Pierre,

I have submitted an entry in bugzilla for this. Hopefully they can find a resolution soon. I have been fighting with this problem for nearly 6 months now under a variety of different builds with limited or no success. I don't think there are many people using the pptp conntrack modules in the capacity that I (or yourself probably) need to use them in.

Here is the bugtrack information:

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=302

Hope this helps both of us in the long run.

Gary

________________________________

From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Pierre Scholtes
Sent: Fri 2/25/2005 12:30 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: PPTP conntrack with RHEL 4 (2.6.9)

Hi Gary, hi list,

I have similar problems with a Fedora Core 3 (2.6.10) and in general 2.6.9 and 2.6.10 kernels. As soon as the ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_pptp and ip_nat_proto_gre modules are loaded on my firewall I am unable to establish VPN connections going through the firewall. I tried several different patch-o-matic versions and iptables 1.2.11 and iptables 1.3.0: always the same result. Seems the conntrack-pptp patch doesn't work very well (or, to be exact, not at all with kernels 2.6.9 and 2.6.10).

My question here: did anyone get the conntrack_pptp patch working with any other version of the 2.6 kernel?

Any help would be appreciated because I still hope to get this working without having to go back to the 2.4 kernel.

Thanks
Pierre

> Little more experimenting and some different/odd results...
>
> With all four modules loaded I successfully made an outbound connection from the firewall
> to a remote POPTOP server. At the same time I had a remote PPTPClient (on RH 9)
> establish an inbound PPTP connection to the same firewall. It also worked.
> I dropped that connection multiple times and re-established it.
> At one point in time I had two connections inbound to the firewall.
>
> Now, with the modules loaded no incoming PPTP connections can be made
> with either a Windows XP or 2003 server. If I unload the modules then
> I can make the same connection just fine.
>
> I have yet to test an outbound connection originating from behind
> the firewall (as I don't have any Linux/PPTPClient test boxes left).
>
> I have played with the MTU (1450, 1400, 1200) on the XP
> workstation but it doesn't seem to do much. Packet fragmentation
> shouldn't be a problem as it's on the same physical network.
>
> I was snooping around with ethereal and it seems that when the
> modules are loaded and I connect with XP (or 2003) they are
> not responding. When I turn the modules off they work fine and
> the packet gets answered by XP. The irony is that both packets
> prior to XP's answer (or failure to answer) are identical with
> the exception of packet sequence.
>
> It's boggling the mind that these things would be the same yet
> XP/2003 decides not to answer it because the modules are loaded.
>
> Gary Smith

Pierre Scholtes
IT Consultant
Alunys/AMSter - rue Bara 135 - 1070 Bruxelles
Tel: +32 2 5562811
Fax: +32 2 5562810