf:

    net.inet.gre.allow=1
    net.inet.gre.wccp=1
    net.inet.mobileip.allow=1

Then add the following to the filter section in your /etc/pf.conf:

    pass in on $ext_if proto gre all keep state
    pass out on $ext_if proto gre all keep state

To make the changes effective without having to reboot, issue the following as root:

    sysctl net.inet.gre.allow=1
    sysctl net.inet.gre.wccp=1
    sysctl net.inet.mobileip.allow=1
    pfctl -f /etc/pf.conf

I also added to my firewall rules:

    rdr pass on $EXT proto {tcp,udp} to any port {47,1723} -> in.ternal.ip.addr

Lo and behold it does not work; all I get is the "Verifying username and ...." and everything is correctly in place. It is working fine behind my 2003 box, it just won't get past my OpenBSD firewall.

I have tried this same setup and more in VMs (with/without patches) and on my production firewall. I have also tried tcp and udp ... the rdr to port 1723 helped; I have also tried udp ports 50? 51? and 500? as per some reading.

ADDED: one of the error logs from the 2003 server ...

    Event Type: Warning
    Event Source: Rasman
    Event Category: None
    Event ID: 20209
    Date: 9/10/2009
    Time: 05:01:00
    User: N/A
    Computer: pcname
    Description: A connection between the VPN server and the VPN client 1.1.1.5 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).
    Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Somehow I am still blocking GRE packets/traffic with the above configurations. Suggestions? thx.

Last edited by There0; 10th September 2009 at 11:32 AM. Reason: Added Windoz error logs :)
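As an added illustration (not from this thread or from the OpenBSD project) of how the redirect described in the post above looks when GRE is treated as an IP protocol rather than a port, here is a pf.conf fragment in the OpenBSD 4.5-era rdr syntax; the macro names and the server address are assumed.

```pf
# Added example, pf.conf in OpenBSD 4.5 rdr syntax. Macro names are assumed;
# 192.0.2.10 is a constructed placeholder for the Windows 2003 PPTP server.
ext_if  = "em0"
int_if  = "em1"
vpn_srv = "192.0.2.10"

# PPTP control channel: TCP port 1723 arriving at the firewall's external
# address is forwarded to the server. State is kept by default on pass rules.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 1723 -> $vpn_srv port 1723

# PPTP data channel: GRE is IP protocol 47, not a TCP or UDP port, so the
# redirect uses "proto gre" and carries no port clause at all. Where the remote
# client address is fixed, replace "from any" with that address to narrow what
# the rule exposes.
rdr pass on $ext_if proto gre from any to ($ext_if) -> $vpn_srv

# With a default "block" policy, the redirected traffic must also be allowed
# out of the internal interface towards the server; replies ride the state.
pass out on $int_if proto tcp from any to $vpn_srv port 1723
pass out on $int_if proto gre from any to $vpn_srv
```

A `port 47` clause on a tcp/udp rule never matches GRE, since GRE has no ports; forwarded GRE also never reaches the firewall's own gre(4) input path, so the net.inet.gre sysctls matter only when the firewall itself terminates GRE, while forwarding needs net.inet.ip.forwarding=1.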
In comment to the above, I was originally trying to pipe all this junk over an SSH tunnel directly into my network (weaksauce 56-bit on MS VPN) and got stuck at passing through the OpenBSD firewall; coincidentally I am experiencing the exact same problem with piping it over SSH (via PuTTY tunnel).

If anybody has something similar running I would appreciate some comments, and access to a VM may be possible to hack upon, thx.

Last edited by There0; 10th September 2009 at 12:23 PM.
Update:

I have also tried enabling the ah and esp options in sysctl with no luck. Also interesting is that from behind the OpenBSD firewall, as an XP Pro client, I can connect past it to the 2003 server (inside the same network, from a virtual subnet) and I see GRE packets all over (so OpenBSD is sending GRE out fine? by keeping state?)

P.S. I did notice a couple of typos but it is 6am. Umm, I just noticed it's past 7 ...