Netgate Discussion Forum

    Cannot Connect PPTP VPN

      myjunkman

      I'm not sure if this helps, but I rolled back to the previous release and my PPTP client passthru is now fully operational.  Here's the last known working release that worked for me:

      Current version: 2.0-BETA4 - Built On: Wed Oct 20 06:03:46 EDT 2010

        acherman

        haha  Nope, I don't think that helps - my original version that was broken was pfSense-2.0-BETA4-20101018-1506.  I will try to move to your working version and see what happens…

          acherman

          Downgraded to the same build you mention, and my clients can connect now, but can't seem to pass any traffic.

          I finished messing around with OpenVPN, and while the setup of the server seems a little daunting, the client installs are super easy when you use the Client Export package.  Now I need to figure out how to add connections (servers) to the client without having to run the whole OpenVPN installer from the new server…

            mikesamo

            same here

            Sometimes I get bad hdr on the 1723 connection, sometimes not, but it never plugs.

            00:00:00.040958 rule 46/0(match): pass in on rl1: 1.2.3.4.53172 > 4.3.2.1.1723:  tcp 32 [bad hdr length 0 - too short, < 20]
            00:00:00.258970 rule 46/0(match): pass in on rl1: 1.2.3.4 > 4.3.2.1: GREv1, call 1139, seq 0, proto PPP (0x880b), length 37: [|ppp]<

              Ozzik

              Hi,
              I have the same bug, but in my case I managed to solve it.
              I have a setup at home, where only one machine (Win7) has to connect via PPTP VPN.
              So I did port forwarding, where anything that goes to PPTP port (TCP/1723) and GRE - goes to the Win7 machine. Firewall rules were added automatically upon the creation of those.

              Also, I had to enable the built-in Win7 firewall rules: allow GRE-In and allow PPTP-In.
              The VPN works.
              Before that I had a 1.2.2 version and everything worked fine. All these steps are new.

              Maybe this will lead you to the solution.

              P.S. I'm on the October 29th snapshot.

                CryoGenID

                Great workaround, thanks  :D :D :D

                I just had to add the two rules inside pfsense, didn't have to do anything on my Win7-Client…

                It works now  :)

                Hopefully the bug will be resolved soon, then I can remove the rules again...

                Thanks and best regards,

                Chris

                  safetynet

                  Hi,

                  Thanks for the info and the suggested workaround, not gonna work for me though as we have multiple PCs initiating PPTP connections to different PPTP servers throughout the day.

                  Before anyone says anything about the known bug with multiple connections to the same PPTP server not working, this IS NOT the same issue - we can't connect a single client to an external PPTP server, never mind multiple clients to the same one !!

                  Think I'll try rolling back to see if that does the trick.

                  Thanks

                  Jake

                    erialor

                    Updated (from amd64 Oct 28th build to Nov 2nd build) and also (still) experiencing problems connecting to remote PPTP-servers (pfSense PPTP-server disabled) - adding a NAT-rule to route incoming GRE to the IP I try to connect from works for a temp. solution…

                    Would prefer something more friendly though ;) especially as I occasionally switch which computer I want to connect from...

                      woeper

                      What is the status of this very annoying problem ?

                        sparc317

                        Yes, this is incredibly frustrating. Any update on a fix? Had a great, stable experience with previous builds, but being able to make an outbound PPTP connection is critical for us, so very tempted to roll back to 1.2.x until 2.x is ready for the time being.

                        currently using 2.0-BETA4 (i386) built on Mon Nov 1 01:27:31 EDT 2010

                        was tempted to update to latest but saw people are still having issues

                          sparc317

                          couldn't actually see this reported in redmine.

                          have reported now, http://redmine.pfsense.org/issues/989

                            Juve

                            Is there a known workaround (like a kernel parameter)?
                            Do you know where the bug comes from? pfSense code or kernel update issue?

                            Thanks

                              sparc317

                              Other people have reported success if they manually forward 1723/tcp and GRE through to an internal IP and then make a connection outbound from the machine with that address. It appears to be the traffic coming back in without an explicit NAT rule that is the issue, so you can't just plug say a laptop in, get an IP via DHCP and establish a PPTP VPN.

                              I was hoping to dig further but I'm in the middle of a big project at the moment, will try to add some beef to the PR at some point.

                                Juve

                                Ok so it seems to be a state tracking problem ?
                                When you watch the logs during a connection attempt (tcpdump -i pflog0 -ttt -n) you can see GRE responses from the outside server being blocked by pf.

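The symptom described in the post above (the TCP/1723 control connection passes, then the server's GRE replies are blocked) can be picked out of `tcpdump -i pflog0 -ttt -n` output automatically. This is an added example, not code from any poster or from pfSense; it assumes IPv4, the record layout shown earlier in the thread, and that the blocking rule has logging enabled. The sample lines and addresses are constructed.

```python
import re

# Header tcpdump prints for each pflog record, e.g.
# "... rule 46/0(match): pass in on rl1: 1.2.3.4 > 4.3.2.1: GREv1, ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+?)\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+): +(?P<rest>.*)"
)

def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (ip, port); a bare IPv4 address has no port."""
    if endpoint.count(".") == 4:
        ip, _, port = endpoint.rpartition(".")
        return ip, int(port)
    return endpoint, None

def parse_pflog_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rest = m["rest"]
    proto = "gre" if rest.startswith("GRE") else (
        "tcp" if rest.startswith(("tcp", "Flags")) else "other")
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"rule": m["rule"], "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def find_blocked_gre(lines):
    """Report inbound GRE blocked from hosts we already passed TCP/1723 to."""
    pptp_servers, findings = set(), []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["action"] == "pass" and rec["dport"] == 1723:
            pptp_servers.add(rec["dst"])
        elif (rec["proto"] == "gre" and rec["action"] == "block"
              and rec["dir"] == "in" and rec["src"] in pptp_servers):
            findings.append((rec["src"], rec["dst"], rec["iface"], rec["rule"]))
    return findings

# Constructed sample capture (documentation address ranges, made-up rule numbers).
SAMPLE = """\
00:00:00.000000 rule 60/0(match): pass in on rl0: 192.168.1.50.49712 > 203.0.113.10.1723:  tcp 0
00:00:00.001200 rule 61/0(match): pass out on rl1: 198.51.100.7.49712 > 203.0.113.10.1723:  tcp 0
00:00:00.210000 rule 1/0(match): block in on rl1: 203.0.113.10 > 198.51.100.7: GREv1, call 1139, seq 0, proto PPP (0x880b), length 37: [|ppp]
00:00:00.400000 rule 1/0(match): block in on rl1: 203.0.113.99 > 198.51.100.7: GREv1, call 7, seq 0, length 37
""".splitlines()

if __name__ == "__main__":
    for src, dst, iface, rule in find_blocked_gre(SAMPLE):
        print(f"GRE reply from PPTP server {src} to {dst} blocked on {iface} by rule {rule}")
```

GRE from a host with no preceding TCP/1723 connection (the last sample line) is not reported, since blocking unsolicited GRE is the expected behaviour.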
                                  Juve

                                  No news or even a clue about this issue?

                                    eri--

                                    Wait for a new image to get built, just committed the fix.
                                    https://rcs.pfsense.org/projects/pfsense-tools/repos/mainline/commits/1c33e5128463d84dcedb71c9480a126dd8a6466e

                                      Juve

                                      will try it asap.
                                      Thanks Ermal.

                                        toomeek

                                        Same issue here.
                                        Tried to use it with Win2k8 TMG.
                                        TMG's gateway is pfSense LAN IP (this is important! without this forwarding doesn't work)
                                        Seems it doesn't even try to connect, just refusing connection with CLOSED:SYN_SENT.
                                        Just ignoring firewall rules… or have I missed something in pfSense firewall?
                                        Check screenshots attached.

                                        EDIT: sorry for the missing information: tested on pfSense-2.0-BETA4-20101116-1840-i386.iso
                                        EDIT: Thanks for the fix for Ticket #989. Will try this as soon as a new snapshot is available.

                                        pfsense_pptp_redirect.png
                                        pfsense_PPTP_firewall.png
                                        pfsense_ppt_diagnostic.png
                                        pfSense_Windows_TMG_rule.png

                                          eri--

                                          You do not need the GRE allowance with the latest snapshots.
                                          Your problem is that you do not need to specify the gateway in firewall rules.

                                            erialor

                                            Confirming that outgoing PPTP VPN now works w/o incoming GRE-rule - thanks :D
