Topic: VPN out from SME network troubles

[haymann]

Hi all,
I am having trouble VPN(ing) to another network from my SME network while using Windows XP VPN connection. It will connect with the remote server and then will hang for several seconds while validating username/password. Then eventually it will fail (I wrote the error down, but forgot to bring it to work w/ me...). Now if I use the Cisco VPN client I can connect just fine. I found this post that is kind of similar to my situation, but I am not trying to connect to another SME network.

I have tried connecting when I have a user setup to have VPN access into my SME network (I read that will open port 1723). I have tried w/out having any uses allowed to have VPN access into my SME network. And I have tried w/out having any uses allowed to have VPN access into my SME network, and manually forwarding port 1723 to my XP machine.

Am I missing something obvious? I confess that I don't know what logs that I should check for errors. In the messages log I can see that I changed port forwarding rules, but there don't seem to be any entries created when I try to initiate a VPN session.
Thank you,
Ryan

[kruhm]

I'm guessing you are running server-gateway?
Are you double-firewalled? (another router infront of sme?)
Have you turned on the firewall logs and looked at them?
(http://no.longer.valid/phpwiki/index.php/SecurityFAQ#firewall3)

[mmccarn]

I had the same problem after installing "Microsoft Live OneCare"... but only one one of two systems!

On the failing system I had to open OneCare, go to "View or Change Settings", "Firewall", "Advanced Settings", "Ports and Protocols", and create a custom entry as follows:

Name: PPTP-GRE
Other:    Protocol Number: 47
Direction: Both
Scope: Internet

If you have never seen a PPTP connection work to the specific destination you are attempting to reach, the problem could be that IP Protocol 47 is being blocked at the other end - this will cause the connection to stall after the username/password dialogue...

[haymann]

Sorry, been away for awhile...

I'm guessing you are running server-gateway?

Yes, I should have mentioned that.

Are you double-firewalled?

No, first thing off the modem.

Have you turned on the firewall logs and looked at them?

I followed the link you included, thanks. Now I just don't know what log to look at...

I had the same problem after installing "Microsoft Live OneCare"

I don't have that installed, but I did disable the Windows firewall, even though it has always worked before.

If you have never seen a PPTP connection work to the specific destination you are attempting to reach, the problem could be that IP Protocol 47 is being blocked at the other end

It has worked before, just not since I put in my SME server as the server-gateway.

I can still use the Cisco client, but I would like to use the Windows one as it is readily available.
Thanks,
Ryan

[mmccarn]

I could not find any log files affected by establishing a PPTP connection - even after running /sbin/e-smith/db configuration setprop masq Logging all.

I was able to generate comprehensive logs of the handshaking using "iptraf" (use Putty to connect, start "iptraf", select cOnfigure, press "L" to turn Logging ON if it is OFF, accept the default log file name - probably /var/log/iptraf/ip_traffic-1.log - then monitor all interfaces while you attempt to establish a connection)

I once heard that PPTP connections are supposed to have trouble if the MTU of any link between the two systems is too small - you might want to check your MTU.  My system connects using PPPoE; I have the following MTUs:
eth0: 1500
eth1: 1500
ppp0: 1492

Is this a "virgin" system, or do you have other contribs loaded?  I've used SMEs pretty extensively over the last 3 years or so - v6.01, v6.5, v7beta2 through 7.0rc3 - and haven't had any trouble making VPN connections out from my networks... (except for the OneCare issue I've already mentioned!)

If you want it I'll send you my "iptraf" log - but it's a bit messy to post here!  I do notice that after I initiate the connection there is traffic flowing both ways on port 1723 - from my system to the remote PPTP server, and from the remote server back to my workstation.  

I do *not* have any "port forwarding" rules for port 1723.

I *do* have my SME server setup as a VPN server (I like VPNs - I always set them up to support remote VPN connections).

Another  possibility: is the *local network* number at the remote end the same as at the workstation end, or the same as the WAN IP on the SME server?  That is - if you *could* connect, would the VPN IP address be in a subnet that already exists in the SME server's routing table?  This could cause problems...

To be more concrete:
SME LAN: 192.168.200.x
SME WAN: 71.246.xxx.yyy
Remote Public IP: 72.244.ccc.ddd
Remote LAN: 192.168.123.x

If my "Remote LAN" was on the 71.246.xxx. network, or on the 192.168.200. network, PPTP would not work.

Good luck; keep us posted!

[haymann]

Is this a "virgin" system, or do you have other contribs loaded?

I do have a few contribs installed: sme7admin; SARG; login script; and phpmyadmin.

Another possibility: is the *local network* number at the remote end the same as at the workstation end, or the same as the WAN IP on the SME server? That is - if you *could* connect, would the VPN IP address be in a subnet that already exists in the SME server's routing table? This could cause problems...

No, they different...
I did realize that that the the Cisco connection that is working is actually using IPSec/UDP. I can't seem to get this setup right w/ the XP client... Also I tried connecting from a different workstation with the same results. Someday when I have the time I will try from infront of the SME server and see what happens.
Ryan

[haymann]

Well I just moved my pfSense in place and changed my SME server to a server only config and I can VPN into my work network using the MS VPN client . I haven't changed anything on the pfSense box yet...
Ryan

[jester]

Maybe you should look at this bug report: http://bugs.contribs.org/show_bug.cgi?id=740

With installing contribs you could have activated a non standard repository for yum and a not yet supported kernel might have been installed... who can be giving trouble with PPTP.

regards,
jester.

[raem]

mmccarn

>...I could not find any log files affected by establishing a PPTP connection

Look in the /var/log/messages log file on the server that you are VPNing into.