Re: PPTPD connection tracking
- From: "markvr" <markvanrossum@xxxxxxxxx>
- Date: 24 Nov 2006 01:24:41 -0800
Clifford Kite wrote:
> markvr <markvanrossum@xxxxxxxxx> wrote:
> > Hello,
> >
> > I am having problems with pptp VPNs from XP clients, through a NATting
> > Linux box with redhat compiled kernel 2.6.9 going to PoPToP linux
> > boxes.
> >
> > Both VPNs with and without MPPE crypto aren't working. These were
> > working fine with an old linux box with kernel 2.4.something so I am
> > confused as to why it has stopped working now we have upgraded the
> > firewall to a later release of RedHat.
> >
> > The firewall has TCP port 1723 and GRE being allowed through at both
> > ends.
> >
> > I've tried to re-compile the latest kernel 2.6.18 making sure to
> > include pptpd_connection tracking but it still doesn't seem to be
> > working.
> >
> > Also, there is a file in the source called
> > ./net/ipv4/netfilter/ip_conntrack_proto_gre.c but I can't find any
> > option to build a module for this in the menuconfig whereas there is
> > for other modules such as ip_conntrack_ftp. Does anyone know how I can
> > configure this to build? This is needed for the PPTP connections.
> >
> > I find it strange that it worked fine with the old RedHat EL3 but now
> > we upgraded to RH EL4 it isn't working.
> >
> > Does anyone have any ideas, I'm getting somewhat desperate!!!
>
> I'm not an expert but the kernel documentation is sometimes left
> in the dust or worse. In the "PPTP protocol support" entry under
> "IP: Netfilter Configuration" (2.6.18) the help says
>
>   CONFIG_IP_NF_PPTP:
>
>   This module adds support for PPTP (Point to Point Tunnelling
>   Protocol, RFC2637) connection tracking and NAT.
>
>   If you are running PPTP sessions over a stateful firewall or NAT
>   box, you may want to enable this feature.
>
>   Please note that not all PPTP modes of operation are supported yet.
>   For more info, read top of the file
>   net/ipv4/netfilter/ip_conntrack_pptp.c
>   If you want to compile it as a module, say M here and read
>   Documentation/modules.txt. If unsure, say `N'.
>
> but there is no net/ipv4/netfilter/ip_conntrack_pptp.c, although there
> is a net/ipv4/netfilter/ip_conntrack_helper_pptp.c that claims in its
> header to be ip_conntrack_pptp.c (Moreover there is no
> Documentation/modules.txt).
>
> Also in that header is
>
>  * PPTP is a a protocol for creating virtual private networks.
>  * It is a specification defined by Microsoft and some vendors
>  * working with Microsoft. PPTP is built on top of a modified
>  * version of the Internet Generic Routing Encapsulation Protocol.
>
> which suggests to me that the _modified_ GRE might be integral to PPTP
> in the kernel. If you believe headers...
>
> And to add even more fuzz, the header of ip_conntrack_proto_gre.c
> contains:
>
> /*
>  * ip_nat_proto_gre.c - Version 2.0
>  *
>  * Connection tracking protocol helper module for GRE.
>  *
>
> The remaining comments in this header don't serve to clarify anything -
> at least not for me. There was a split in netfilter-related code into
> two branches somewhere after 2.6.10 and perhaps the developers are still
> playing catch-up (for interested readers, the other branch is called
> "Core Netfilter Configuration," aka Xtables).
>
> Good Luck.
> --
> Clifford Kite

Thank you for the reply. As you say, it all seems to be a bit confusing.
Surely I can't be the only person with this problem?
I'm really confused as to why it worked on an old kernel, but not on
the new ones. I don't know much about kernels, but could I compile an
old 2.4 kernel and use that or is that likely to cause other problems?
The new OS is CentOS 4.2 (basically RedHat EL4).
Any suggestions from anyone??!!
cheers,
mark
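
Added example (not part of the original posts): a shell check that reads a kernel config file and a /proc/modules-style listing and reports whether the CONFIG_IP_NF_PPTP helper discussed above is disabled, built in, or built as a module that is or is not loaded. The module name ip_conntrack_pptp is an assumption taken from the source file name quoted in the thread, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: is the PPTP conntrack/NAT helper available on this NAT box?

# kconfig_state FILE OPTION -> prints y, m or n.
# "n" covers both '# OPTION is not set' and an option missing from FILE.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# module_loaded FILE NAME -> exit 0 if NAME is the first field of a line
# in a /proc/modules-style FILE (exact match, not a prefix match).
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# pptp_helper_status CONFIG MODULES -> disabled | builtin | loaded | not-loaded
pptp_helper_status() {
    case $(kconfig_state "$1" CONFIG_IP_NF_PPTP) in
        y) echo builtin ;;
        m) if module_loaded "$2" ip_conntrack_pptp   # assumed module name
           then echo loaded
           else echo not-loaded
           fi ;;
        *) echo disabled ;;
    esac
}

# Constructed sample input so the example runs offline.
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_IP_NF_CONNTRACK=m' 'CONFIG_IP_NF_FTP=m' \
    '# CONFIG_IP_NF_PPTP is not set' > "$tmp/config-off"
printf '%s\n' 'CONFIG_IP_NF_CONNTRACK=m' 'CONFIG_IP_NF_PPTP=m' \
    > "$tmp/config-mod"
printf '%s\n' 'ip_conntrack_ftp 76273 0 - Live 0xf8a0c000' \
    'ip_conntrack 45573 1 ip_conntrack_ftp, Live 0xf89ff000' > "$tmp/modules"

pptp_helper_status "$tmp/config-off" "$tmp/modules"
pptp_helper_status "$tmp/config-mod" "$tmp/modules"

# On a live system, assuming the distribution installs its config under /boot:
#   pptp_helper_status "/boot/config-$(uname -r)" /proc/modules
```

A "not-loaded" result means the helper was built as a module but is absent from the module listing, so GRE data sessions would be handled without it.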