From: markvr on
Hello,

I am having problems with pptp VPNs from XP clients, through a NATting
Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
boxes.

Both VPNs with and without MPPE crypto aren't working. These were
working fine with an old linux box with kernel 2.4.something so I am
confused as to why it has stopped working now we have upgraded the
firewall to a later release of RedHat.

The firewall has TCP port 1723 and GRE being allowed through at both
ends.

I've tried to re-compile the latest kernel 2.6.18 making sure to
include pptpd_connection tracking but it still doesn't seem to be
working.

Also, there is a file in the source called
../net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
option to build a module for this in the menuconfig whereas there is
for other modules such as ip_conntrack_ftp. Does anyone know how I can
configure this to build? This is needed for the PPTP connections.

I find it strange that it worked fine with the old RedHat EL3 but now
we upgraded to RH EL4 it isn't working.

Does anyone have any ideas, I'm getting somewhat desperate!!!

Thanks,

Mark

From: Clifford Kite on
markvr <markvanrossum(a)gmail.com> wrote:
> Hello,

> I am having problems with pptp VPNs from XP clients, through a NATting
> Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> boxes.

> Both VPNs with and without MPPE crypto aren't working. These were
> working fine with an old linux box with kernel 2.4.something so I am
> confused as to why it has stopped working now we have upgraded the
> firewall to a later release of RedHat.

> The firewall has TCP port 1723 and GRE being allowed through at both
> ends.

> I've tried to re-compile the latest kernel 2.6.18 making sure to
> include pptpd_connection tracking but it still doesn't seem to be
> working.

> Also, there is a file in the source called
> ./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
> option to build a module for this in the menuconfig whereas there is
> for other modules such as ip_conntrack_ftp. Does anyone know how I can
> configure this to build? This is needed for the PPTP connections.

> I find it strange that it worked fine with the old RedHat EL3 but now
> we upgraded to RH EL4 it isn't working.

> Does anyone have any ideas, I'm getting somewhat desperate!!!

I'm not an expert but the kernel documentation is sometimes left
in the dust or worse. In the "PPTP protocol support" entry under
"IP: Netfilter Configuration" (2.6.18) the help says

CONFIG_IP_NF_PPTP:

This module adds support for PPTP (Point to Point Tunnelling
Protocol, RFC2637) connection tracking and NAT.

If you are running PPTP sessions over a stateful firewall or NAT
box, you may want to enable this feature.

Please note that not all PPTP modes of operation are supported yet.
For more info, read top of the file
net/ipv4/netfilter/ip_conntrack_pptp.c
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.

but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in its
header to be ip_conntrack_pptp.c (moreover there is no
Documentation/modules.txt).

Also in that header is

* PPTP is a protocol for creating virtual private networks.
* It is a specification defined by Microsoft and some vendors
* working with Microsoft. PPTP is built on top of a modified
* version of the Internet Generic Routing Encapsulation Protocol.

which suggests to me that the _modified_ GRE might be integral to PPTP
in the kernel. If you believe headers...

And to add even more fuzz, the header of ip_conntrack_proto_gre.c
contains:

/*
* ip_nat_proto_gre.c - Version 2.0
*
* Connection tracking protocol helper module for GRE.
*

The remaining comments in this header don't serve to clarify anything -
at least not for me. There was a split in netfilter-related code into
two branches somewhere after 2.6.10 and perhaps the developers are still
playing catch-up (for interested readers, the other branch is called
"Core Netfilter Configuration," aka Xtables).

Good Luck.

--
Clifford Kite
From: markvr on

Clifford Kite wrote:
> markvr <markvanrossum(a)gmail.com> wrote:
> > Hello,
>
> > I am having problems with pptp VPNs from XP clients, through a NATting
> > Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> > boxes.
>
> > Both VPNs with and without MPPE crypto aren't working. These were
> > working fine with an old linux box with kernel 2.4.something so I am
> > confused as to why it has stopped working now we have upgraded the
> > firewall to a later release of RedHat.
>
> > The firewall has TCP port 1723 and GRE being allowed through at both
> > ends.
>
> > I've tried to re-compile the latest kernel 2.6.18 making sure to
> > include pptpd_connection tracking but it still doesn't seem to be
> > working.
>
> > Also, there is a file in the source called
> > ./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
> > option to build a module for this in the menuconfig whereas there is
> > for other modules such as ip_conntrack_ftp. Does anyone know how I can
> > configure this to build? This is needed for the PPTP connections.
>
> > I find it strange that it worked fine with the old RedHat EL3 but now
> > we upgraded to RH EL4 it isn't working.
>
> > Does anyone have any ideas, I'm getting somewhat desperate!!!
>
> I'm not an expert but the kernel documentation is sometimes left
> in the dust or worse. In the "PPTP protocol support" entry under
> "IP: Netfilter Configuration" (2.6.18) the help says
>
> CONFIG_IP_NF_PPTP:
>
> This module adds support for PPTP (Point to Point Tunnelling
> Protocol, RFC2637) connection tracking and NAT.
>
> If you are running PPTP sessions over a stateful firewall or NAT
> box, you may want to enable this feature.
>
> Please note that not all PPTP modes of operation are supported yet.
> For more info, read top of the file
> net/ipv4/netfilter/ip_conntrack_pptp.c
> If you want to compile it as a module, say M here and read
> Documentation/modules.txt. If unsure, say `N'.
>
> but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
> is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in its
> header to be ip_conntrack_pptp.c (moreover there is no
> Documentation/modules.txt).
>
> Also in that header is
>
> * PPTP is a protocol for creating virtual private networks.
> * It is a specification defined by Microsoft and some vendors
> * working with Microsoft. PPTP is built on top of a modified
> * version of the Internet Generic Routing Encapsulation Protocol.
>
> which suggests to me that the _modified_ GRE might be integral to PPTP
> in the kernel. If you believe headers...
>
> And to add even more fuzz, the header of ip_conntrack_proto_gre.c
> contains:
>
> /*
> * ip_nat_proto_gre.c - Version 2.0
> *
> * Connection tracking protocol helper module for GRE.
> *
>
> The remaining comments in this header don't serve to clarify anything -
> at least not for me. There was a split in netfilter-related code into
> two branches somewhere after 2.6.10 and perhaps the developers are still
> playing catch-up (for interested readers, the other branch is called
> "Core Netfilter Configuration," aka Xtables).
>
> Good Luck.
>
> --
> Clifford Kite

Thank you for the reply; as you say, it all seems to be a bit confusing.
Surely I can't be the only person with this problem?

I'm really confused as to why it worked on an old kernel, but not on
the new ones. I don't know much about kernels, but could I compile an
old 2.4 kernel and use that or is that likely to cause other problems?
The new OS is CentOS 4.2 (basically RedHat EL4).

Any suggestions from anyone??!!

cheers,

mark

From: Pascal Hambourg on
Hello,

markvr wrote:
> Clifford Kite wrote:
>
>>markvr <markvanrossum(a)gmail.com> wrote:
>>
>>>I am having problems with pptp VPNs from XP clients, through a NATting
>>>Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
>>>boxes.

Where is the NAT box located? On the client or server side? And what
does it do exactly? Does it SNAT/MASQUERADE communications from the
clients to the outside or DNAT communications from the outside to the
servers? Do the clients share the same public IP address?

>>>Both VPNs with and without MPPE crypto aren't working.

I don't think MPPE is an issue here. What do you mean exactly by "aren't
working"?

>>>These were
>>>working fine with an old linux box with kernel 2.4.something so I am
>>>confused as to why it has stopped working now we have upgraded the
>>>firewall to a later release of RedHat.

Maybe the kernel 2.4 included the pptp-conntrack-nat patch from the
patch-o-matic(-ng) but the kernel 2.6.9 did not.

>>>The firewall has TCP port 1723 and GRE being allowed through at both
>>>ends.

Both ends?

>>>I've tried to re-compile the latest kernel 2.6.18 making sure to
>>>include pptpd_connection tracking but it still doesn't seem to be
>>>working.

What do you mean exactly by "doesn't seem to be working"? If the PPTP
conntrack and NAT helpers were compiled as modules, did you load the
modules ip_conntrack_pptp.ko and ip_nat_pptp.ko?

>>>Also, there is a file in the source called
>>>./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
>>>option to build a module for this in the menuconfig whereas there is
>>>for other modules such as ip_conntrack_ftp. Does anyone know how I can
>>>configure this to build? This is needed for the PPTP connections.

The files ip_conntrack_proto_gre.c and ip_nat_proto_gre.c are just some
of the source files needed to build the kernel modules ip_conntrack_pptp
and ip_nat_pptp. You can see the module build dependencies in the
Makefile in net/ipv4/netfilter/:

ip_conntrack_pptp-objs := ip_conntrack_helper_pptp.o ip_conntrack_proto_gre.o
ip_nat_pptp-objs := ip_nat_helper_pptp.o ip_nat_proto_gre.o

Note: ip_conntrack_proto_gre and ip_nat_proto_gre were built as
separate modules in the original pptp-conntrack-nat patch from the
patch-o-matic-ng, but they were merged into the pptp helper modules when
the patch was included in the vanilla kernel 2.6.14.

>>I'm not an expert but the kernel documentation is sometimes left
>>in the dust or worse. In the "PPTP protocol support" entry under
>>"IP: Netfilter Configuration" (2.6.18) the help says
>>
>> CONFIG_IP_NF_PPTP:
>>
>> This module adds support for PPTP (Point to Point Tunnelling
>> Protocol, RFC2637) connection tracking and NAT.
>>
>> If you are running PPTP sessions over a stateful firewall or NAT
>> box, you may want to enable this feature.
>>
>> Please note that not all PPTP modes of operation are supported yet.
>> For more info, read top of the file
>> net/ipv4/netfilter/ip_conntrack_pptp.c
>> If you want to compile it as a module, say M here and read
>> Documentation/modules.txt. If unsure, say `N'.
>>
>>but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
>>is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in its
>>header to be ip_conntrack_pptp.c (moreover there is no
>>Documentation/modules.txt).

These are out-of-date comments inherited from the patch-o-matic-ng patch.

[...]
>>The remaining comments in this header don't serve to clarify anything -
>>at least not for me. There was a split in netfilter-related code into
>>two branches somewhere after 2.6.10 and perhaps the developers are still
>>playing catch-up (for interested readers, the other branch is called
>>"Core Netfilter Configuration," aka Xtables).

The PPTP conntrack & NAT support was merged into 2.6.14, while the
x_tables framework was added in 2.6.16. Anyway, x_tables is related to
[ip|ip6|arp]tables matches and targets, not conntrack & NAT helpers. Or
maybe you are talking about the new connection tracking framework
(nf_conntrack), which was merged in 2.6.15 as an alternative to the
traditional ip_conntrack but does not support NAT nor many special
protocol helpers (including PPTP) yet?

> I'm really confused as to why it worked on an old kernel, but not on
> the new ones. I don't know much about kernels, but could I compile an
> old 2.4 kernel and use that or is that likely to cause other problems?
> The new OS is CentOS 4.2 (basically RedHat EL4).

I don't know anything about RedHat or CentOS. If it still supports
kernels from the 2.4 series, you could try to build one that includes
the pptp-conntrack-nat patch (not included in the vanilla 2.4). However,
I think a recent kernel 2.6 may be preferable with a recent distribution.
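A check for the two things Pascal's reply asks about (whether the ip_conntrack_pptp/ip_nat_pptp helpers are loaded, and whether the firewall passes TCP/1723 and GRE), added here as an example and not part of the thread. It runs on constructed lsmod and iptables-save output embedded below; the rule set and module listing are assumptions, not Mark's actual configuration.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): given lsmod and iptables-save
# text, report whether the PPTP conntrack/NAT helper modules are loaded
# and whether the forward path accepts the PPTP control channel
# (TCP/1723) and the data channel (GRE, IP protocol 47).
# Both samples below are constructed for illustration.

SAMPLE_LSMOD='Module                  Size  Used by
ip_nat_pptp             4352  0
ip_conntrack_pptp      12816  1 ip_nat_pptp
ip_nat                 20908  2 ip_nat_pptp,iptable_nat
ip_conntrack           53344  4 ip_nat_pptp,ip_conntrack_pptp,ip_nat,iptable_nat'

SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -p gre -j ACCEPT
COMMIT'

# pptp_helpers_loaded LSMOD_TEXT -> 0 if both helper modules are listed.
# On a live box: pptp_helpers_loaded "$(lsmod)".
pptp_helpers_loaded() {
    printf '%s\n' "$1" | grep -q '^ip_conntrack_pptp ' &&
    printf '%s\n' "$1" | grep -q '^ip_nat_pptp '
}

# pptp_rules_present RULES_TEXT -> 0 if there is an ACCEPT for tcp dport
# 1723 and one for GRE (iptables-save writes it as -p gre or -p 47).
# On a live box: pptp_rules_present "$(iptables-save)".
pptp_rules_present() {
    printf '%s\n' "$1" | grep -Eq -- '-p tcp.*--dport 1723.*-j ACCEPT' &&
    printf '%s\n' "$1" | grep -Eq -- '-p (gre|47)( |$).*-j ACCEPT'
}

# pptp_nat_check LSMOD_TEXT RULES_TEXT: print each finding; return 0 only
# when both the helpers and the rules are in place.
pptp_nat_check() {
    status=0
    if pptp_helpers_loaded "$1"; then echo "helpers: ip_conntrack_pptp and ip_nat_pptp loaded"
    else echo "helpers: MISSING (modprobe ip_nat_pptp; it depends on ip_conntrack_pptp)"; status=1; fi
    if pptp_rules_present "$2"; then echo "rules: TCP/1723 and GRE accepted"
    else echo "rules: MISSING accept for TCP/1723 and/or GRE (protocol 47)"; status=1; fi
    return $status
}

pptp_nat_check "$SAMPLE_LSMOD" "$SAMPLE_RULES"
```

Passing this check only shows the box can track and NAT PPTP; it says nothing about whether the PoPToP end or the XP client is misconfigured.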
From: Clifford Kite on
Pascal Hambourg <boite-a-spam(a)plouf.fr.eu.org> wrote:
> Hello,
>> Clifford Kite wrote:
>>>The remaining comments in this header don't serve to clarify anything -
>>>at least not for me. There was a split in netfilter-related code into
>>>two branches somewhere after 2.6.10 and perhaps the developers are still
>>>playing catch-up (for interested readers, the other branch is called
>>>"Core Netfilter Configuration," aka Xtables).

> The PPTP conntrack & NAT support was merged into 2.6.14, while the
> x_tables framework was added in 2.6.16. Anyway, x_tables is related to
> [ip|ip6|arp]tables matches and target, not conntrack & NAT helpers. Or
> maybe are you talking about the new connection tracking framework
> (nf_conntrack) which was merged in 2.6.15 as an alternative to the
> traditional ip_conntrack but does not support NAT nor many special
> protocols helpers (including PPTP) yet ?

I meant this option under "Core Netfilter Configuration:"

<M> Netfilter Xtables support (required for ip_tables)

The help says, in part:

CONFIG_NETFILTER_XTABLES:

This is required if you intend to use any of ip_tables,
ip6_tables or arp_tables.

The first 5 sub-configuration items are

<M> "CLASSIFY" target support
<M> "MARK" target support
< > "NFQUEUE" target Support
< > "comment" match support
< > "conntrack" connection tracking match support

This, under "IP: Netfilter Configuration," must be what you mean:

<M> Connection tracking (required for masq/NAT)

The help says, in part:

CONFIG_IP_NF_CONNTRACK:

Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.

--
Clifford Kite
/* The signal-to-noise ratio is too low in many [news] groups to make
* them good candidates for archiving.
* --- Mike Moraes, Answers to FAQs about Usenet */