PPTPD connection tracking

Hello,

I am having problems with pptp VPNs from XP clients, through a NATting
Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
boxes.

Both VPNs with and without MPPE crypto aren't working. These were
working fine with an old linux box with kernel 2.4.something so I am
confused as to why it has stopped working now we have upgraded the
firewall to a later release of RedHat.

The firewall has TCP port 1723 and GRE being allowed through at both
ends.

I've tried to re-compile the latest kernel 2.6.18 making sure to
include pptpd_connection tracking but it still doesn't seem to be
working.

Also, there is a file in the source called
../net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
option to build a module for this in the menuconfig whereas there is
for other modules such as ip_conntrack_ftp. Does anyone know how I can
configure this to build? This is needed for the PPTP connections.

I find it strange that it worked fine with the old RedHat EL3 but now
we upgraded to RH EL4 it isn't working.

Does anyone have any ideas, I'm getting somewhat desperate!!!

Thanks,

Mark

markvr <(E-Mail Removed)> wrote:
> Hello,

> I am having problems with pptp VPNs from XP clients, through a NATting
> Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> boxes.

> Both VPNs with and without MPPE crypto aren't working. These were
> working fine with an old linux box with kernel 2.4.something so I am
> confused as to why it has stopped working now we have upgraded the
> firewall to a later release of RedHat.

> The firewall has TCP port 1723 and GRE being allowed through at both
> ends.

> I've tried to re-compile the latest kernel 2.6.18 making sure to
> include pptpd_connection tracking but it still doesn't seem to be
> working.

> Also, there is a file in the source called
> ./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
> option to build a module for this in the menuconfig whereas there is
> for other modules such as ip_conntrack_ftp. Does anyone know how I can
> configure this to build? This is needed for the PPTP connections.

> I find it strange that it worked fine with the old RedHat EL3 but now
> we upgraded to RH EL4 it isn't working.

> Does anyone have any ideas, I'm getting somewhat desperate!!!

I'm not an expert but the kernel documentation is sometimes left
in the dust or worse. In the "PPTP protocol support" entry under
"IP: Netfilter Configuration" (2.6.18) the help says

x CONFIG_IP_NF_PPTP: x
x x
x This module adds support for PPTP (Point to Point Tunnelling x
x Protocol, RFC2637) connection tracking and NAT. x
x x
x If you are running PPTP sessions over a stateful firewall or NAT x
x box, you may want to enable this feature. x
x x
x Please note that not all PPTP modes of operation are supported yet. x
x For more info, read top of the file x
x net/ipv4/netfilter/ip_conntrack_pptp.c x
x If you want to compile it as a module, say M here and read x
x Documentation/modules.txt. If unsure, say `N'. x

but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in it's
header to be ip_conntrack_pptp.c (Moreover there is no
Documentation/modules.txt).

Also in that header is

* PPTP is a a protocol for creating virtual private networks.
* It is a specification defined by Microsoft and some vendors
* working with Microsoft. PPTP is built on top of a modified
* version of the Internet Generic Routing Encapsulation Protocol.

which suggests to me that the _modified_ GRE might be integral to PPTP
in the kernel. If you believe headers...

And to add even more fuzz, the header of ip_conntrack_proto_gre.c
contains:

/*
* ip_nat_proto_gre.c - Version 2.0
*
* Connection tracking protocol helper module for GRE.
*

The remaining comments in this header don't serve to clarify anything -
at least not for me. There was a split in netfilter-related code into
two branches somewhere after 2.6.10 and perhaps the developers are still
playing catch-up (for interested readers, the other branch is called
"Core Netfilter Configuration," aka Xtables).

Good Luck.

