After tricking with the rules (modified the pass out / pass in of gre as "from any to any"), now I can see the reply gre packet going out of the win machine, going through the firewall and out of the wan to the remote machine.
Authentication fails anyway (it goes perfectly when not passing through ipfilter, both when directly public or when passing through a zywall, but... I want it to go through ipfilter!)
How can I see if the packets are correctly masqueraded?
Here are the two snoops:
-LAN interface-
remoteserverip -> winlanip TCP D=4472 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432
-WAN interface-
wanip -> remoteserverip TCP D=1723 S=19463 Syn Seq=3520565302 Len=0 Win=64240 Options=
remoteserverip -> wanip TCP D=19463 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=
wanip -> remoteserverip TCP D=1723 S=19463 Ack=1081340934 Seq=3520565303 Len=0 Win=64240
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081340934 Seq=3520565303 Len=156 Win=64240
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> wanip TCP D=19463 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341090 Seq=3520565459 Len=168 Win=64084
remoteserverip -> wanip TCP D=19463 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341122 Seq=3520565627 Len=24 Win=64052
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=20698, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=29457, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=9153, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=53
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=1984, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=671, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=14495, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=19126, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=53
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=5577, TOS=0x0, TTL=127
remoteserverip -> wanip TCP D=19463 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
wanip -> remoteserverip TCP D=1723 S=19463 Fin Ack=1081341123 Seq=3520565651 Len=0 Win=64052
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432
-= Mail sent through WebTop2 =-
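One way to answer the "are the packets correctly masqueraded?" question from the two snoop captures is to correlate them on the IP ID field, since snoop prints GRE (protocol 47) datagrams as bare "IP" lines with no decoded payload. The script below is an added example, not part of the thread: it parses the one-line snoop summary format seen above, counts outbound GRE packets on the WAN side that carry the public address (map rule applied), flags any that still carry the LAN address (a NAT leak), and lists inbound GRE IDs seen on the WAN that never appeared on the LAN addressed to the Windows host (rdr not applied). The address names (winlanip, wanip, remoteserverip) are the thread's placeholders, and the sample capture lines are constructed for the example, including one deliberately leaked and one deliberately unredirected packet.

```python
import re

# One-line snoop summary as it appears in the thread, e.g.
#   remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
# Only the IP-level fields are captured; TCP lines are ignored.
IP_LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) IP D=(?P<d>\S+) S=(?P<s>\S+) "
    r"LEN=(?P<len>\d+), ID=(?P<id>\d+), TOS=\S+, TTL=(?P<ttl>\d+)$"
)

# Placeholder host names used throughout the thread (assumption: same roles).
WIN_LAN_IP, WAN_IP, REMOTE_IP = "winlanip", "wanip", "remoteserverip"

# Constructed sample captures in the thread's format (not the thread's own data).
LAN_SNOOP = """\
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=52
"""
WAN_SNOOP = """\
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=53
winlanip -> remoteserverip IP D=remoteserverip S=winlanip LEN=57, ID=20698, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=53
"""


def parse_ip_lines(text):
    """Return a list of dicts for every non-TCP 'IP' summary line in a snoop dump."""
    pkts = []
    for line in text.splitlines():
        m = IP_LINE.match(line.strip())
        if m:
            pkts.append({k: (int(v) if k in ("len", "id", "ttl") else v)
                         for k, v in m.groupdict().items()})
    return pkts


def check_nat(lan_text, wan_text, win_lan_ip, wan_ip, remote_ip):
    """Correlate LAN and WAN captures and report how the GRE flow was translated."""
    lan = parse_ip_lines(lan_text)
    wan = parse_ip_lines(wan_text)
    report = {
        "wan_out_natted": 0,    # outbound GRE on WAN with S=wan_ip: map rule worked
        "wan_out_leaked": [],   # outbound GRE on WAN still carrying the LAN address
        "in_unredirected": [],  # inbound GRE IDs on WAN that never reached win_lan_ip
        "lan_out_seen": 0,      # GRE replies from the Windows host seen on the LAN side
    }
    # IP IDs of inbound GRE packets that the rdr rule delivered to the Windows host.
    lan_in_ids = {p["id"] for p in lan if p["d"] == win_lan_ip and p["s"] == remote_ip}
    report["lan_out_seen"] = sum(1 for p in lan if p["s"] == win_lan_ip)
    for p in wan:
        if p["d"] == remote_ip:
            if p["s"] == wan_ip:
                report["wan_out_natted"] += 1
            else:
                report["wan_out_leaked"].append(p["id"])
        elif p["s"] == remote_ip and p["id"] not in lan_in_ids:
            report["in_unredirected"].append(p["id"])
    return report


if __name__ == "__main__":
    for key, value in check_nat(LAN_SNOOP, WAN_SNOOP, WIN_LAN_IP, WAN_IP, REMOTE_IP).items():
        print(f"{key}: {value}")
```

Run against real captures, the LAN snoop needs to be taken without a direction filter so that the Windows host's own GRE replies (the LEN=57, TTL=127 packets on the WAN side in the thread) can be matched on both interfaces; a non-empty "wan_out_leaked" list means the map rule is not translating GRE, and a non-empty "in_unredirected" list means the rdr rule is not delivering it.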
From:
Gabriele Bulfon
To:
[email protected]
Date:
11 November 2010 12:17:55 CET
Subject:
Re: Confused by pptp and gre, what is the true way to do it?
Hello, I investigated the problem further.
Using 2 snoops, one on each ethernet card (public and private), I can see traffic on 1732 started by my internal win machine, then I can see the reply on that port coming to my wan, then to my lan, up to the win machine.
After that, I can just see packets coming from the remote machine (stated as IP, but probably gre), getting into the firewall and going into the lan up to the win machine.
No packet is going from the win machine to any destination.
Maybe the gre traffic is not correctly natted? Does ipfilter do masquerading on gre?
Gabriele.
From:
Gabriele Bulfon
To:
[email protected]
Date:
10 November 2010 17:02:22 CET
Subject:
Confused by pptp and gre, what is the true way to do it?
Hello, I've read around about how to make a windows pptp vpn work behind ipfilter, but I've seen a lot of confusion... (to me, at least).
My windows machine is in the LAN, passing through a solaris machine with ipfilter 4.1.9.
What are the general rules to let Windows pass the NAT and run the handshake?
Some talk about proxy / pptp rule mappings, some talk about just opening the ports...
I tried this but it doesn't work:
ipnat:
#NAT rules
map igb1 mylan/24 -> mypubip/32 proxy port ftp ftp/tcp
map igb1 mylan/24 -> mypubip/32 portmap tcp/udp 10000:40000
map igb1 mylan/24 -> mypubip/32
#redirect gre to my windows machine
rdr igb1 mypubip/32 -> winlanip gre
ipf:
#NAT windows machine
pass out quick on igb1 from mywinip/32 to any keep state
#Let gre enter the firewall
pass in quick on igb1 proto gre from any to mypubip/32
#Let gre pass the rdr
pass in quick on igb1 proto gre from any to winlanip/32