PPTP and GRE Protocol passthrough (NOT SOLVED)


(DuNdi) #1

NethServer Version: your_version
Module: your_module

System version
NethServer release 6.10 (Final)
Kernel version
2.6.32-754.9.1.el6.x86_64

Hi team, in our company we have a NethServer box, see pic:

I want to configure winzoz pptp passthrough for protocol GRE.

I have tested from a client; after connecting, the error is:
“LCP: timeout sending Config-Requests”

How can I set up GRE protocol passthrough?

I have read some posts, but no one explains how to set up this protocol for winzoz.

PLS help me!

Thanks in advance,
regard,

DundiDu


(HF) #2

Not really an answer but more a hint: you do know that PPTP is to be considered insecure and that other VPN solutions should be considered?


(DuNdi) #3

Hi LayLow, thanks for your answer; PPTP is a temporary solution for a server test.
Can anyone help me with the GRE protocol?
Thanks in advance,

Regards,
SGOLASTRA


(HF) #4

Try forwarding port 1723 UDP


(DuNdi) #5

Hi LayLow, thanks a lot for your answer, I have just set up the port forward in this mode:

Protocol ORIGIN PORT HOST DEST PORT DEST

TCP,UDP 1723 server01 1723 host role_ffwd_pptp

Does anyone have another suggestion?

Thanks in advance,

Sgolastra


(HF) #6

For testing, forward UDP and TCP ports 1723 and 47


(Filippo Carletti) #7

Rough untested idea: add something like the following to /etc/shorewall/started:

iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to-destination 192.168.0.1

(Markus Neuberger) #8

Here is some info about shorewall and PPTP:

http://shorewall.org/PPTP.htm#ServerBehind


(DuNdi) #9

Hi @filippo_carletti, thanks for your reply, this command is only for eth0, right?

NethServer has this config:
green: eth0 ip 192.168.0.1
red: eth1 ip 127.0.0.1

the command FOR GREEN is:

iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to-destination 192.168.0.1

the command FOR RED is:

iptables -t nat -A PREROUTING -i eth1 -p gre -j DNAT --to-destination 127.0.0.1

something is missing, for example the inverse command, do you understand?

Regards,
Sgolastra.

(DuNdi) #10

Hi @LayLow, thank you for your reply; in the past I have tried the configuration suggested by you, but it does not work like that. However, thanks for your help, thank you very much.

Sgolastra


(DuNdi) #11

Hi @mrmarkuz, thank you for the reply ;-), I have read it and tested with reference to the page section “PPTP Server Running Behind your Firewall”.

My network, as an example:
green eth0 with IP address 192.1.1.1 and alias IP 192.3.3.1
red eth1 192.0.0.1
winzoz PPTP test server is: 192.3.3.100
external IP: 127.0.0.1

I have set it up in this mode:
/etc/shorewall/rules:

#######################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP

#SECTION ALL

SECTION ESTABLISHED

?SECTION ESTABLISHED
DNAT net loc:192.3.3.100 tcp 1723 - 127.0.0.1
DNAT net loc:192.3.3.100 47 - - 127.0.0.1

SECTION RELATED

?SECTION RELATED

SECTION NEW

?SECTION NEW

when I restart the shorewall service the error is:

Starting shorewall: ERROR: NAT rules are only allowed in the NEW section /etc/shorewall/rules (line 29)
[FAILED]
:frowning: can you help me please?

Thanks in advance,

Sgolastra.


(DuNdi) #12

Oops :slight_smile: as soon as I posted I noticed the error, and now I understand; now I test :wink:


(DuNdi) #13

Hi @mrmarkuz, I just tested in this mode…

Scenario:
green eth0 with IP address 192.1.1.1 and alias IP 192.3.3.1
red eth1 192.0.0.1
winzoz PPTP test server is: 192.3.3.100
external IP: 127.0.0.1

/etc/shorewall/rules :
#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:192.3.3.100 tcp 1723
DNAT net loc:192.3.3.100 47

in /etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS PROTO
eth0 192.3.3.0/24 192.0.0.1 47

the service restarts correctly, but when I try to connect with the PPTP VPN client, the error is:

2019-01-15 15:20:50 Using interface ppp0
2019-01-15 15:20:50 Connect: ppp0 <--> socket[34:17]
2019-01-15 15:20:54 PPTP port-mapping for en1, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 0, Public Port: 0, TTL: 0.
2019-01-15 15:20:54 PPTP port-mapping for en1 inconsistent. is Connected: 1, Previous interface: 4, Current interface 0
2019-01-15 15:21:22 LCP: timeout sending Config-Requests
2019-01-15 15:21:22 Connection terminated.
2019-01-15 15:21:22 PPTP disconnecting...
2019-01-15 15:21:22 PPTP clearing port-mapping for en1
2019-01-15 15:21:22 PPTP disconnected

Where am I wrong?

Thanks,
Regard,

Daniele
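A small check over rules files like the ones in posts #11 and #13, as an added example that is not the poster's or NethServer's code: it flags a DNAT outside the NEW section (the shorewall error posted above) and a tcp/1723 forward with no matching protocol 47 (GRE) forward, one cause of the LCP timeout. The sample file is constructed from the masked addresses in the thread.

```python
"""Added example (not from the thread): a lint for /etc/shorewall/rules that
flags DNAT/REDIRECT outside the NEW section (the exact shorewall error posted
above) and a tcp/1723 DNAT with no protocol 47 (GRE) DNAT to the same host."""
import re

NAT_ACTIONS = {"DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}
SECTION_RE = re.compile(r"^\??SECTION\s+(\S+)", re.IGNORECASE)


def lint_rules(text):
    """Return a list of (line_no, message) for problems found in the file."""
    problems = []
    section = "NEW"      # a file with no SECTION lines behaves as all-NEW
    pptp_ctrl = {}       # DNAT dest -> line no. of its tcp/1723 rule
    gre_hosts = set()    # DNAT dests that also receive protocol 47 (GRE)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        cols = line.split()
        action = cols[0].split(":")[0].upper()  # 'DNAT:info' -> 'DNAT'
        if action not in NAT_ACTIONS or len(cols) < 4:
            continue
        if section != "NEW":
            problems.append((no, f"NAT rule in {section} section: NAT rules "
                                 "are only allowed in the NEW section"))
        dest, proto = cols[2], cols[3].lower()
        port = cols[4] if len(cols) > 4 else "-"
        if proto == "tcp" and port == "1723":
            pptp_ctrl[dest] = no
        elif proto in ("47", "gre"):
            gre_hosts.add(dest)
    for dest, no in pptp_ctrl.items():
        if dest not in gre_hosts:
            problems.append((no, f"tcp/1723 forwarded to {dest} but no DNAT "
                                 "for protocol 47 (GRE) to the same host"))
    return problems


# Constructed sample: the poster's failing file (masked addresses as posted).
BROKEN = """?SECTION ESTABLISHED
DNAT net loc:192.3.3.100 tcp 1723 - 127.0.0.1
DNAT net loc:192.3.3.100 47 - - 127.0.0.1
?SECTION NEW
"""
```

Running `lint_rules(BROKEN)` reports both DNAT lines as being in the ESTABLISHED section; the corrected two-line file from post #13 reports nothing.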


(Markus Neuberger) #14

Is there a typo, you commented out the eth0 line?

Could it be that you need a static route on your nethserver for network 192.3.3.0 to your internal pptp server address?

Did you mask the addresses to keep them secret? External IP is 127.0.0.1?


(DuNdi) #15

It is a typo.

I have masked the addresses :+1:

Thanks for your support @mrmarkuz :wink:

regards,

Sgolastra


(Markus Neuberger) #16

Does it work now?

You may need custom templates to make the changes to shorewall config permanent.


(DuNdi) #17

Hi @mrmarkuz, no, the error is the same as in my previous post:
the service restarts correctly, but when I try to connect with the PPTP VPN client, the error is:

2019-01-15 15:20:50 Using interface ppp0
2019-01-15 15:20:50 Connect: ppp0 <--> socket[34:17]
2019-01-15 15:20:54 PPTP port-mapping for en1, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 0, Public Port: 0, TTL: 0.
2019-01-15 15:20:54 PPTP port-mapping for en1 inconsistent. is Connected: 1, Previous interface: 4, Current interface 0
2019-01-15 15:21:22 LCP: timeout sending Config-Requests
2019-01-15 15:21:22 Connection terminated.
2019-01-15 15:21:22 PPTP disconnecting...
2019-01-15 15:21:22 PPTP clearing port-mapping for en1
2019-01-15 15:21:22 PPTP disconnected

:face_with_raised_eyebrow:

Thanks,
regards,
SGOLASTRA


(Markus Neuberger) #18

Here is some information for diagnosing the problem; it seems GRE is not handled correctly:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lcp_timeout


(HF) #19

FYI http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html


(Michael Kicks) #20

Couldn't L2TP or OpenVPN be used as alternatives for Windows?