Koozali.org: home of the SME Server

[vpn/pptp] tried everything, still doesn't work

Anonymous

[vpn/pptp] tried everything, still doesn't work
« on: May 23, 2004, 01:51:58 AM »
I know this problem has come across the forum a thousand times, but I was unable to track down all the information about it, since the search engine does not allow search queries shorter than or equal to three characters (VPN, GRE, 47 ...). :-(

After searching the internet for several days and long, very long nights for information concerning gre-47/pptp, I decided to post a message.
This is my setup:

router=Mitel SME 6.0.1-01 fresh install. LAN: 192.168.1.1
WAN: 217.a.b.c

Client=WinXp Pro patched, no firewall.  192.168.1.9 (Static IP)

VPN server: A remote server. 130.x.y.z

so it looks like this:
[client] -> [e-smith router + e-smith firewall] -> [VPN Server]

I previously used E-Smith 5.5 as router + firewall and a pptp vpn worked like a charm, without configuring *anything* at all on the router.

After the server got hacked I decided to install an up to date E-smith version, formatting the previously 5.5 installation.

The problem is that GRE-47 won't get past the e-smith firewall. I have literally tried everything I've found on the internet and on this forum, but still no luck. At the client side it hangs at the "verifying username and password" message, and eventually gives me a 619 error (the port could not be connected).

I used

    tcpdump -n -i eth0 'proto 47 or port 1723'

to monitor protocol 47 and port 1723:

This is the output when I try to start a VPN session at the client side:

    <crap>
    01:07:28.752357 192.168.1.9 > 130.x.y.z: gre-proto-0x880B (gre encap)
    ^-several times....
    ->Client gives a 619 error.
    <crap>


What is going wrong? I forwarded port 1723 (TCP) and 47 (UDP) to the client IP.
While searching the internet I found commands like

    # iptables -A INPUT -p 47 -j ACCEPT
    # iptables -A OUTPUT -p 47 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0.0.0.0/0 --source-port 1723 -j ACCEPT
    # iptables -A FORWARD -p 47 -m state --state NEW -i eth1 -j ACCEPT

When I execute commands like the above, do I have to restart iptables or something to make sure the changes take effect? I know a little bit of Linux and I have enough knowledge of networks, but I simply do not know how to solve this problem. I think this problem can be solved with the correct iptables commands.

Any help would be greatly appreciated, since it's driving me crazy.

Thanks in advance,

Arjen

btw.
I also tried the ipfwd tool which was suggested in another post on this forum, but when I use
rpm -i <thing.rpm> it fails with a warning about a glibc.so.5 dependency.

Anonymous

[vpn/pptp] tried everything, still doesn't work
« Reply #1 on: May 23, 2004, 02:29:40 PM »
OK, I found a solution:

Use this command to monitor port 47:

    tcpdump -n -i eth0 'proto 47 or port 1723'

*This line seems to be very important*

    # iptables -A eth1-in --protocol 47 -i eth1 -j ACCEPT

    # iptables -t nat -A PREROUTING -i eth1 --protocol 47 -j DNAT --to 192.168.1.9
    # iptables -A FORWARD -p 47 -m state --state NEW -i eth1 -j ACCEPT
    # iptables -A INPUT -p 47 -j ACCEPT
    # iptables -A OUTPUT -p 47 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0.0.0.0/0 --source-port 1723 -j ACCEPT
    # iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --destination-port 1723 -j ACCEPT
    # iptables -A FORWARD -p tcp --dport 1723 -m state --state NEW -i eth1 -j ACCEPT

Forward the following ports to the client PC using the web interface server-manager:
udp 500
udp 47
tcp 50
tcp 1723


Hope this helps someone.

greetings,

Arjen

btw. I've absolutely no idea what all the commands do exactly; it's just a mixup of information I found on several message boards :-D
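A note on the rule set in the reply above, with an added example that is not code from the post or from SME Server. Several of the rules are redundant, and the port-forward list mixes IP protocol numbers with port numbers: GRE is IP protocol 47 and ESP is IP protocol 50, not UDP or TCP ports, so a "udp 47" or "tcp 50" forward never matches a single packet, and UDP 500 (IKE) belongs to IPsec, not PPTP. A PPTP session is exactly two things, a TCP/1723 control connection and a GRE stream, and the script below passes both for one inside client through a plain iptables NAT router. It assumes the names from the post (WAN interface eth1, LAN interface eth0, client 192.168.1.9), assumes the router already masquerades the LAN, and uses a static DNAT of inbound GRE to the client instead of a connection-tracking helper. By default it only prints the commands; DRY_RUN=0 executes them and must run as root.

```shell
#!/bin/sh
# Added example (not from the Koozali post): PPTP pass-through for ONE inside
# client behind a Linux NAT router.  Assumed names, change to match your box:
# WAN interface eth1, LAN interface eth0, PPTP client 192.168.1.9.
# Default is a dry run that prints the commands; DRY_RUN=0 applies them (root).

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# GRE is IP protocol 47, not a TCP/UDP port, so it is matched with "-p 47"
# (or "-p gre"); a port forward for "udp 47" never sees it.
pptp_passthrough_rules() {
    wan="$1"; lan="$2"; client="$3"

    # Control channel: the client opens TCP/1723 outbound ...
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$client" -p tcp --dport 1723 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and the VPN server's replies come back on it.
    run iptables -A FORWARD -i "$wan" -o "$lan" -d "$client" -p tcp --sport 1723 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Data channel out: GRE from the client to the VPN server (masqueraded by
    # the router's existing NAT, which this script assumes is already set up).
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$client" -p 47 -j ACCEPT

    # Data channel back: the VPN server sends GRE to the router's WAN address.
    # Without a PPTP connection-tracking helper the kernel cannot tell which
    # inside host that stream belongs to, so hand every inbound GRE packet to
    # the single PPTP client.  After this DNAT the packet traverses FORWARD,
    # not INPUT, which is why no INPUT rule for protocol 47 is needed here.
    run iptables -t nat -A PREROUTING -i "$wan" -p 47 -j DNAT --to-destination "$client"
    run iptables -A FORWARD -i "$wan" -o "$lan" -d "$client" -p 47 -j ACCEPT
}

# Watch both halves of the session on the WAN side while the client dials:
# you should see TCP/1723 in both directions, GRE out, and GRE back in.
pptp_watch() {
    run tcpdump -n -i "$1" 'proto 47 or port 1723'
}

# Usage: sh pptp_passthrough.sh [wan_if] [lan_if] [client_ip]
pptp_passthrough_rules "${1:-eth1}" "${2:-eth0}" "${3:-192.168.1.9}"
```

Two practical caveats. The static DNAT serves exactly one client; a second inside host dialing PPTP at the same time would have its GRE stream misdelivered. Kernels that ship the PPTP helpers (nf_conntrack_pptp and nf_nat_pptp on 2.6 and later) track the GRE call IDs negotiated over TCP/1723 and map each stream back to the right inside host, so with those modules loaded the DNAT line is unnecessary and several clients can dial at once. And rules added with iptables by hand are in effect immediately but are not saved: on SME Server the firewall is regenerated from templates, so a hand-typed rule disappears at the next reboot or masq restart unless it is placed in a custom template fragment.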