Hello, we have a problem with PPTP/GRE connection tracking.

scenario 1:

  PC               ->  Router 1          ->  internet  ->  Router 2
  (pptp client)        (pptp NAT)                          (poptop server (no NAT))
  (windows xp)
  172.30.255.1/16  ->  172.30.0.177/16  <->  10.20.10.177/16  ->  10.20.10.216/16

Problem: If the connection tracking on the poptop server router is loaded, the
connection fails -> (Operation not permitted, see log). If not, the connection
establishes (partially) fine. That behaviour only happens if the NAT router is
involved. Scenario 2 works fine.

Our Router:
our Router is a big-endian Motorola MPC 857, 2.4.18, iptables 1.2.8 and
patch-o-matic-20030615

----------

So the following scenario works if the conntrack table is empty (with or
without the conntrack module loaded) on the poptop server machine.

scenario 2:

  PC               ->  internet  ->  Router 2
  (pptp client)                      (poptop server (no NAT))
  (windows xp)

best regards
Robert & Markus

-------------- snip ... log of poptop server machine -------------------------

bash-2.05#
Jun 26 09:55:12 daemon.info pptpd[2181]: CTRL: Client 10.20.0.55 control connection started
Jun 26 09:55:12 daemon.info pptpd[2181]: CTRL: Starting call (launching pppd, opening GRE)
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8670: 10.20.0.55:0xc000 -> 10.20.10.216:0x0:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8d70: 10.20.10.216:0x0 -> 10.20.0.55:0xc000:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8df0: 10.20.10.216:0x0 -> 10.20.0.55:0xc000:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8cb0: 10.20.0.55:0xc000 -> 10.20.10.216:0x0:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:gre_new: : 10.20.0.55:0x0 -> 10.20.10.216:0x0:1:0x880b
Jun 26 09:55:12 daemon.notice ppp-poptop[2182]: pppd 2.4.2b1 started by root, uid 0
Jun 26 09:55:12 daemon.info ppp-poptop[2182]: Using interface ppp0
Jun 26 09:55:12 daemon.notice ppp-poptop[2182]: Connect: ppp0 <--> /dev/ttyp0
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:gre_new: : 10.20.10.216:0x0 -> 10.20.0.55:0xc000:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: min = 0, range_size = 1
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: c1eb5730: no NAT mapping
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: c1eb5730: NATing GRE PPTP
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: min = 1, range_size = 65535
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_manip_pkt: call_id -> 0x0000
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: min = 0, range_size = 1
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: c1eb5730: no NAT mapping
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:gre_destroy: entering
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8df0 from list
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8cb0 from list
Jun 26 09:55:12 daemon.err pptpd[2181]: GRE: xmit failed from decaps_hdlc: Operation not permitted
Jun 26 09:55:12 daemon.err pptpd[2181]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Jun 26 09:55:12 daemon.info pptpd[2181]: CTRL: Client 10.20.0.55 control connection finished
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:gre_destroy: entering
Jun 26 09:55:12 daemon.err pptpd[2181]: CTRL: Couldn't write packet to client.
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8670 from list
Jun 26 09:55:12 daemon.notice ppp-poptop[2182]: Modem hangup
Jun 26 09:55:12 daemon.err pptpd[2181]: CTRL: Couldn't write packet to client.
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8d70 from list
Jun 26 09:55:12 daemon.notice ppp-poptop[2182]: Connection terminated.
Jun 26 09:55:12 daemon.info ppp-poptop[2182]: Exit.

---------- end log --------------

bash-2.05# lsmod
Module                  Size  Used by
ipt_string              2736  28 (autoclean)
ipt_MARK                1312  31 (autoclean)
ipt_LOG                 4032   1 (autoclean)
ipt_MASQUERADE          2768   1 (autoclean)
ipt_psd                43520   2 (autoclean)
ipt_state               1248  10 (autoclean)
ipt_IPV4OPTSSTRIP       1504   1 (autoclean)
ipt_limit               1616   4 (autoclean)
ipt_mark                1040   3 (autoclean)
iptable_mangle          2880   1 (autoclean)
iptable_filter          2368   1 (autoclean)
ip_conntrack_egg        3680   0 (unused)
ip_nat_snmp_basic      10256   0 (unused)
ip_nat_proto_gre        2752   0 (unused)
ip_nat_amanda           2576   0 (unused)
ip_conntrack_amanda     2624   1 [ip_nat_amanda]
ip_nat_mms              4288   0 (unused)
ip_conntrack_mms        4352   1 [ip_nat_mms]
ip_conntrack_quake3     2896   1 (autoclean)
ip_nat_quake3           2928   0 (unused)
ip_nat_irc              3824   0 (unused)
ip_conntrack_irc        4336   1 [ip_nat_irc]
ip_nat_pptp             2992   0 (unused)
ip_conntrack_pptp       3360   1 [ip_nat_pptp]
ip_conntrack_proto_gre  5904   0 [ip_nat_pptp ip_conntrack_pptp]
ip_nat_h323             3888   0 (unused)
ip_conntrack_h323       3616   1 [ip_nat_h323]
ip_nat_ftp              4912   0 (unused)
iptable_nat            29792  11 [ipt_MASQUERADE ip_nat_snmp_basic ip_nat_proto_gre ip_nat_amanda ip_nat_mms ip_nat_quake3 ip_nat_irc ip_nat_pptp ip_nat_h323 ip_nat_ftp]
ip_tables              18416  14 [ipt_string ipt_MARK ipt_LOG ipt_MASQUERADE ipt_psd ipt_state ipt_IPV4OPTSSTRIP ipt_limit ipt_mark iptable_mangle iptable_filter iptable_nat]
ip_conntrack_ftp        5472   1 [ip_nat_ftp]
ip_conntrack           37248  11 [ipt_MASQUERADE ipt_state ip_conntrack_egg ip_nat_amanda ip_conntrack_amanda ip_nat_mms ip_conntrack_mms ip_conntrack_quake3 ip_nat_quake3 ip_nat_irc ip_conntrack_irc ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_h323 ip_conntrack_h323 ip_nat_ftp iptable_nat ip_conntrack_ftp]

------------------------------

bash-2.05# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 107 packets, 15967 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 119 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   722 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 841 bytes)
 pkts bytes target     prot opt in     out     source               destination

--------------------------------

bash-2.05# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 117 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

------------------
Epygi Labs DE        | Herrenstraße 23
Robert Allmeroth     | 76133 Karlsruhe
Tel: +49 721 20596 43 | Fax: +49 721 20596 59
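The klogd lines in the report above print each GRE keymap entry as `src:key -> dst:key:version:proto` (key being the PPTP call ID, version 1, proto 0x880b), followed later by `removing <entry> from list`. The script below is an added example, not code from the poster or from the netfilter project: it parses those lines, tracks which keymap entries are live, flags a second entry added for a tuple that already has one, records the call ID rewrites logged by `gre_manip_pkt`, and notes how many entries were still live when pptpd reported `GRE: xmit failed`. The regular expressions assume exactly the message wording shown in this mail; the sample log is a subset of the quoted lines.

```python
import re
from collections import defaultdict

# Subset of the klogd / pptpd lines quoted in the report above, kept verbatim.
SAMPLE_LOG = """\
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8670: 10.20.0.55:0xc000 -> 10.20.10.216:0x0:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8d70: 10.20.10.216:0x0 -> 10.20.0.55:0xc000:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8df0: 10.20.10.216:0x0 -> 10.20.0.55:0xc000:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_add: adding new entry c11d8cb0: 10.20.0.55:0xc000 -> 10.20.10.216:0x0:1:0x880b
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_unique_tuple: c1eb5730: NATing GRE PPTP
Jun 26 09:55:12 daemon.debug klogd: ip_nat_proto_gre.c:gre_manip_pkt: call_id -> 0x0000
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8df0 from list
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8cb0 from list
Jun 26 09:55:12 daemon.err pptpd[2181]: GRE: xmit failed from decaps_hdlc: Operation not permitted
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8670 from list
Jun 26 09:55:12 daemon.debug klogd: ip_conntrack_proto_gre.c:ip_ct_gre_keymap_destroy: removing c11d8d70 from list
"""

# Message formats as they appear in the quoted log (assumption: other
# patch-o-matic revisions may word these debug lines differently).
ADD_RE = re.compile(
    r"ip_ct_gre_keymap_add: adding new entry (?P<id>[0-9a-f]+): "
    r"(?P<src>[\d.]+):(?P<skey>0x[0-9a-f]+) -> "
    r"(?P<dst>[\d.]+):(?P<dkey>0x[0-9a-f]+):(?P<ver>\d+):(?P<proto>0x[0-9a-f]+)"
)
DEL_RE = re.compile(r"ip_ct_gre_keymap_destroy: removing (?P<id>[0-9a-f]+) from list")
NAT_RE = re.compile(r"gre_manip_pkt: call_id -> (?P<cid>0x[0-9a-f]+)")
XMIT_RE = re.compile(r"pptpd\[\d+\]: GRE: xmit failed")


def analyze(log: str) -> dict:
    """Walk the log once and summarise the GRE keymap lifecycle."""
    live = {}                       # entry id -> tuple string, still in list
    refs = defaultdict(int)         # tuple string -> number of live entries
    duplicates = []                 # (entry id, tuple) added while one already lived
    nat_call_ids = []               # call IDs written by the GRE NAT helper
    live_at_xmit_failure = None     # live entries when pptpd's GRE send failed
    adds = dels = 0

    for line in log.splitlines():
        m = ADD_RE.search(line)
        if m:
            t = "{src}:{skey} -> {dst}:{dkey}:{ver}:{proto}".format(**m.groupdict())
            if refs[t] > 0:
                duplicates.append((m["id"], t))
            live[m["id"]] = t
            refs[t] += 1
            adds += 1
            continue
        m = DEL_RE.search(line)
        if m:
            t = live.pop(m["id"], None)
            if t is not None:
                refs[t] -= 1
            dels += 1
            continue
        m = NAT_RE.search(line)
        if m:
            nat_call_ids.append(int(m["cid"], 16))
            continue
        if XMIT_RE.search(line):
            live_at_xmit_failure = len(live)

    return {
        "adds": adds,
        "dels": dels,
        "duplicates": duplicates,
        "nat_call_ids": nat_call_ids,
        "live_at_xmit_failure": live_at_xmit_failure,
        "leaked": sorted(live),      # entries never removed by the end of the log
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the quoted log this reports four entries added and four removed, two of them duplicates of a tuple that was already in the keymap list, one NAT rewrite of the call ID to 0x0000, and two entries still live at the moment pptpd's GRE write failed. The script only summarises what the log shows; it does not decide which of those observations is the cause of the failure.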