Koozali.org: home of the SME Server

VPN problem

Offline edform

VPN problem
« Reply #15 on: January 06, 2006, 10:00:57 AM »
Quote from: "CharlieBrady"
Quote
If so could this actual kernel module be buggy?

If that's a possibility, you should be reporting via the bug tracker. However, before you post, be aware that the VPN server in SME is only capable of receiving a single inbound connection from any particular remote IP address. That is, you can't have two clients behind the same NAT router trying to connect at the same time. The connections may succeed, but the encrypted streams will interfere with each other, and neither will work.

The two machines that need to connect are individually attached to their own ADSL connections with separate remote addresses.

I have actually cured the problem, but still have no idea what was going on. I needed to bring this particular server into a condition in which it can be changed over to SME 7 when the time comes, and the PERCII SCSI RAID controller would not allow this, so I fitted a Compaq controller and reloaded 6.0.1 from scratch. It now handles multiple VPNs without so much as a murmur.

Ed Form

RoyS

VPN error 800
« Reply #16 on: January 06, 2006, 10:40:20 AM »
Quote

How is the SME server connected to the internet? As you have 2 NICs in the machine, I assume it's by an ADSL router of some kind - you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


Hi Ed,
At the risk of sounding stupid, how do I open these ports?
Thanks
Roy

Offline edform

Re: VPN error 800
« Reply #17 on: January 06, 2006, 11:02:20 AM »
Quote from: "RoyS"
Quote

How is the SME server connected to the internet? As you have 2 NICs in the machine, I assume it's by an ADSL router of some kind - you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


Hi Ed,
At the risk of sounding stupid, how do I open these ports?
Thanks
Roy


I don't know how it's done in your particular ADSL router, but mine has a configuration section called 'Virtual Server' where I enter the port number I want to open - or forward, strictly speaking. I enter 500 for the public port, 500 for the private port, put a tick in UDP, and give the IP address of the outward facing NIC as the address to forward the port to.

Ed Form

RoyS

VPN error 800
« Reply #18 on: January 06, 2006, 11:08:44 AM »
Hi Ed,

I am using NTL cable modem, and don't have any access to settings. Checked on NTL website and they don't block any ports.
The NTL modem is connected direct to SME box via UTP.

Offline edform

Re: VPN error 800
« Reply #19 on: January 06, 2006, 11:44:09 AM »
Quote from: "RoyS"
I am using NTL cable modem, and don't have any access to settings. Checked on NTL website and they don't block any ports.
The NTL modem is connected direct to SME box via UTP.


I think you have an insoluble problem here. I got rid of the only NTL cable system I've been exposed to, and installed a normal ADSL line for one of my clients, specifically to get round this problem.

The other item that is a problem with an NTL system is that you don't have a fixed IP address, and they won't give you one - I've never tried to use VPN to a Dynamic address system, so I can't really advise you.

Ed Form

RoyS

VPN error 800
« Reply #20 on: January 06, 2006, 03:27:08 PM »
Thanks Ed,
I too am suspicious of NTL, but a friend of mine also has a similar setup with NTL-SME-LAN and his setup works. I am going to try changing DNS providers.
Regards
Roy

Offline CharlieBrady

Re: VPN error 800
« Reply #21 on: January 06, 2006, 04:00:31 PM »
Quote from: "edform"

 you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


That's incorrect. Port 500/UDP is not used for PPTP (it's used for key negotiation for IPsec VPNs). For a PPTP VPN to work, there needs to be a port 1723/TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules, because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).
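The post above makes a point that is easy to get wrong when auditing a firewall: PPTP is two flows, a TCP/1723 control connection plus a GRE data channel, and a router that can only forward TCP/UDP ports can never express the second one. The following script is an added example (not code from this thread or from SME Server) that parses constructed IPv4 packets, classifies each as PPTP control, GRE data, or other, and then checks whether a given inbound rule set would let both PPTP flows through. The rule model, the `Flow`/`Rule` names and the sample packets are all my own assumptions; the addresses are RFC 5737 documentation addresses. It uses 47 for GRE, which is GRE's IANA protocol number (50 is ESP, the IPsec payload protocol), so the number differs from the one quoted in the post.

```python
"""Classify PPTP-related packets and test a NAT rule set against both PPTP flows.
Added example; sample packets are constructed inline, not captured traffic."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PPTP_CONTROL_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47  # IANA number for GRE; 50 is ESP (IPsec), not GRE


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int]  # None for protocols without ports, such as GRE
    dport: Optional[int]


def parse_ipv4(pkt: bytes) -> Flow:
    """Parse an IPv4 header and, for TCP/UDP, the port pair that follows it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Flow(proto, src, dst, sport, dport)


def classify(flow: Flow) -> str:
    """Name the PPTP role of a flow: control channel, GRE data channel, or other."""
    if flow.proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (flow.sport, flow.dport):
        return "pptp-control"
    if flow.proto == IPPROTO_GRE:
        return "pptp-data-gre"
    return "other"


@dataclass(frozen=True)
class Rule:
    """One inbound allow/forward rule (hypothetical model). dport None = any / no ports."""
    proto: int
    dport: Optional[int] = None


def permits(rules: List[Rule], flow: Flow) -> bool:
    """A flow passes if some rule matches its IP protocol and (where relevant) its port."""
    return any(r.proto == flow.proto and r.dport in (None, flow.dport) for r in rules)


def pptp_would_work(rules: List[Rule], flows: List[Flow]) -> bool:
    """PPTP needs both the TCP/1723 control connection and the GRE channel to pass."""
    passed = {classify(f) for f in flows if permits(rules, f)}
    return {"pptp-control", "pptp-data-gre"} <= passed


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed packet: minimal 20-byte IPv4 header, checksum left as zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # documentation addresses, constructed
SAMPLE_PACKETS = [
    # control channel: TCP from an ephemeral port to 1723
    build_ipv4(IPPROTO_TCP, CLIENT, SERVER, struct.pack("!HH", 40001, PPTP_CONTROL_PORT) + b"\0" * 16),
    # data channel: GRE v1 header (K,S flags) carrying PPP (0x880B), no ports at all
    build_ipv4(IPPROTO_GRE, CLIENT, SERVER, b"\x30\x01\x88\x0b" + b"\0" * 4),
    # IKE on UDP/500: IPsec key negotiation, irrelevant to PPTP
    build_ipv4(IPPROTO_UDP, CLIENT, SERVER, struct.pack("!HH", 500, 500) + b"\0" * 4),
]
SAMPLE_FLOWS = [parse_ipv4(p) for p in SAMPLE_PACKETS]

# A router that only forwards TCP/UDP ports versus one that can forward a whole protocol.
PORT_ONLY_RULES = [Rule(IPPROTO_TCP, PPTP_CONTROL_PORT), Rule(IPPROTO_UDP, 500)]
PROTOCOL_AWARE_RULES = [Rule(IPPROTO_TCP, PPTP_CONTROL_PORT), Rule(IPPROTO_GRE)]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} proto={f.proto} dport={f.dport}: {classify(f)}")
    print("port-only router lets PPTP work:", pptp_would_work(PORT_ONLY_RULES, SAMPLE_FLOWS))
    print("protocol-aware router lets PPTP work:", pptp_would_work(PROTOCOL_AWARE_RULES, SAMPLE_FLOWS))
```

The port-only rule set opens TCP/1723 and UDP/500 and still fails, because nothing in it can match a GRE packet; the second rule set passes with no UDP/500 entry at all. The same classifier can be run over real captures taken on each side of the NAT to see which of the two PPTP flows is being dropped.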

Offline edform

Re: VPN error 800
« Reply #22 on: January 06, 2006, 05:29:10 PM »
Quote from: "CharlieBrady"
That's incorrect. Port 500/UDP is not used for PPTP (it's used for key negotiation for IPsec VPNs). For a PPTP VPN to work, there needs to be a port 1723/TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules, because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).


Thanks for that, Charlie. You'd be amazed how much incorrect [and confusing!!!!!!] information there is on the web about the ports needed for the various services. Getting the real skinny from an authority is a bonus.

Ed Form

RoyS

Re: VPN error 800
« Reply #23 on: January 06, 2006, 05:40:21 PM »
Quote from: "CharlieBrady"
Quote from: "edform"

 you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


That's incorrect. Port 500/UDP is not used for PPTP (it's used for key negotiation for IPsec VPNs). For a PPTP VPN to work, there needs to be a port 1723/TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules, because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).


Well Charlie, maybe you can review the last few messages between Ed and me and hopefully give me some advice that will help cure my VPN problem, as I am at a complete loss.

Offline CharlieBrady

Re: VPN error 800
« Reply #24 on: January 06, 2006, 05:48:10 PM »
Quote from: "edform"

Thanks for that, Charlie. You'd be amazed how much incorrect [and confusing!!!!!!] information there is on the web about the ports needed for the various services. Getting the real skinny from an authority is a bonus.


I'm only an authority on my intentions in code I've written and other opinions I hold. Anything else I post is just based on research. I usually make efforts to verify before posting advice here.

PPTP is defined here http://www.faqs.org/rfcs/rfc2637.html. Unfortunately it's rather poorly written, and isn't as clear as it should be. Case in point: it requires call ids to be unique to a particular tunnel, but it doesn't define what constitutes a tunnel.