Denis,

Matus found the issue with hairpinning. Merged fix in 
https://gerrit.fd.io/r/#/c/7200/
Please let me know if that also fixes this issue.

We'll do some better handling of fall-back to 3-tuple keys for normal NAPT 
mode, so we can support PPTP without configuring 1:1. Hold tight. 
https://jira.fd.io/browse/VPP-884

Best regards,
Ole


> On 20 Jun 2017, at 10:31, Denis Lotarev <dlota...@yahoo.com> wrote:
> 
> Ole, so sorry, we explored a network problem in our infrastructure due to 
> testing with parallel connections to PPTP server B and PPTP server C.
> So the 2nd scheme works well :) Sorry for my mismatch.
> But hairpinning is not working in the 3rd scheme. I dumped traffic from Machine A 
> when Machine B is trying to connect.
> Machine A 1.1.10.20 (private ip)
> Machine B 2.2.2.2 (public ip)
> 
> IP (tos 0x0, ttl 127, id 31202, offset 0, flags [DF], proto TCP (6), length 
> 52)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [S], cksum 0x1ef8 (correct), seq 
> 1560475197, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [S.], cksum 0x27ba (incorrect -> 
> 0x66f3), seq 3141773982, ack 1560475198, win 29200, options [mss 
> 1460,nop,nop,sackOK,nop,wscale 9], length 0
> IP (tos 0x0, ttl 127, id 31203, offset 0, flags [DF], proto TCP (6), length 
> 40)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [.], cksum 0x18d8 (correct), seq 1, 
> ack 1, win 256, length 0
> IP (tos 0x0, ttl 127, id 31204, offset 0, flags [DF], proto TCP (6), length 
> 196)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xbc65 (correct), seq 
> 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG 
> Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) 
> BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
> IP (tos 0x0, ttl 64, id 40126, offset 0, flags [DF], proto TCP (6), length 40)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> 
> 0x1900), seq 1, ack 157, win 60, length 0
> IP (tos 0x0, ttl 64, id 40127, offset 0, flags [DF], proto TCP (6), length 
> 196)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x284a (incorrect -> 
> 0x3092), seq 1:157, ack 157, win 60, length 156: pptp Length=156 CTRL-MSG 
> Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) 
> RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP() 
> BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
> IP (tos 0x0, ttl 127, id 31205, offset 0, flags [DF], proto TCP (6), length 
> 208)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0x621c (correct), seq 
> 157:325, ack 157, win 256, length 168: pptp Length=168 CTRL-MSG 
> Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(29999) CALL_SER_NUM(20) 
> MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) 
> PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
> IP (tos 0x0, ttl 64, id 40128, offset 0, flags [DF], proto TCP (6), length 72)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x27ce (incorrect -> 
> 0x568b), seq 157:189, ack 325, win 62, length 32: pptp Length=32 CTRL-MSG 
> Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(3328) PEER_CALL_ID(29999) 
> RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(100000000) 
> RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
> IP (tos 0x0, ttl 127, id 31206, offset 0, flags [DF], proto TCP (6), length 
> 64)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xb318 (correct), seq 
> 325:349, ack 189, win 255, length 24: pptp Length=24 CTRL-MSG 
> Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(3328) 
> SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
> IP (tos 0x0, ttl 64, id 61692, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 0, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 40129, offset 0, flags [DF], proto TCP (6), length 40)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> 
> 0x1782), seq 189, ack 349, win 62, length 0
> IP (tos 0x0, ttl 64, id 61817, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 1, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 61979, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 2, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 62256, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 3, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 62278, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 4, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 62571, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 5, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 6, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 63025, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 7, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 63100, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 8, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 63277, offset 0, flags [DF], proto GRE (47), length 
> 61)
>     1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 
> 29999, seq 9, length 41
>     LCP, Conf-Request (0x01), id 1, length 27
>     encoded length 25 (=Option(s) length 21)
>     0x0000:  c021 0101 0019
>       ACCM Option (0x02), length 6: 0x00000000
>         0x0000:  0000 0000
>       Auth-Prot Option (0x03), length 5: CHAP, MD5
>         0x0000:  c223 05
>       Magic-Num Option (0x05), length 6: 0x2afe416c
>         0x0000:  2afe 416c
>       PFC Option (0x07), length 2
>       ACFC Option (0x08), length 2
> IP (tos 0x0, ttl 64, id 40130, offset 0, flags [DF], proto TCP (6), length 40)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [F.], cksum 0x27ae (incorrect -> 
> 0x1781), seq 189, ack 349, win 62, length 0
> IP (tos 0x0, ttl 127, id 31216, offset 0, flags [DF], proto TCP (6), length 
> 40)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [.], cksum 0x16c0 (correct), seq 
> 349, ack 190, win 255, length 0
> IP (tos 0x0, ttl 127, id 31217, offset 0, flags [DF], proto TCP (6), length 
> 40)
>     2.2.2.2.44681 > 1.1.10.20.1723: Flags [F.], cksum 0x16bf (correct), seq 
> 349, ack 190, win 255, length 0
> IP (tos 0x0, ttl 64, id 14146, offset 0, flags [DF], proto TCP (6), length 40)
>     1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x1780 (correct), seq 
> 190, ack 350, win 62, length 0
> 
> 
> 
> 
> --
> Yours sincerely,
> Denis Lotarev
> 
> 
> 
> ________________________________
> On Tuesday, June 20, 2017, 12:13:13 PM GMT+5, Ole Troan 
> <otr...@employees.org> wrote:
> 
> 
> Hi Denis,
> 
> Thanks a lot for testing!
> 
> > 1st scheme:
> > Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> > Machine B (outside VPP with 1:1 iptables static mapping) running PPTP 
> > client. This scheme works well.
> 
> Splendid.
> 
> > 2nd scheme:
> > Machine A (inside VPP with 1:1 static mapping) running PPTP _client_.
> > Machine B (outside VPP with public ip) as hardware PPTP server. This scheme 
> > works well. But only one session is allowed. If we create a second 
> > connection from Machine A to Machine C (outside VPP with public ip) this 
> > will not work.
> > OFC this is not required.
> 
> Hmm... that seems like a bug. Let's see if we can reproduce. The NAT session 
> entry is indexed on the outside by SA, DA and IP protocol so this should have 
> worked.
> 
> > 3rd scheme:
> > Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> > Machine B (inside VPP with 1:1 static mapping) running PPTP _client_.
> > Machine B cannot connect to Machine A. This may cover the hairpin NAT issue.
> > OFC these machines can connect via local addressing and it will 
> > work.
> 
> Same here. This should work. Let's figure this one out too.
> 
> 
> > BTW, we have not yet tested the setup where we SNAT two pptp clients via the 
> > iptables mechanism (and those clients are SNAT-ed with one public address).
> 
> Best regards,
> Ole
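
As an added illustration (not VPP's code and not the fix in the Gerrit change above), a toy Python model of the two points Ole makes in this thread: the outside-side session key falls back to (SA, DA, IP protocol) for GRE, which carries no ports, and a hairpinned packet between two 1:1-mapped inside hosts has to be translated on both legs. Addresses 1.1.10.20 and 2.2.2.2 are Denis's; 1.1.1.20, 1.1.1.1 and the 10.0.0.x clients are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "gre"
    sport: int = 0   # GRE has no ports, so both stay 0
    dport: int = 0

def key(p):
    """Session key: 5-tuple for TCP/UDP, 3-tuple (SA, DA, proto) fallback for GRE."""
    if p.proto in ("tcp", "udp"):
        return (p.src, p.dst, p.proto, p.sport, p.dport)
    return (p.src, p.dst, p.proto)

class Nat:
    """Toy NAT: 1:1 statics for listed hosts, one shared NAPT address for the rest."""
    def __init__(self, napt_addr, static=None):
        self.napt = napt_addr
        self.static = dict(static or {})     # inside private -> outside public
        self.rev_static = {v: k for k, v in self.static.items()}
        self.sessions = {}                   # outside-side key -> (inside addr, inside port)
        self.ports = {}                      # (inside addr, proto, port) -> translated port
        self.next_port = 40000

    def in2out(self, p):
        if p.src in self.static:
            out = replace(p, src=self.static[p.src])
        elif p.proto == "gre":
            out = replace(p, src=self.napt)  # no port to rewrite, only the address
        else:
            pk = (p.src, p.proto, p.sport)
            if pk not in self.ports:
                self.next_port += 1
                self.ports[pk] = self.next_port
            out = replace(p, src=self.napt, sport=self.ports[pk])
        # Index the session the way the reply will arrive from outside.
        k = key(replace(out, src=out.dst, dst=out.src, sport=out.dport, dport=out.sport))
        if self.sessions.get(k, (p.src, p.sport)) != (p.src, p.sport):
            return None  # second NAPT client to the same server: the GRE 3-tuple is ambiguous
        self.sessions[k] = (p.src, p.sport)
        if out.dst in self.rev_static:       # hairpin: the peer is an inside host too
            return self.out2in(out)
        return out

    def out2in(self, p):
        inside = self.sessions.get(key(p))   # reply to a flow we created
        if inside is None and p.dst in self.rev_static:
            inside = (self.rev_static[p.dst], p.dport)  # unsolicited to a 1:1 host (PPTP server)
        return replace(p, dst=inside[0], dport=inside[1]) if inside else None
```

With 1:1 statics the hairpinned TCP/1723 and GRE legs both land on the peer's private address; with a single NAPT address, two inside clients talking GRE to the same server collapse onto one (SA, DA, proto) key, which is the limitation behind the untested iptables case at the end of the thread.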


_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
