PPTP through NAT

brammator · June 30, 2005, 8:12am

by this configuration:

=office network=
MT 2.18.17
213.137.230.218
|
217.170.116.3
NAT, probably cisco
172.16.0.1
|
172.16.0.2
cisco pppoe concentrator
|
172.16.4.111 /pppoe interface
linux box, NAT
192.168.100.1
|
192.168.100.2
win2k workstation

I want to use PPTP VPN to reach office network from win2k workstation. It works fine if win2k has real (no NAT) address, but fails if NATed.

Other protocols and apps works throught 2 NAT normally.

When i try to connect, listener on linuxbox NAT displays:

ngrep -d eth1 '.' ! port 22
interface: eth1 (192.168.100.0/255.255.255.0)
filter: ip and ( ! port 22 )
match: .

T 192.168.100.2:1029 -> 213.137.230.218:1723 [AP]
.....+<M....................................................................................Microsoft Windows NT.......................
.....................

T 213.137.230.218:1723 -> 192.168.100.2:1029 [AP]
.....+<M....................mttest..........................................................MikroTik...................................
.....................

T 192.168.100.2:1029 -> 213.137.230.218:1723 [AP]
.....+<M......}+...,.............@.....................................................................................................
.................................

T 213.137.230.218:1723 -> 192.168.100.2:1029 [AP]
. ...+<M.................d......

T 192.168.100.2:1029 -> 213.137.230.218:1723 [AP]
.....+<M................

T 213.137.230.218:1723 -> 192.168.100.2:1029 [AP]
.....+<M................

? 192.168.100.2 -> 213.137.230.218 [proto 47]
0....0.........!...,..[.1...........N.......*%M"......R.....

-- until connection fails by error 619. MT displays
jun/29/2005 23:34:55 PPTP connection established from 217.170.116.3
jun/30/2005 02:58:25 PPTP connection established from 217.170.116.3
jun/30/2005 02:59:31 PPTP connection established from 217.170.116.3
jun/30/2005 03:00:57 PPTP connection established from 217.170.116.3

and no more.

What's to do?

andrewluck · June 30, 2005, 6:26pm

The packet sniff shows that GRE (proto 47) packets are not making it back to the Win2k box. Looks like one of the Cisco boxes is not setup to allow GRE. You need to run some packet traces a little closer to the office network.

Regards

Andrew

brammator · July 5, 2005, 8:29am

More sniffing, including
/ ip firewall rule input add protocol=gre action=passthrough log=yes comment=“” disabled=no
/ ip firewall rule output add protocol=gre action=passthrough log=yes comment=“” disabled=no

07:20:14.586048 IP 192.168.100.2.1033 > 213.137.230.218.1723: S 4248935360:4248935360(0) win 16384 <mss 1460,nop,nop,sackOK>
07:20:14.595509 IP 213.137.230.218.1723 > 192.168.100.2.1033: S 790991409:790991409(0) ack 4248935361 win 5640 <mss 1410,nop,nop,sackOK>
07:20:14.595760 IP 192.168.100.2.1033 > 213.137.230.218.1723: . ack 1 win 16920
07:20:14.595947 IP 192.168.100.2.1033 > 213.137.230.218.1723: P 1:157(156) ack 1 win 16920: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2195) [|pptp]
07:20:14.599268 IP 213.137.230.218.1723 > 192.168.100.2.1033: . ack 157 win 5640
07:20:14.604823 IP 213.137.230.218.1723 > 192.168.100.2.1033: P 1:157(156) ack 157 win 5640: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP() MAX_CHAN(0) FIRM_REV(1) [|pptp]
07:20:14.605285 IP 192.168.100.2.1033 > 213.137.230.218.1723: P 157:325(168) ack 157 win 16764: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32768) CALL_SER_NUM(32846) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
07:20:14.608559 IP 213.137.230.218.1723 > 192.168.100.2.1033: P 157:189(32) ack 325 win 6432: pptp CTRL_MSGTYPE=OCRP CALL_ID(24) PEER_CALL_ID(32768) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000) RECV_WIN(100) PROC_DELAY(0) PHY_CHAN_ID(0)
07:20:14.610630 IP 192.168.100.2.1033 > 213.137.230.218.1723: P 325:349(24) ack 189 win 16732: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(24) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
07:20:14.612382 IP 192.168.100.2 > 213.137.230.218: call 24 seq 0 gre-ppp-payload
07:20:14.613139 IP 213.137.230.218.1723 > 192.168.100.2.1033: P 189:213(24) ack 349 win 6432: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(62004) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
07:20:14.776064 IP 192.168.100.2.1033 > 213.137.230.218.1723: . ack 213 win 16708
07:20:16.605276 IP 192.168.100.2 > 213.137.230.218: call 24 seq 1 gre-ppp-payload
07:20:19.604556 IP 192.168.100.2 > 213.137.230.218: call 24 seq 2 gre-ppp-payload
07:20:23.604715 IP 192.168.100.2 > 213.137.230.218: call 24 seq 3 gre-ppp-payload
07:20:27.604762 IP 192.168.100.2 > 213.137.230.218: call 24 seq 4 gre-ppp-payload
07:20:31.604908 IP 192.168.100.2 > 213.137.230.218: call 24 seq 5 gre-ppp-payload
07:20:35.604956 IP 192.168.100.2 > 213.137.230.218: call 24 seq 6 gre-ppp-payload
07:20:39.605095 IP 192.168.100.2 > 213.137.230.218: call 24 seq 7 gre-ppp-payload
07:20:43.605174 IP 192.168.100.2 > 213.137.230.218: call 24 seq 8 gre-ppp-payload
07:20:44.717098 IP 213.137.230.218.1723 > 192.168.100.2.1033: F 213:213(0) ack 349 win 6432
07:20:44.717323 IP 192.168.100.2.1033 > 213.137.230.218.1723: F 349:349(0) ack 214 win 16708
07:20:44.719447 IP 213.137.230.218.1723 > 192.168.100.2.1033: . ack 350 win 6432