--
Clifford Kite

Clifford Kite wrote:
> markvr <(E-Mail Removed)> wrote:
> > Hello,
>
> > I am having problems with pptp VPNs from XP clients, through a NATting
> > Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> > boxes.
>
> > Both VPNs with and without MPPE crypto aren't working. These were
> > working fine with an old linux box with kernel 2.4.something so I am
> > confused as to why it has stopped working now we have upgraded the
> > firewall to a later release of RedHat.
>
> > The firewall has TCP port 1723 and GRE being allowed through at both
> > ends.
>
> > I've tried to re-compile the latest kernel 2.6.18 making sure to
> > include pptpd_connection tracking but it still doesn't seem to be
> > working.
>
> > Also, there is a file in the source called
> > ./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
> > option to build a module for this in the menuconfig whereas there is
> > for other modules such as ip_conntrack_ftp. Does anyone know how I can
> > configure this to build? This is needed for the PPTP connections.
>
> > I find it strange that it worked fine with the old RedHat EL3 but now
> > we upgraded to RH EL4 it isn't working.
>
> > Does anyone have any ideas, I'm getting somewhat desperate!!!
>
> I'm not an expert but the kernel documentation is sometimes left
> in the dust or worse. In the "PPTP protocol support" entry under
> "IP: Netfilter Configuration" (2.6.18) the help says
>
> x CONFIG_IP_NF_PPTP: x
> x x
> x This module adds support for PPTP (Point to Point Tunnelling x
> x Protocol, RFC2637) connection tracking and NAT. x
> x x
> x If you are running PPTP sessions over a stateful firewall or NAT x
> x box, you may want to enable this feature. x
> x x
> x Please note that not all PPTP modes of operation are supported yet. x
> x For more info, read top of the file x
> x net/ipv4/netfilter/ip_conntrack_pptp.c x
> x If you want to compile it as a module, say M here and read x
> x Documentation/modules.txt. If unsure, say `N'. x
>
> but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
> is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in it's
> header to be ip_conntrack_pptp.c (Moreover there is no
> Documentation/modules.txt).
>
> Also in that header is
>
> * PPTP is a a protocol for creating virtual private networks.
> * It is a specification defined by Microsoft and some vendors
> * working with Microsoft. PPTP is built on top of a modified
> * version of the Internet Generic Routing Encapsulation Protocol.
>
> which suggests to me that the _modified_ GRE might be integral to PPTP
> in the kernel. If you believe headers...
>
> And to add even more fuzz, the header of ip_conntrack_proto_gre.c
> contains:
>
> /*
> * ip_nat_proto_gre.c - Version 2.0
> *
> * Connection tracking protocol helper module for GRE.
> *
>
> The remaining comments in this header don't serve to clarify anything -
> at least not for me. There was a split in netfilter-related code into
> two branches somewhere after 2.6.10 and perhaps the developers are still
> playing catch-up (for interested readers, the other branch is called
> "Core Netfilter Configuration," aka Xtables).
>
> Good Luck.
>
> --
> Clifford Kite

Thankyou for the reply, as you say, it all seems to be a bit confusing.
Surely I can't be the only person with this problem?

I'm really confused as to why it worked on an old kernel, but not on
the new ones. I don't know much about kernels, but could I compile an
old 2.4 kernel and use that or is that likely to cause other problems?
The new OS is CentOS 4.2 (basically RedHat EL4).

Any suggestions from anyone??!!

cheers,

mark

Hello,

markvr a écrit :
> Clifford Kite wrote:
>
>>markvr <(E-Mail Removed)> wrote:
>>
>>>I am having problems with pptp VPNs from XP clients, through a NATting
>>>Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
>>>boxes.

Where is the NAT box located ? On the client or server side ? And what
does it do exactly ? Does it SNAT/MASQUERADE communications from the
clients to the outside or DNAT communications from the outside to the
servers ? Do the clients share the same public IP address ?

>>>Both VPNs with and without MPPE crypto aren't working.

I don't think MPPE is an issue here. What do you mean exactly by "aren't
working" ?

>>>These were
>>>working fine with an old linux box with kernel 2.4.something so I am
>>>confused as to why it has stopped working now we have upgraded the
>>>firewall to a later release of RedHat.

