PPTP Problem

cris978
Posts: 9
Joined: 19 Feb 2009, 23:07

Post by cris978 » 02 Sep 2010, 02:43

Hello,

I try to connect to SG51 from Win XP - Vista client (VPN PPTP).
Here is the error line I found searching the Clavister log:

2010-09-02 02:46:51 2010-09-02 02:47:59 Clavister 06000051 DropAll Notice RULE ruleset_drop_packet drop wan:82.xx.xx.xx:51619 192.168.0.1:1723 TCP

Note the 1723 port (VPN PPTP).
The PPP parameters are all activated.
VPN IPSEC works fine (from Win XP-Vista-7 to Clavister).

I have many Clavister installed with the same VPN PPTP configuration, and I never had problems.

I replaced the SG51 hardware (with your hardware replacement service) a few days ago without any change to my original configuration.

Thanks.

Cristian

danilovav
Posts: 181
Joined: 10 May 2009, 08:16
Location: Moscow, Russia

Re: PPTP Problem

Post by danilovav » 02 Sep 2010, 03:29

It seems strange that you have a drop from an external address to an internal one. Are you trying to connect from outside?
Do you have any rules (especially SAT) about pptp-suite?
Do you have "PPTP before rules" enabled?
BR, Alexandr Danilov


Re: PPTP Problem

Post by cris978 » 02 Sep 2010, 13:08

Yes I try to connect from my office. Here I have configured many VPN connections (PPTP and L2TP).
I followed your "how to" about VPN and I don't have pptp-suite rules.

PPTP Before Rules is enabled.

This is the same VPN configuration I use with many Clavister without any problem.


Re: PPTP Problem

Post by danilovav » 02 Sep 2010, 19:50

If you're trying to connect from inside, why is the source interface in your log wan?
Can you show the settings in screenshots?
If your f/w is the latest, try to debug with the pcapdump utility in the CLI.
BR, Alexandr Danilov


Re: PPTP Problem

Post by cris978 » 02 Sep 2010, 20:08

I'm trying to connect from outside (here in my office). The Clavister is located in the office of my client.

The Clavister is a SG-51 8.90.11 Core and FineTune.

Which screenshots might be useful?


Re: PPTP Problem

Post by danilovav » 03 Sep 2010, 18:32

cris978 wrote: I'm trying to connect from outside (here in my office). The Clavister is located in the office of my client.

Aha... It seems strange that the drop is to 192.168.0.1. Is it the SG's lan_ip?
Show params of PPTP server.
BR, Alexandr Danilov


Re: PPTP Problem

Post by cris978 » 08 Sep 2010, 11:01

192.168.0.1 is the SG's ip_wan

I have the same configuration in other Clavisters, which work without problems.
The PPTP VPN is set up as in the how-to found on this site.

PPTP_pool 192.168.1.120 - 192.168.1.150
ip_lan 192.168.1.1
ip_wan 192.168.0.1

There is a local user database

PPTP Server:
name - PPTP_tunnel
inner ip - ip_lan
tunnel protocol - PPTP
outer interface filter - any
outer server ip - ip_wan

pptp parameters as the how-to (IP POOL = pptp_pool)

proxy ARP as the how-to

there is user authentication rules (as the guide)

and there are two main rules (allow and nat)


PPP_PPTPBeforeRules is set


I only changed the hardware (with hardware replacement service), configuration and core are the same (before PPTP VPN worked)

Now, only the L2TP IPSEC VPN works....


Why? I can not understand why..


Re: PPTP Problem

Post by danilovav » 08 Sep 2010, 18:43

Do you still see ruleset_drop_packet messages about PPTP-CTL ?
BR, Alexandr Danilov


Re: PPTP Problem

Post by cris978 » 09 Sep 2010, 00:29

Yes the error is always the same (and the only one I could find):

DropAll Notice RULE ruleset_drop_packet drop wan:82.xx.xx.xx:51619 192.168.0.1:1723 TCP

I tried the L2TP IPSEC (as the how-to) and it works

The PPTP (as the how-to) works with many other Clavister

Peter
Posts: 690
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: PPTP Problem

Post by Peter » 14 Sep 2010, 10:37

Hello.

Some questions.

1. Are you using traffic shaping on this node?

2. Is it a continuous problem or does it start to happen after a while? I.e. after a reboot it works fine for a few days / attempts and then the problem starts.

3. When this problem occurs, does the listening connection for the PPTP server exist? You can check this by using the console command "conn -destport 1723 -verbose". It should look something like this:

TCP_NEW  TCP     core:0.0.0.0:0              core:192.168.1.40:1723      50
        ...term: core:0.0.0.0:0              core:192.168.1.40:1723      50
Best regards
/Peter
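
The check from question 3, as an added example that is not part of any post in this thread and is not Clavister code: it compares the destination of each ruleset_drop_packet entry on TCP 1723 with the listeners shown by "conn -destport 1723 -verbose". Both line formats are assumed from the two snippets quoted above, and the sample input is constructed by pairing them only to exercise the code.

```python
import re

# Constructed sample input: the drop line and the conn output quoted in this
# thread, paired only to exercise the code (they come from different boxes).
DROP_LOG = (
    "2010-09-02 02:46:51 2010-09-02 02:47:59 Clavister 06000051 DropAll Notice "
    "RULE ruleset_drop_packet drop wan:82.xx.xx.xx:51619 192.168.0.1:1723 TCP"
)
CONN_OUTPUT = """\
TCP_NEW  TCP     core:0.0.0.0:0              core:192.168.1.40:1723      50
        ...term: core:0.0.0.0:0              core:192.168.1.40:1723      50
"""

# Assumed layout: "... ruleset_drop_packet drop <if>:<src>:<sport> <dst>:<dport> <proto>"
DROP_RE = re.compile(
    r"ruleset_drop_packet\s+drop\s+(?P<iface>\w+):(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)
# Assumed layout of a listening entry: TCP_NEW with wildcard source core:0.0.0.0:0
LISTEN_RE = re.compile(
    r"^TCP_NEW\s+TCP\s+core:0\.0\.0\.0:0\s+core:(?P<ip>[\d.]+):(?P<port>\d+)\b"
)

def dropped_targets(log_text, port=1723):
    """Destinations (ip, port) of TCP packets to `port` dropped by the rule set."""
    return {
        (m["dst"], port)
        for m in DROP_RE.finditer(log_text)
        if m["proto"] == "TCP" and int(m["dport"]) == port
    }

def listeners(conn_text):
    """(ip, port) pairs that have a listening entry in the conn output."""
    found = set()
    for line in conn_text.splitlines():
        m = LISTEN_RE.match(line)  # the indented "...term:" line does not match
        if m:
            found.add((m["ip"], int(m["port"])))
    return found

def diagnose(log_text, conn_text, port=1723):
    """Map each dropped destination to True if a listener exists on that ip:port."""
    have = listeners(conn_text)
    return {target: target in have for target in dropped_targets(log_text, port)}

if __name__ == "__main__":
    for (ip, port), ok in diagnose(DROP_LOG, CONN_OUTPUT).items():
        print(f"{ip}:{port} listener {'present' if ok else 'MISSING'}")
```
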