07:19:21.321637 > 0800 88: IP 172.16.4.111.32769 > 172.16.0.4.53: 19964+ PTR? 2.100.168.192.in-addr.arpa. (44)
07:19:21.323112 < 0800 165: IP 172.16.0.4.53 > 172.16.4.111.32769: 19964 NXDomain 0/1/0 (121)
07:20:14.586189 > 0800 64: IP 172.16.4.111.1033 > 213.137.230.218.1723: S 4248935360:4248935360(0) win 16384 <mss 1452,nop,nop,sackOK>
07:20:14.595390 < 0800 64: IP 213.137.230.218.1723 > 172.16.4.111.1033: S 790991409:790991409(0) ack 4248935361 win 5640 <mss 1410,nop,nop,sackOK>
07:20:14.595811 > 0800 56: IP 172.16.4.111.1033 > 213.137.230.218.1723: . ack 1 win 16920
07:20:14.595985 > 0800 212: IP 172.16.4.111.1033 > 213.137.230.218.1723: P 1:157(156) ack 1 win 16920: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2195) [|pptp]
07:20:14.599189 < 0800 56: IP 213.137.230.218.1723 > 172.16.4.111.1033: . ack 157 win 5640
07:20:14.604784 < 0800 212: IP 213.137.230.218.1723 > 172.16.4.111.1033: P 1:157(156) ack 157 win 5640: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP() MAX_CHAN(0) FIRM_REV(1) [|pptp]
07:20:14.605313 > 0800 224: IP 172.16.4.111.1033 > 213.137.230.218.1723: P 157:325(168) ack 157 win 16764: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32768) CALL_SER_NUM(32846) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
07:20:14.608520 < 0800 88: IP 213.137.230.218.1723 > 172.16.4.111.1033: P 157:189(32) ack 325 win 6432: pptp CTRL_MSGTYPE=OCRP CALL_ID(24) PEER_CALL_ID(32768) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000) RECV_WIN(100) PROC_DELAY(0) PHY_CHAN_ID(0)
07:20:14.610650 > 0800 80: IP 172.16.4.111.1033 > 213.137.230.218.1723: P 325:349(24) ack 189 win 16732: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(24) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
07:20:14.612428 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 0 gre-ppp-payload
07:20:14.613101 < 0800 80: IP 213.137.230.218.1723 > 172.16.4.111.1033: P 189:213(24) ack 349 win 6432: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(62004) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
07:20:14.776106 > 0800 56: IP 172.16.4.111.1033 > 213.137.230.218.1723: . ack 213 win 16708
07:20:16.605334 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 1 gre-ppp-payload
07:20:19.604616 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 2 gre-ppp-payload
07:20:23.604775 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 3 gre-ppp-payload
07:20:27.604826 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 4 gre-ppp-payload
07:20:31.604971 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 5 gre-ppp-payload
07:20:35.605013 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 6 gre-ppp-payload
07:20:39.605155 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 7 gre-ppp-payload
07:20:43.605234 > 0800 96: IP 172.16.4.111 > 213.137.230.218: call 24 seq 8 gre-ppp-payload
07:20:44.717016 < 0800 56: IP 213.137.230.218.1723 > 172.16.4.111.1033: F 213:213(0) ack 349 win 6432
07:20:44.717372 > 0800 56: IP 172.16.4.111.1033 > 213.137.230.218.1723: F 349:349(0) ack 214 win 16708
07:20:44.719308 < 0800 56: IP 213.137.230.218.1723 > 172.16.4.111.1033: . ack 350 win 6432

jul/04/2005 11:10:27 PPTP connection established from 217.170.116.3
jul/04/2005 11:10:27 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:27 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 59
jul/04/2005 11:10:27 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 74
jul/04/2005 11:10:29 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:29 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:30 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:32 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:32 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:33 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:36 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:36 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:36 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:39 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:40 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:40 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:42 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:44 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:44 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:45 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:48 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:48 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:48 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:51 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:52 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:52 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78
jul/04/2005 11:10:54 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 55
jul/04/2005 11:10:56 input->PASSTHROUGH, in:v008_service, out:(local), src-mac 00:07:0e:c9:8c:ce, prot 47,
217.170.116.3->213.137.230.218, len 80
jul/04/2005 11:10:56 output->PASSTHROUGH, in:(local), out:v008_service, prot 47, 213.137.230.218->217.170.116.3, len 78