Topic: New VPN problems on 5.5 & 5.6 ?

[Brascoe]

Hi there,

I'm having problems with the VPN connection?

It's not working anymore? It has been working great (SME 5.6 after update 4) But suddenly it doesn't?

I have the same problem on SME 5.5u6 and SME 5.6u4 - I'm running Windows XP Pro with SP1 and all the updates installed - Others with same experience?

Cheers

Brascoe

[guestHH]

Yep, same here. But then again it never worked with 5.6U4.

What are the errors you get now ?

[Gary Owen]

XP SP1 with all the updates installed rings alarm bells - I'd advise uninstalling any updates you have had since the VPN worked correctly. Check here for some interesting reading om MS XP patches http://www.theregister.co.uk/content/55/30905.html

[Brascoe]

Gary Owen wrote:
>
> XP SP1 with all the updates installed rings alarm bells - I'd
> advise uninstalling any updates you have had since the VPN
> worked correctly. Check here for some interesting reading om
> MS XP patches
> http://www.theregister.co.uk/content/55/30905.html

I think it could be Microsoft Security Bulletin MS03-013 because, I have one XP machine without this patch (the latest) and there is no problemo with VPN connections?

I Didn't updated that machine (a Laptop for presentations) yet, and now I'm going to disable autoupdate, and send a bill to Bill

Cheers

Brascoe

[Micael]

Intresting....

Micael

[Zenon]

Any more information ? With a 5.6U4 I am able to create the  VPN (quite stable), but impossible to make a Terminal service connection through it ( on a WinXP or a TS 2000 server).

[guestHH]

Zenon,

If you mae a VPN can you access the server-manager through it?

[Gary Owen]

I understand that TS over VPN worked on 5.5 but not 5.6? I use these at the moment but tunnel through a windows machine - which I'm getting rid of.

Do you have port 3389 opened on the firewall? TS uses this.

[Brascoe]

guestHH wrote:
>
> Zenon,
>
> If you mae a VPN can you access the server-manager through it?

I can make access to server-manager through the VPN on 5.5u6 - haven't testet on sme 5.6u4

/ Brascoe

[ryan]

Brascoe,

I have XP pro with all the hotfixes as well.  I have had serious problems with PPTP ever since 5.6 U4  (at U3, the blank 10masq_pptp fix worked great).  

I have 5.6 at home and work.  Today I hooked my laptop up to the cable modem on the internet and had the same issues with PPTP.  This leads me to believe the PPTP problem with U4 is the incoming side.  My problems include error 619, and a lack of traffic going across the link.  Once a link is made, it stays connected until I disconnect it.  Usually, a fresh vpn connection lasts for 10-20 seconds before all incoming packets to my laptop stop.  

An idea....Could I reload SME, restore from backup, then dump the pptpd rpm in U4?  I would then apply the fix that was posted before U4.  Anyone think this will work?

I am also thinking of moving all PPTP accounts to a server only 5.6u4 box.  I will have IPCop forward all vpn calls to the internal LAN.  This will allow 5.6 to do PPTP without having to masquerade.   This sound like a waste time???

I am about to spend hours downgrading serveral servers to 5.5 if I can't get this fixed...people are bitching up a storm about PPTP problems.

ryan

[Martin Trigg]

Brascoe and Ryan,

I suspect I may be experiencing a similar problem. I find that my Win XP laptop fails on first attempt to VPN through a V5.6u4 SME. If I wait 10 minutes and retry it works. Using another Win XP machine (with out all the latest updates) appears to work everytime.

The 10 minute time appears to be related to the masquerading code as highlighted by Charlie Brady in his post:
http://forums.contribs.org/index.php?topic=17207.msg66872#msg66872

I would be interested to hear if your failing XP machines actually work if you wait 10 minutes between attempts. Run iptstate as per Charlie B and wait until GRE times out then retry.

Martin

[Micael]

Martin,

Can you open the server-manager (local) when using PPTP?

Micael

[Martin Trigg]

Micael,

No problems opening server manager on the remote or local machine when using VPN once the connection is successfully established. I specifically point the browser to IP of remote box 192.168.1.1/server-manager.

Martin

[guestHH]

So we have 2 types/symptoms of difficulties;

1. Establishing a VPN at all, once it's there it's stable.
2. Establishing a stable VPN, it's always there but not stable.

Right?

[ryan]

Hsing,

That perfectly explains my vpn problems since the wonderful U4 was applied.

Questions for anyone that cares to answer:

1.  How serious is the PPTP security issue that U4 fixes?  Can anyone exploit the server, or just pptp users that are using vpn?

