Topic: New VPN problems on 5.5 & 5.6 ?

[Brascoe]

Hi there,

I'm having problems with the VPN connection?

It's not working anymore? It has been working great (SME 5.6 after update 4) But suddenly it doesn't?

I have the same problem on SME 5.5u6 and SME 5.6u4 - I'm running Windows XP Pro with SP1 and all the updates installed - Others with same experience?

Cheers

Brascoe

[guestHH]

Yep, same here. But then again it never worked with 5.6U4.

What are the errors you get now ?

[Gary Owen]

XP SP1 with all the updates installed rings alarm bells - I'd advise uninstalling any updates you have had since the VPN worked correctly. Check here for some interesting reading om MS XP patches http://www.theregister.co.uk/content/55/30905.html

[Brascoe]

Gary Owen wrote:
>
> XP SP1 with all the updates installed rings alarm bells - I'd
> advise uninstalling any updates you have had since the VPN
> worked correctly. Check here for some interesting reading om
> MS XP patches
> http://www.theregister.co.uk/content/55/30905.html

I think it could be Microsoft Security Bulletin MS03-013 because, I have one XP machine without this patch (the latest) and there is no problemo with VPN connections?

I Didn't updated that machine (a Laptop for presentations) yet, and now I'm going to disable autoupdate, and send a bill to Bill

Cheers

Brascoe

[Micael]

Intresting....

Micael

[Zenon]

Any more information ? With a 5.6U4 I am able to create the  VPN (quite stable), but impossible to make a Terminal service connection through it ( on a WinXP or a TS 2000 server).

[guestHH]

Zenon,

If you mae a VPN can you access the server-manager through it?

[Gary Owen]

I understand that TS over VPN worked on 5.5 but not 5.6? I use these at the moment but tunnel through a windows machine - which I'm getting rid of.

Do you have port 3389 opened on the firewall? TS uses this.

[Brascoe]

guestHH wrote:
>
> Zenon,
>
> If you mae a VPN can you access the server-manager through it?

I can make access to server-manager through the VPN on 5.5u6 - haven't testet on sme 5.6u4

/ Brascoe

[ryan]

Brascoe,

I have XP pro with all the hotfixes as well.  I have had serious problems with PPTP ever since 5.6 U4  (at U3, the blank 10masq_pptp fix worked great).  

I have 5.6 at home and work.  Today I hooked my laptop up to the cable modem on the internet and had the same issues with PPTP.  This leads me to believe the PPTP problem with U4 is the incoming side.  My problems include error 619, and a lack of traffic going across the link.  Once a link is made, it stays connected until I disconnect it.  Usually, a fresh vpn connection lasts for 10-20 seconds before all incoming packets to my laptop stop.  

An idea....Could I reload SME, restore from backup, then dump the pptpd rpm in U4?  I would then apply the fix that was posted before U4.  Anyone think this will work?

I am also thinking of moving all PPTP accounts to a server only 5.6u4 box.  I will have IPCop forward all vpn calls to the internal LAN.  This will allow 5.6 to do PPTP without having to masquerade.   This sound like a waste time???

I am about to spend hours downgrading serveral servers to 5.5 if I can't get this fixed...people are bitching up a storm about PPTP problems.

ryan

[Martin Trigg]

Brascoe and Ryan,

I suspect I may be experiencing a similar problem. I find that my Win XP laptop fails on first attempt to VPN through a V5.6u4 SME. If I wait 10 minutes and retry it works. Using another Win XP machine (with out all the latest updates) appears to work everytime.

The 10 minute time appears to be related to the masquerading code as highlighted by Charlie Brady in his post:
http://forums.contribs.org/index.php?topic=17207.msg66872#msg66872

I would be interested to hear if your failing XP machines actually work if you wait 10 minutes between attempts. Run iptstate as per Charlie B and wait until GRE times out then retry.

Martin

[Micael]

Martin,

Can you open the server-manager (local) when using PPTP?

Micael

[Martin Trigg]

Micael,

No problems opening server manager on the remote or local machine when using VPN once the connection is successfully established. I specifically point the browser to IP of remote box 192.168.1.1/server-manager.

Martin

[guestHH]

So we have 2 types/symptoms of difficulties;

1. Establishing a VPN at all, once it's there it's stable.
2. Establishing a stable VPN, it's always there but not stable.

Right?

[ryan]

Hsing,

That perfectly explains my vpn problems since the wonderful U4 was applied.

Questions for anyone that cares to answer:

1.  How serious is the PPTP security issue that U4 fixes?  Can anyone exploit the server, or just pptp users that are using vpn?

2.  How is Mitel handling this issue with the commercial version of SME?  Can we purchase a downloadable fix?


I am in the process of moving vpn to a non critical SME box that will run at U3.  This box only handles my webmail, so if it gets attacked, so be it.....I have to get pptp fixed ASAP....even if it takes dumping SME for ISA server.  Slower performance is better than no performance!

ryan