Maybe the kernel 2.4 included the pptp-contrack-nat patch from the
patch-o-matic(-ng) but the kernel 2.6.9 was not.

>>>The firewall has TCP port 1723 and GRE being allowed through at both
>>>ends.

Both ends ?

>>>I've tried to re-compile the latest kernel 2.6.18 making sure to
>>>include pptpd_connection tracking but it still doesn't seem to be
>>>working.

What do you mean exactly by "doesn't seem to be working" ? If the PPTP
conntrack and NAT helper was compiled as modules, did you load the
modules ip_conntrack_pptp.ko and ip_nat_pptp.ko ?

>>>Also, there is a file in the source called
>>>./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
>>>option to build a module for this in the menuconfig whereas there is
>>>for other modules such as ip_conntrack_ftp. Does anyone know how I can
>>>configure this to build? This is needed for the PPTP connections.

The files ip_conntrack_proto_gre.c and ip_nat_proto_gre.c are just ones
of the source files needed to build the kernel modules ip_conntrack_pptp
and ip_nat_pptp. You can see the module build dependencies in the
Makefile in net/ipv4/netfilter/ :

ip_conntrack_pptp-objs := ip_conntrack_helper_pptp.o
ip_conntrack_proto_gre.o
ip_nat_pptp-objs := ip_nat_helper_pptp.o ip_nat_proto_gre.o

Note : ip_conntrack_proto_gre and ip_nat_proto_gre were built as
separate modules in the original pptp-conntrack-nat patch from the
patch-o-matic-ng, but they were merged into the pptp helper modules when
the patch was included in the vanilla kernel 2.6.14.

>>I'm not an expert but the kernel documentation is sometimes left
>>in the dust or worse. In the "PPTP protocol support" entry under
>>"IP: Netfilter Configuration" (2.6.18) the help says
>>
>> x CONFIG_IP_NF_PPTP: x
>> x x
>> x This module adds support for PPTP (Point to Point Tunnelling x
>> x Protocol, RFC2637) connection tracking and NAT. x
>> x x
>> x If you are running PPTP sessions over a stateful firewall or NAT x
>> x box, you may want to enable this feature. x
>> x x
>> x Please note that not all PPTP modes of operation are supported yet. x
>> x For more info, read top of the file x
>> x net/ipv4/netfilter/ip_conntrack_pptp.c x
>> x If you want to compile it as a module, say M here and read x
>> x Documentation/modules.txt. If unsure, say `N'. x
>>
>>but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
>>is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in it's
>>header to be ip_conntrack_pptp.c (Moreover there is no
>>Documentation/modules.txt).

These are out-of-date comments inherited from the patch-o-matic-ng patch.

[...]
>>The remaining comments in this header don't serve to clarify anything -
>>at least not for me. There was a split in netfilter-related code into
>>two branches somewhere after 2.6.10 and perhaps the developers are still
>>playing catch-up (for interested readers, the other branch is called
>>"Core Netfilter Configuration," aka Xtables).

The PPTP conntrack & NAT support was merged into 2.6.14, while the
x_tables framework was added in 2.6.16. Anyway, x_tables is related to
[ip|ip6|arp]tables matches and target, not conntrack & NAT helpers. Or
maybe are you talking about the new connection tracking framework
(nf_conntrack) which was merged in 2.6.15 as an alternative to the
traditional ip_conntrack but does not support NAT nor many special
protocols helpers (including PPTP) yet ?

> I'm really confused as to why it worked on an old kernel, but not on
> the new ones. I don't know much about kernels, but could I compile an
> old 2.4 kernel and use that or is that likely to cause other problems?
> The new OS is CentOS 4.2 (basically RedHat EL4).

I don't know anything about RedHat or CentOS. If it still support
kernels from the 2.4 series, you could try to build one that includes
the pptp-conntrack-nat patch (not included in the vanilla 2.4). However,
I think a recent kernel 2.6 may be preferable with a recent distribution.