2.  How is Mitel handling this issue with the commercial version of SME?  Can we purchase a downloadable fix?


I am in the process of moving vpn to a non critical SME box that will run at U3.  This box only handles my webmail, so if it gets attacked, so be it.....I have to get pptp fixed ASAP....even if it takes dumping SME for ISA server.  Slower performance is better than no performance!

ryan

[Brascoe]

ryan wrote:
>
> 2.  How is Mitel handling this issue with the commercial
> version of SME?  Can we purchase a downloadable fix?
>
I think it's a no go, if you aren't situated in Mitel's backyard. I've tried to become a customer for almost a year in my company - with no success at all. I'd filled out their form on the webpage twice, and has contacted their UK office on mail and telephone, but it's impossible to have prices for their Mitel Networks 6000 Managed Application Server - I ended up purchasing a Dell PowerEdge server and put on the SME 5.6u4 - sad as I would like to support the beautiful work the have done for all us with a home network.

Any how, after removing the last Windows XP update, my VPN connections work perfect.

Don't know why, but it works.

./Brascoe
P.s. I'm living in Denmark - far away from a Mitel sales outlet. (I asked in 7-Eleven, didn't work)

[ryan]

Brascoe,

Thanks for the reply.  Could you reference the Q number for the hotfix you removed from XP?

Thanks,

RS

[Brascoe]

ryan wrote:
>
> Brascoe,
>
> Thanks for the reply.  Could you reference the Q number for
> the hotfix you removed from XP?

Hi Ryan,

I Removed 818529 & 811493 And it still works.

Cheers.

Brascoe

[Dan York]

Brascoe,

> I've tried to become a customer for almost a year in my company - with
> no success at all. I'd filled out their form on the webpage twice, and has
> contacted their UK office on mail and telephone,

I'm sorry that no one contacted you.  When this was brought to my attention last week I forwarded the matter to our staff in our EMEA office who in turn did contact the person responsible for sales in Denmark. I've seen a reply from her this morning, so you should be contacted soon.

> sad as I would like to support the beautiful work the have done for all us with
> a home network

And we would love that support.  

Dan

[Martin Trigg]

After seeing Brascoe's post regarding removing MS updates 818529 & 811493, I decided to do some testing.

Firstly I found that my laptop, which has problems connecting via VPN the first time, did not have either patch installed.

So I proceeded to install all outstanding critical updates via Windows Update page. The following updates were applied:

818259, June 2003, IE6 SP1 Cumulative Patch
Q811114, Security Update Win XP
811493, Security Update Win XP
Q815021, Security Update Win XP
817787, Security Update Win Media Player Win XP

I then carried out some tests establishing VPN connections to a remote SME server and on every occassion the connection established first time. Prior to applying all of the above patches, I could not connect on the first attempt and I had to wait 10 minutes for SME to time out before getting a successful connection on the second attempt.

Now it was time to break it and see which particular patch fixed it. I found that if I removed patch 811493 the problem returned. I reinstalled 811493 and the problem disappeared.

Upon searching the Microsoft Knowledge base I found that MS released an updated patch for article 811493 on May 28, 2003. I suspect this is why Brascoe's version is still broken and the latest version I installed today actually fixes my problem.
See http://support.microsoft.com/default.aspx?scid=kb;EN-US;811493

In my case at least, it appears the VPN issues of V5.6 have been a combination of SME and MS, Mitel fixed their part with Update 4 and MS with 811493 May 28 release. This may explain the differing results people have been having with V5.6.

I hope the above info is of use to people and would be interested to hear feedback from others.

Martin

[ryan]

Martin,

Thank you for posting your findings.  Thanks for taking the time to figure that out.  I am no longer using auto update....I will use windowsupdate every so often and not install anything released within a couple of days.  

Q811493 reinstall has fixed my vpn issues.  It is like having 5.1.2 again!  FAST!  Thanks again for posting.

ryan

[guestHH]

Thanks for the pointers Martin. Unfortuantely it didn't help me.

Regards,
guestHH

[Micael]

I installed the updated Q811493 but the problem remain.
I removed Q811493 and this didn't help either.

Regards,

Micael

[Micael]

BTW
Has someone tried from a diffrent OS, like Redhat, etc?

Regards,

Micael

[George]

Micael wrote:
 
> BTW
> Has someone tried from a diffrent OS, like Redhat, etc?

RedHat doesn't have any PPTP support.

G

[Micael]

There is a client (not Redhat)
http://pptpclient.sourceforge.net/

Regards,

Micael

[Dan York]

Martin,

Many thanks for posting your information!

Dan

[Micael]

Today I did a test from an Win2000 prof SP3 and it worked perfectly. So it is something with XP that mess things up. I have tried to install and remove MS updates but nothing works.

I found this bug on Poptops developer site
http://sourceforge.net/tracker/index.php?func=detail&aid=676964&group_id=44827&atid=441003

regards,

Micael