Topic: Help: PPTP VPN from behind SME7rc2 to remote SME7rc2

[jester]

Hello,

I'm trying to establish a VPN (PPTP) from my Mac (OSX) through my SME7rc2 server to a remote SME7rc2 server, but can't seem to get it working.

Both servers are in Server-Gateway mode and the broadband modems are forwarding everything to these servers. I've tried to forward ports 1723(tcp) and 500(udp) to the ip adress of the remote server but this does not work.

I've been reading posts about forwading protocol 47, but that was for SME6 and before i start messing up my servers.... maybe someone got some good advice.


jester.

[JonB]

Jester,

The only port you need to forward for PPTP is 1723 TCP. Port 500 is for IPSEC/IKE.

Protocol 47 is the protocol GRE. If your Broadband router does not support PPTP VPN passthrough then you will never be able to set up a PPTP VPN.

I have come across ADSL routers that claim to be VPN passthrough capable but only allow IPSEC/IKE.

If you can disable the NAT firewall in the router or are able to use bridge mode then you may get lucky.

The answers are in the message logs at the times you tried to connect via the PPTP VPN.

Jon

[jester]

Hi JohnB,

Thanks for your reply! I don't know if that is the case because i used my SME-server in server-only mode and forwarded from my router to the server, this worked just fine. Now i've put it in server-gateway mode (i had 2 nics, just used 1) and am forwarding evertything from this same modem to my server and i can't reach my remote server. The only other thing that has changed is that my remote server was SME6 before now it is 7RC2....

I'll have a look in the messages to see if i find something out of the ordenary.

jester.

[hardijs]

I have not been able to connect to another sme from behind a sme server either 6 or 7.
Could it be so that sme just does not support such thing?

[judgej]

I have not been able to connect to another sme from behind a sme server either 6 or 7.
Could it be so that sme just does not support such thing?

I have varying luck too, and have brought this up in prior discussions. I find it sometimes works, and sometimes does not. Messages in the SME log show that it is rejecting port 47 (GRE) packets, causing the PPTP connection to fail. Why it works sometimes, I'll never really know. Occasionally a reboot of the SME will get it working again. I've also read in some places that forcing an IP change of your PC (or Mac) can also get it working again, for a while.

I work from several sites using a single laptop, and VPN into various other sites. I find that the sites which work or don't work change from week to week. Some weeks I can connect to client A from home, but not from the office. Other weeks to client A from the office, but not from home. Yet other weeks from both, or from neither. That hints the IP address thing may have some truth in it, since there seems to be something that the outgoing SME server 'remembers' about my laptop for a week or so at a time, even after visiting several other locations in between. DHCP is the only thing that it should remember that long.

But yes, it is a definate problem with SME, and is not your router.

-- JJ

[jester]

Could this be worthy of a bug report?!

Only the port forwarding option in the server-manager panel is used for this so that would be a standard SME configuration. I don't know if letting through the protocol 47 (GRE) packet is within the scope of SME.

Also, if i would file a bug report i could only show logs of it not working and not logs of sometimes working.... wich might be more helpful.

Thoughts please,
jester.

[judgej]

Could this be worthy of a bug report?!

Here is the topic I raised on this issue six months ago, conplete with logs:

http://forums.contribs.org/index.php?topic=29401.0

The discussion went right over my head wrt forwarding and stateless sessions and stuff, but you may be able to extract something useful. All I know is that sometimes passing GRE from a PC, through an SME to a remote SME, *does* work about half the time. I just don't know what stops it working the other half of the time.

The VPN options seem to be stuck between a rock and a hard place:

1. Use Microsoft's PPTP, easy to set up on a PC or Mac, but requires GRE ports, which are essentially unreliable through an SME due to its special non-IP protocol. Score: one-nil to Windows.

2. Use IPSec, which is transported over standard TCP/IP ports, so reliable through an SME server, but requires a 20-step setup on MS Windows, involving a dozen security policy screens I never even knew existed in Windows XP until I tried to follow the steps. Score: one-nil to SME.

I am wondering, because PPTP was essentially designed for a single machine to negotiate a connection before exchanging IP information, whether an SME box will support only ONE machine in the internal network passing through protocol 47/GRE?

-- JJ