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> Hello,
>> Clifford Kite wrote:
>>>The remaining comments in this header don't serve to clarify anything -
>>>at least not for me. There was a split in netfilter-related code into
>>>two branches somewhere after 2.6.10 and perhaps the developers are still
>>>playing catch-up (for interested readers, the other branch is called
>>>"Core Netfilter Configuration," aka Xtables).

> The PPTP conntrack & NAT support was merged into 2.6.14, while the
> x_tables framework was added in 2.6.16. Anyway, x_tables is related to
> [ip|ip6|arp]tables matches and target, not conntrack & NAT helpers. Or
> maybe are you talking about the new connection tracking framework
> (nf_conntrack) which was merged in 2.6.15 as an alternative to the
> traditional ip_conntrack but does not support NAT nor many special
> protocols helpers (including PPTP) yet ?

I meant this option under "Core Netfilter Configuration:"

<M> Netfilter Xtables support (required for ip_tables)

The help says, in part:

x CONFIG_NETFILTER_XTABLES: x
x x
x This is required if you intend to use any of ip_tables, x
x ip6_tables or arp_tables. x

The first 5 sub-configuration items are

x <M> "CLASSIFY" target support x
x <M> "MARK" target support x
x < > "NFQUEUE" target Support x
x < > "comment" match support x
x < > "conntrack" connection tracking match support x

This, under "IP: Netfilter Configuration," must be what you mean:

x <M> Connection tracking (required for masq/NAT) x

The help says, in part:

x CONFIG_IP_NF_CONNTRACK: x
x x
x Connection tracking keeps a record of what packets have passed x
x through your machine, in order to figure out how they are related x
x into connections. x

--
Clifford Kite
/* The signal-to-noise ratio is too low in many [news] groups to make
* them good candidates for archiving.
* --- Mike Moraes, Answers to FAQs about Usenet */

Clifford Kite a écrit :
>
> I meant this option under "Core Netfilter Configuration:"
>
> <M> Netfilter Xtables support (required for ip_tables)

Ok. But AFAIK, Xtables has nothing to do with conntrack & NAT helpers.

> This, under "IP: Netfilter Configuration," must be what you mean:
>
> x <M> Connection tracking (required for masq/NAT) x
> x CONFIG_IP_NF_CONNTRACK: x

No, this is the legacy IPv4 connection tracking inherited from kernel
2.4. I meant this :

Layer 3 Independent Connection tracking
CONFIG_NF_CONNTRACK:

Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.

Layer 3 independent connection tracking is experimental scheme
which generalize ip_conntrack to support other layer 3 protocols.

which is available in "Core Netfilter Configuration" only when you
deselect CONFIG_IP_NF_CONNTRACK because they are incompatible with each
other.

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> Clifford Kite a écrit :
>> This, under "IP: Netfilter Configuration," must be what you mean:
>>
>> x <M> Connection tracking (required for masq/NAT) x
>> x CONFIG_IP_NF_CONNTRACK: x

> No, this is the legacy IPv4 connection tracking inherited from kernel
> 2.4. I meant this :

> Layer 3 Independent Connection tracking
> CONFIG_NF_CONNTRACK:

> Connection tracking keeps a record of what packets have passed
> through your machine, in order to figure out how they are related
> into connections.

> Layer 3 independent connection tracking is experimental scheme
> which generalize ip_conntrack to support other layer 3 protocols.

> which is available in "Core Netfilter Configuration" only when you
> deselect CONFIG_IP_NF_CONNTRACK because they are incompatible with each
> other.

I think we may be using different kernels - it's 2.6.18 here. There's
nothing to indicate it is a legacy IPv4 item, notice it says "required
for masq/NAT." But there _is_ something resembling what you describe
in the last three lines above.

It's rather annoying too, because when you select/deselect

< > Netfilter netlink interface

in the section "Core Netfilter Configuration," the configuration item

< > Connection tracking netlink interface (EXPERIMENTAL) (NEW)
[from the help: CONFIG_IP_NF_CONNTRACK_NETLINK]

in the section "IP: Netfilter Configuration" appears/disappears!

