Koozali.org: home of the SME Server

Portforward 1723 for authentication against a sbs 2003 server.

Offline Ruval

Portforward 1723 for authentication against a sbs 2003 server.
« on: February 05, 2008, 11:46:14 AM »

Dear All

I have been trying to get my version of SME 7.2 (all latest updates applied) to allow VPN pass through. I can see that there have been problems with this and there is still a bug list open for this particular problem.

http://bugs.contribs.org/show_bug.cgi?id=1131

I am afraid I was caught with my pants down on this one as I thought it should be able to handle this OK. All my other portforwards are working fine, except 1723 will refuse to work for me.

In the bug report it says the following.
The workaround is to forward PPTP via the Port Forwarding panel and add an
explicit rule to forward GRE traffic.

Would anyone have any links on how to do this and also where these rules go? Will this be fixed in the up and coming releases?

Again thank you very much for any help received.


Offline Ruval

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #1 on: February 06, 2008, 12:12:49 PM »
I can find loads of things on here about this problem, but it looks like it isn't fixed.

Is there anyone who can help? :)

thanks to all

Offline raem

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #2 on: February 07, 2008, 07:43:49 AM »
Ruval

Quote
The workaround is to forward PPTP via the Port Forwarding panel and add an
explicit rule to forward GRE traffic.

Reading the bug report completely suggests there is still some significant amount of work to be done to get this functionality.
I think it is talking about masq rules, i.e. iptables, but it seems there is more to it than that, with the requirement for various modules to be installed, which are not yet developed/tested/functional.

As Charlie stated:
"We aren't loading those modules because nobody has yet tested that they work. I
collected the patches some time ago, but I have no facilities or motivation for
testing PPTP VPN."

Perhaps the motivation would be financial sponsorship of the development work.
Contact Charlie and/or Gordon directly for that.

If your business activity seriously requires the functionality, then it should be reasonable to consider sponsoring the development.
...

Offline pfloor

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #3 on: February 08, 2008, 06:48:03 AM »
I was faced with this problem and actually tried to help with bug 1131 but the kmods didn't seem to work correctly and I haven't seen the conntrack-nat modules built for the current kernel lately.  I had to give up because I had to convert my test servers into production and couldn't test anymore.  There are possibly other methods to accomplish what you need; I ended up using RDP instead.  Tell us about your configuration and needs and let's see if we can help you come up with a solution.

What is your need for VPN to the internal machine?
Can you VPN into the SME Server and then navigate to the internal machine?
Can you use a different protocol?
The internal machine is a Windows box, will RDP work for your situation?
In life, you must either "Push, Pull or Get out of the way!"

Offline Ruval

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #4 on: February 11, 2008, 07:41:02 PM »
Hi Pfloor,

I am sorry that I did not get back to you sooner. I have been away, and thank you very much for your offer of help.

Q)What is your need for VPN to the internal machine?
A)My need is to allow port 1723 through so that authentication against the SBS server can take place.

Q)Can you VPN into the SME Server and then navigate to the internal machine?
A)Yes I can do this, but the server and workstations are in a domain. I have set up VPN on the SME server temporarily just so that users can connect. I find this slow and I have also pointed the SME DNS to the SBS server.

Q)Can you use a different protocol?
A)I don't think so, for VPN pass through and this also uses 47 GRE not just port 1723, I could be wrong?

The internal machine is a Windows box, will RDP work for your situation?
I don't think RDP would be the answer here, again I may be wrong. It seems that half of VPN pass through is already available and that GRE 47 seems to be the sticking point.

I have been checking a couple of sites
http://linux.derkeiler.com/Newsgroups/linux.redhat/2004-01/0448.html
http://groups.google.com/group/comp.os.linux.network/browse_thread/thread/b175f7e45856e73d
http://www.experts-exchange.com/Networking/Linux_Networking/Q_21634878.html

On the first site it suggests the use of iptables. Being new to the Linux game I am not too sure yet of the best way of doing this, so I will carry on checking out sites and testing.

Thanks again

Ruval

Offline CharlieBrady

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #5 on: February 11, 2008, 08:26:24 PM »
Quote
A)My need is to allow port 1723 through so that authentication against the SBS server can take place.

Port 1723 carries the control channel of a VPN service - it's not an authentication service. You wish to create a VPN connection to the SBS server, correct? What actually happens when you port forward port 1723 and then try to create your VPN connection?

Offline pfloor

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #6 on: February 11, 2008, 10:33:01 PM »
Quote
Port 1723 carries the control channel of a VPN service - it's not an authentication service. You wish to create a VPN connection to the SBS server, correct? What actually happens when you port forward port 1723 and then try to create your VPN connection?

I can attest that it doesn't work.  He will get Error #721 on the client side.  There are 2 possible scenarios:

1-Load the proto_gre nat/conntrack modules and try again.  Problem is that these modules aren't built.

2-Forward the GRE protocol to the internal machine via a custom template.  Forwarding the GRE protocol is reported to work on other distros using iptables.

I couldn't work on bug 1131 anymore due to loss of test equipment.  Since Ruval has a working setup I say we go back and re-visit the bug and try some additional configurations.

Ruval, can you participate in testing???
In life, you must either "Push, Pull or Get out of the way!"

Offline CharlieBrady

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #7 on: February 11, 2008, 10:40:52 PM »
Quote
I can attest that it doesn't work.  He will get Error #721 on the client side.

Did you try with pptpd disabled or enabled on the SME server? Results might differ.

Offline pfloor

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #8 on: February 11, 2008, 11:40:18 PM »
Quote
Did you try with pptpd disabled or enabled on the SME server? Results might differ.

It failed in both cases (with pptpd enabled and disabled) and AFAIR both cases establish a connection, then stall on verifying username and password, and then error out with error #721.
In life, you must either "Push, Pull or Get out of the way!"
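
Added example, not part of the thread or of SME Server: a small check for the two PPTP channels discussed above. It labels raw IPv4 packets as PPTP control (TCP 1723) or PPTP data (IP protocol 47, enhanced GRE carrying PPP, which is where the username/password exchange travels) and reports which one fails to reach the internal server. The addresses, packets and function names are constructed for illustration.

```python
import socket
import struct

PPTP_PORT, IPPROTO_TCP, IPPROTO_GRE = 1723, 6, 47

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at zero; constructed data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Label a raw IPv4 packet: 'pptp-control', 'pptp-gre' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    payload = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == IPPROTO_TCP and len(payload) >= 4:
        if PPTP_PORT in struct.unpack("!HH", payload[:4]):
            return "pptp-control"
    if pkt[9] == IPPROTO_GRE and len(payload) >= 8:
        flags, ptype = struct.unpack("!HH", payload[:4])
        # Enhanced GRE (RFC 2637): version 1 in the low 3 bits, type 0x880B = PPP
        if flags & 0x0007 == 1 and ptype == 0x880B:
            return "pptp-gre"
    return "other"

def diagnose(packets, server_ip):
    """Report which PPTP channel reaches server_ip in a capture taken at the server."""
    srv = socket.inet_aton(server_ip)
    inbound = {classify(p) for p in packets if len(p) >= 20 and p[16:20] == srv}
    if "pptp-control" not in inbound:
        return "no control channel: TCP 1723 is not reaching the server"
    if "pptp-gre" not in inbound:
        return "control channel up, no inbound GRE: IP protocol 47 is not forwarded"
    return "control and GRE both reach the server"

# Constructed sample: documentation/private addresses, not taken from the thread.
CLIENT, SERVER = "198.51.100.7", "192.168.1.2"
TCP_TO_SRV = struct.pack("!HH", 1030, PPTP_PORT) + bytes(16)
TCP_FROM_SRV = struct.pack("!HH", PPTP_PORT, 1030) + bytes(16)
GRE_PPP = struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)  # K bit set, version 1, call ID 1

ONLY_1723_FORWARDED = [
    ipv4(CLIENT, SERVER, IPPROTO_TCP, TCP_TO_SRV),
    ipv4(SERVER, CLIENT, IPPROTO_TCP, TCP_FROM_SRV),
    ipv4(SERVER, CLIENT, IPPROTO_GRE, GRE_PPP),  # server's PPP frames leave,
]                                                 # the client's never arrive

if __name__ == "__main__":
    print(diagnose(ONLY_1723_FORWARDED, SERVER))
```

A capture showing the second result matches the situation in the thread where only TCP 1723 is forwarded: the control connection is established, but the PPP negotiation inside GRE never completes.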

Offline arne

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #9 on: February 12, 2008, 12:38:06 AM »
I made a few tests and I think it appeared that the two kernel modules that are required to make gre nat are missing. (And I could not find an easy way to include them either.) I think that's the reason why forwarding gre (or tcp 1723) will not help. (As also mentioned above in the thread.)
......

Offline CharlieBrady

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #10 on: February 12, 2008, 01:51:02 AM »
Quote
I made a few tests and I think it appeared that the two kernel modules that are required to make gre nat are missing.

No additional kernel modules should be required. Please follow up via the bug tracker (bug 1131) if you have any test results, or any further insight into what is and isn't happening.

Offline Ruval

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #11 on: February 12, 2008, 07:20:18 PM »

Hi Gents,

Thank you for helping, Charlie.

Pfloor is correct, I do get an Error #721 on the client side.

I am more than happy to test for you, pfloor. If it helps everyone then I am happy to do it.


Offline pfloor

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #12 on: February 12, 2008, 08:45:17 PM »
Ruval, if you don't have a bugzilla account, request one here:

http://bugs.contribs.org/createaccount.cgi

And then follow up in the bug here:

http://bugs.contribs.org/show_bug.cgi?id=1131

In life, you must either "Push, Pull or Get out of the way!"

Offline Ruval

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #13 on: February 12, 2008, 08:49:14 PM »
Okey Dokey.....DONE!! :)

Offline Ruval

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #14 on: February 25, 2008, 07:16:38 PM »
Just got back into the UK yesterday. Is there any testing you would like me to try?

Thanks

Ruval

Offline CharlieBrady

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #15 on: February 25, 2008, 09:02:01 PM »
Quote
Just got back into the UK yesterday. Is there any testing you would like me to try?

Follow up via the Bug Tracker, please.

Re: Portforward 1723 for authentication against a sbs 2003 server.
« Reply #16 on: July 04, 2008, 10:22:20 AM »
Has anyone found a solution to the problem of forwarding GRE traffic?