On Tue, 11 Feb 2003 11:54:08 +0100, Niels Bach <NB@maconomy.dk> wrote in message <E88493086664D511A1E4000103330E82027FE067@mail.maconomy.dk>: > Setup: > LAN A, LAN B, LAN C and LAN D all separate LAN's behind four different > firewalls. > > The only connection between the LAN's is NAT through their respective > firewalls. > > LAN D contains a PPTP server which I would like all the clients on all > four LAN's to be able to access. LAN D is protected with a firewall > (iptables/debian > 3.0/kernel-2.4.20/patch-o-matic-20030107/iptables-1.2.7a). > > Problem: > LAN A (working) > LAN B (working) > LAN C (broken -- only one connection at a time) > LAN D (containing the PPTP server) ..lan d is a dmz? > Details: > hmm it actually works from the 2 LAN's (A and B) but the last one is > problematic. From the two working ones (LAN A and LAN B) you can > connect with no problem to the PPTP server behind the firewall > protecting LAN D. > > From the broken LAN (LAN C) the problem is as follow: > you can connect one person at a time. When this one person from LAN C > has finished and logged off there is a 10 minute/600 seconds timeout > before it is possible for another client to connect to the PPTP server > from LAN C (and we are still talking about the PPTP server on LAN D). > > So what I'm wondering about is what the difference is between > connections from LAN A and LAN B and connections from LAN C ??? ..some other type of tunnel running too? PPTP is a monopolizer, it wants the entire box for itself, but you _can_ use the box as a gateway for freeswan while it runs the poptop PPTP. > The only debugging information I found was in /proc/net/ip_conntrack > which looks like this: > -------------------------------------------------------- > gre 47 428648 timeout=600, stream_timeout=432000 src=x.x.x.x > dst=x.x.x.x version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 > src=192.168.0.200 dst=x.x.x.x version=1 protocol=0x880b srckey=0xc3e7 > dstkey=0x47d[ASSURED] use=1 > > tcp 6 424347 ESTABLISHED src=x.x.x.x dst=x.x.x.x sport=1149 > dport=1723 src=192.168.0.200 dst=x.x.x.x sport=1723 dport=1149 [ASSURE > D] use=2 > > ........ > > ---------------------------------------------------------- > where x.x.x.x represents the IP numbers for the server and the client. > > The thing that is wondering me is that connections from the broken LAN > C hangs in the /proc/net/ip_conntrack file, this connection which is > still recorded was terminated more than one hour ago. Other > connections from LAN A and LAN B have been made since, but they leave > no trace ? > > Niels > > > -----Original Message----- > From: Diego Sarasua [mailto:debian@sarasuasys.com.ar] > Sent: 10. februar 2003 17:37 > To: Niels Bach > Subject: Re: PPTP through iptables firewall > > > ok then U have to make pptp support kernel compilation in your > firewalls and it will work for your clients > loading the properly iptables modules > > please reply to : dsarasua@sarasuasys.com.ar > <mailto:dsarasua@sarasuasys.com.ar> > > <mailto:asadopower@hotmail.com> > > anything U need to serv U > bye > Diego > > ----- Original Message ----- > From: Niels Bach <mailto:NB@maconomy.dk> > To: 'Diego Sarasua' <mailto:debian@sarasuasys.com.ar> > Sent: Monday, February 10, 2003 1:17 PM > Subject: RE: PPTP through iptables firewall > > 3 LAN behind 3 different firewalls. > > On one LAN a PPTP server is placed and I want to access it from the > clients placed on the different LANs. > > Niels > > > -----Original Message----- > From: Diego Sarasua [mailto:debian@sarasuasys.com.ar] > Sent: 7. februar 2003 17:52 > To: Niels Bach > Subject: Re: PPTP through iptables firewall > > > Please givme some more info > Are U talking of this ? > > USER\ > USER --------> Firewall !! PPTP Server!! > USER/ > > Thanks > Diego > i have "patch-o-mated" my server with kernel 2.4.20 and it doesnt > work , try with lower version of kernel i have workig around 5 > servers one with 2.4.20 and 4 with 2.4..17 > thanks > bye > Diego > > ----- Original Message ----- > > From: Niels Bach <mailto:NB@maconomy.dk> > To: 'netfilter@lists.netfilter.org' > <mailto:'netfilter@lists.netfilter.org'> > > Sent: Friday, February 07, 2003 5:43 AM > Subject: PPTP through iptables firewall > > > > I have an MS PPTP server (win2k) behind a linux firewall (kernel > 2.4.20 / iptables 1.2.7a) this does not work very well. You can only > connect from one source at a time. Then there is a 10 minute (600 > seconds) timeout before the next connection from a different source > can be made. If you come from a LAN that is NAT'ed to one IP address > (the firewalls) then all these clients can connect simultaneously. So > it is either one client with a public ip address or several clients > sharing a public IP address. But once their is a connection (either > type) everybody else is blocked out. > > I have tried to patch the kernel (patch-o-matic-20030107) with the > pptp-conntrack-nat.patch. With this patch the firewall is able to > recognize the GRE protocol. This can be seen in /proc/net/ip_conntrack > where the connections involving GRE has changed from UNKNOWN to GRE. > But with this patch it is not possible to connect, now the windows > client only reach"verifying username and password" and then times out. > > > Without the patch it is possible to connect to the server one at a > time and wait 10 minutes before the next connection from a different > location > > With the patch it is not possible to connect at all. > > I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the > patched version and 1.2.6a with the unpatched version of the kernel. > > I have seen more people talking about this issue on the web, but no > one seems to have at solution. > > regards Niels > > > -- ..med vennlig hilsen = with Kind Regards from Arnt... ;-) ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case.