Grrr.. No wonder the split into two sections gave me a headache
when configuring the kernel.

--
Clifford Kite
/* I hear and I forget. I see and I remember. I do and I understand.
--Confucius, 551-479 BC */

Pascal Hambourg wrote:
> Hello,
>
> markvr a écrit :
> > Clifford Kite wrote:
> >
> >>markvr <(E-Mail Removed)> wrote:
> >>
> >>>I am having problems with pptp VPNs from XP clients, through a NATting
> >>>Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> >>>boxes.
>
> Where is the NAT box located ? On the client or server side ? And what
> does it do exactly ? Does it SNAT/MASQUERADE communications from the
> clients to the outside or DNAT communications from the outside to the
> servers ? Do the clients share the same public IP address ?

XP(internal range) -> ProblemLinuxBoxWithNating (public & private
IP)->Internet->LinuxHostWithPopTop(public IP)

>
> >>>Both VPNs with and without MPPE crypto aren't working.
>
> I don't think MPPE is an issue here. What do you mean exactly by "aren't
> working" ?
I shall clarify:
No VPNs with MPPE work at all. The logs on the remote POPTOP server
show errors about GRE tunnel failing. The VPNs without MPPE work
sometimes, but not reliably. They may connect once, and then try again
later and they won't connect.
Windows gives errors about "the connection could not be established".

>
> >>>These were
> >>>working fine with an old linux box with kernel 2.4.something so I am
> >>>confused as to why it has stopped working now we have upgraded the
> >>>firewall to a later release of RedHat.
>
> Maybe the kernel 2.4 included the pptp-contrack-nat patch from the
> patch-o-matic(-ng) but the kernel 2.6.9 was not.
I don't know what the old kernel included, it was the standard
"RedHat/CentOS" one for v3.

>
> >>>The firewall has TCP port 1723 and GRE being allowed through at both
> >>>ends.
>
> Both ends ?
Yes. Nothing here changed except the NATting box was upgraded, the
firewall script was copied over.

>
> >>>I've tried to re-compile the latest kernel 2.6.18 making sure to
> >>>include pptpd_connection tracking but it still doesn't seem to be
> >>>working.
>
> What do you mean exactly by "doesn't seem to be working" ? If the PPTP
> conntrack and NAT helper was compiled as modules, did you load the
> modules ip_conntrack_pptp.ko and ip_nat_pptp.ko ?
See above. Yep, tried loading them. No luck. Other things NAT fine,
just not PPTP connections.

I'm getting out of my depth here. I've never tried to compile a kernel
before and all these code forks and different types of conntracking is
getting a bit beyond me! I was hoping there would be a simple
solution.

At the moment the old box is back in and working, but has hardware
issues. I think I'll just put CentOS 3 onto new hardware as that seems
to work.

Thanks for the replies.

mark

Clifford Kite a écrit :
>
> I think we may be using different kernels - it's 2.6.18 here.

Same here.

> There's
> nothing to indicate it is a legacy IPv4 item, notice it says "required
> for masq/NAT."

"Legacy" does not mean it is obsolete yet (actually I didn't mean it).
The new layer 3 independent nf_conntrack still lacks some important
functionnalities such as IPv4 NAT, so the old ip_conntrack is still
required for NAT.

> But there _is_ something resembling what you describe
> in the last three lines above.

Above what ?

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:

> "Legacy" does not mean it is obsolete yet (actually I didn't mean it).
> The new layer 3 independent nf_conntrack still lacks some important
> functionnalities such as IPv4 NAT, so the old ip_conntrack is still
> required for NAT.

>> But there _is_ something resembling what you describe
>> in the last three lines above.

> Above what ?

Above the current line.

--
Clifford Kite
/* My confidence in this answer (X), on a scale of 0 to 10:
|----|----|----|----|----|----|----|----|----|----X
0----1----2----3----4----5----6----7----8----9----10 */