Hello, Seeing PPTP NAT support in the 2.6.14 kernel was a very pleasant surprise -- I've been waiting years for a successor to the no-longer-maintained http://www.impsec.org/linux/masquerade/ip_masq_vpn.html -- but after hours of tinkering I haven't had any luck in getting it to work. When ip_nat_pptp isn't loaded, everything works fine. When ip_nat_pptp is loaded (via "modprobe ip_nat_pptp"), about 9 out of every 10 PPTP connection attempts hang and eventually time out. I'm connecting from a Windows 2000 machine through a Linux 2.6.14 NAT/firewall box to a Poptop PPTP server on the Internet. When the connection attempt is made on the Windows 2000 machine, it stops at "Verifying user name and password", then times out after about 30 seconds. On the Linux 2.6.14 box, here's what tethereal shows during the failed connection attempt (eth1 is the Internet-connected interface): # tethereal -ni eth1 host pptp-server Capturing on eth1 0.000000 firewall -> pptp-server TCP 1942 > 1723 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 0.014912 pptp-server -> firewall TCP 1723 > 1942 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 0.015048 firewall -> pptp-server TCP 1942 > 1723 [ACK] Seq=1 Ack=1 Win=65535 Len=0 0.015092 firewall -> pptp-server PPTP Start-Control-Connection-Request 0.032906 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=1 Ack=157 Win=5840 Len=0 0.037927 pptp-server -> firewall PPTP Start-Control-Connection-Reply 0.038115 win2k -> pptp-server PPTP Outgoing-Call-Request 2.390464 firewall -> pptp-server PPTP Outgoing-Call-Request 2.415487 pptp-server -> firewall PPTP Outgoing-Call-Reply 2.417455 pptp-server -> firewall PPP LCP Configuration Request 2.418014 firewall -> pptp-server PPTP Set-Link-Info 2.421762 firewall -> pptp-server PPP LCP Configuration Request 2.442501 pptp-server -> firewall PPP LCP Configuration Reject 2.480567 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=189 Ack=349 Win=5840 Len=0 4.421785 firewall -> pptp-server PPP LCP Configuration Request 4.435233 pptp-server -> firewall PPP LCP Configuration Reject 5.422681 pptp-server -> firewall PPP LCP Configuration Request 7.421689 firewall -> pptp-server PPP LCP Configuration Request 7.437743 pptp-server -> firewall PPP LCP Configuration Reject 8.430211 pptp-server -> firewall PPP LCP Configuration Request 11.421580 firewall -> pptp-server PPP LCP Configuration Request 11.439706 pptp-server -> firewall PPP LCP Configuration Request 11.442159 pptp-server -> firewall PPP LCP Configuration Reject [...] The Request/Reject pattern continues until the client times out. A rare successful connection looks the same, except I see "Ack" in place of the first "Reject". I tried simplifying my iptables firewall to just the following, but it still didn't work: # Generated by iptables-save v1.3.0 on Tue Nov 1 21:40:02 2005 *nat :OUTPUT ACCEPT [24:1754] :POSTROUTING ACCEPT [0:0] :PREROUTING ACCEPT [442:117619] -A POSTROUTING -o eth1 -j MASQUERADE COMMIT # Completed on Tue Nov 1 21:40:02 2005 # Generated by iptables-save v1.3.0 on Tue Nov 1 21:40:02 2005 *filter :FORWARD ACCEPT [672:246713] :INPUT ACCEPT [1232:125804] :OUTPUT ACCEPT [1202:159323] -A INPUT -p icmp -j ACCEPT -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT -A INPUT -i eth1 -j DROP COMMIT # Completed on Tue Nov 1 21:40:02 2005 Any ideas? Is there some configuration step I missed? (I couldn't find any documentation.) Thanks, Jordan Russell
