Ole, so sorry, we found a network problem in our infrastructure during 
testing with parallel connections to PPTP server B and PPTP server C.
So the 2nd scheme works well :) Sorry for my mistake.
But hairpinning is not working in the 3rd scheme. I dumped traffic from 
Machine A while Machine B was trying to connect.
Machine A 1.1.10.20 (private ip)
Machine B 2.2.2.2 (public ip)
IP (tos 0x0, ttl 127, id 31202, offset 0, flags [DF], proto TCP (6), length 52)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [S], cksum 0x1ef8 (correct), seq 
1560475197, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [S.], cksum 0x27ba (incorrect -> 
0x66f3), seq 3141773982, ack 1560475198, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 9], length 0
IP (tos 0x0, ttl 127, id 31203, offset 0, flags [DF], proto TCP (6), length 40)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [.], cksum 0x18d8 (correct), seq 1, 
ack 1, win 256, length 0
IP (tos 0x0, ttl 127, id 31204, offset 0, flags [DF], proto TCP (6), length 196)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xbc65 (correct), seq 
1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG 
Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) 
BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
IP (tos 0x0, ttl 64, id 40126, offset 0, flags [DF], proto TCP (6), length 40)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> 
0x1900), seq 1, ack 157, win 60, length 0
IP (tos 0x0, ttl 64, id 40127, offset 0, flags [DF], proto TCP (6), length 196)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x284a (incorrect -> 
0x3092), seq 1:157, ack 157, win 60, length 156: pptp Length=156 CTRL-MSG 
Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) 
RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP() 
BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
IP (tos 0x0, ttl 127, id 31205, offset 0, flags [DF], proto TCP (6), length 208)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0x621c (correct), seq 
157:325, ack 157, win 256, length 168: pptp Length=168 CTRL-MSG 
Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(29999) CALL_SER_NUM(20) 
MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) 
PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
IP (tos 0x0, ttl 64, id 40128, offset 0, flags [DF], proto TCP (6), length 72)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x27ce (incorrect -> 
0x568b), seq 157:189, ack 325, win 62, length 32: pptp Length=32 CTRL-MSG 
Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(3328) PEER_CALL_ID(29999) 
RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(100000000) 
RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
IP (tos 0x0, ttl 127, id 31206, offset 0, flags [DF], proto TCP (6), length 64)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xb318 (correct), seq 
325:349, ack 189, win 255, length 24: pptp Length=24 CTRL-MSG 
Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(3328) SEND_ACCM(0xffffffff) 
RECV_ACCM(0xffffffff)
IP (tos 0x0, ttl 64, id 61692, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 0, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 40129, offset 0, flags [DF], proto TCP (6), length 40)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> 
0x1782), seq 189, ack 349, win 62, length 0
IP (tos 0x0, ttl 64, id 61817, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 1, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 61979, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 2, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 62256, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 3, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 62278, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 4, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 62571, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 5, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 6, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 63025, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 7, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 63100, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 8, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 63277, offset 0, flags [DF], proto GRE (47), length 61)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
29999, seq 9, length 41
    LCP, Conf-Request (0x01), id 1, length 27
    encoded length 25 (=Option(s) length 21)
    0x0000:  c021 0101 0019
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 5: CHAP, MD5
        0x0000:  c223 05
      Magic-Num Option (0x05), length 6: 0x2afe416c
        0x0000:  2afe 416c
      PFC Option (0x07), length 2
      ACFC Option (0x08), length 2
IP (tos 0x0, ttl 64, id 40130, offset 0, flags [DF], proto TCP (6), length 40)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [F.], cksum 0x27ae (incorrect -> 
0x1781), seq 189, ack 349, win 62, length 0
IP (tos 0x0, ttl 127, id 31216, offset 0, flags [DF], proto TCP (6), length 40)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [.], cksum 0x16c0 (correct), seq 349, 
ack 190, win 255, length 0
IP (tos 0x0, ttl 127, id 31217, offset 0, flags [DF], proto TCP (6), length 40)
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [F.], cksum 0x16bf (correct), seq 
349, ack 190, win 255, length 0
IP (tos 0x0, ttl 64, id 14146, offset 0, flags [DF], proto TCP (6), length 40)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x1780 (correct), seq 190, 
ack 350, win 62, length 0

--
Yours sincerely,
Denis Lotarev



________________________________
On Tuesday, June 20, 2017, 12:13:13 PM GMT+5, Ole Troan <otr...@employees.org> 
wrote:


Hi Denis,

Thanks a lot for testing!

> 1st scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> Machine B (outside VPP with 1:1 iptables static mapping) running PPTP client. 
> This scheme works well.

Splendid.

> 2nd scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _client_.
> Machine B (outside VPP with public ip) as hardware PPTP server. This scheme 
> works well. But only one session is allowed. If we create a second connection 
> from Machine A to Machine C (outside VPP with public ip), this will not work.
> OFC this is not required.

Hmm... that seems like a bug. Let's see if we can reproduce. The NAT session 
entry is indexed on the outside by SA, DA and IP protocol so this should have 
worked.

> 3rd scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> Machine B (inside VPP with 1:1 static mapping) running PPTP _client_.
> Machine B cannot connect to Machine A. This may cover a hairpin NAT issue.
> OFC these machines can connect via local addressing and it will work.

Same here. This should work. Let's figure this one out too.


> BTW, we have not yet tested the case where we SNAT two PPTP clients with the 
> iptables mechanism (and those clients are SNATed to one public address).

Best regards,
Ole
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
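
An added example, not part of the original messages: a Python helper that reads tcpdump text like the capture in this thread, records which host advertised each PPTP call ID in OCRQ/OCRP, and counts the GRE packets addressed to that host with that call ID, so a one-way GRE flow stands out. The names `analyze`, `silent_directions` and `SAMPLE` are assumptions of this example; the sample is abridged from the capture above with wrapped lines rejoined.

```python
import re
from collections import Counter

# Sample input: abridged from the capture in this thread, wrapped lines rejoined.
SAMPLE = """\
    2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], length 168: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(29999) CALL_SER_NUM(20)
    1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], length 32: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(3328) PEER_CALL_ID(29999)
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 29999, seq 0, length 41
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 29999, seq 1, length 41
    1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 29999, seq 2, length 41
"""

IP = r"(\d+(?:\.\d+){3})"
# PPTP control line: "src.port > dst.port: ... CTRL_MSGTYPE=OCRQ CALL_ID(n)"
CTRL = re.compile(IP + r"\.\d+ > " + IP + r"\.\d+:.*CTRL_MSGTYPE=(OCRQ|OCRP) CALL_ID\((\d+)\)")
# Enhanced GRE line: "src > dst: GREv1, ..., call n,"
GRE = re.compile(IP + r" > " + IP + r": GREv1,.*call (\d+),")

def analyze(text):
    """Return [(ip, call_id, gre_packets_received)] for every advertised call ID."""
    owner = {}        # call ID -> IP that advertised it in OCRQ/OCRP
    gre = Counter()   # (dst, call ID) -> number of GRE packets seen
    for line in text.splitlines():
        if m := CTRL.search(line):
            owner[int(m.group(4))] = m.group(1)
        elif m := GRE.search(line):
            gre[(m.group(2), int(m.group(3)))] += 1
    # A PPTP sender puts the *receiver's* call ID into the GRE key field,
    # so packets for `ip` are the ones addressed to it with its own call ID.
    return [(ip, call, gre[(ip, call)]) for call, ip in owner.items()]

def silent_directions(text):
    """Call IDs that were negotiated but never received any GRE payload."""
    return [(ip, call) for ip, call, seen in analyze(text) if seen == 0]

if __name__ == "__main__":
    for ip, call, seen in analyze(SAMPLE):
        print(f"GRE toward {ip} (call {call}): {seen} packet(s)")
    print("no GRE seen toward:", silent_directions(SAMPLE))
```

A zero count only says the packets were not seen at the capture point, which here is Machine A.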
