    PPTP VPN return traffic problem in 2.1?

    • polardog

      I've seen at least two repeatable cases where a PPTP VPN client
      can successfully authenticate, but no traffic comes back from
      the remote LAN (despite putting a PPTP interface pass rule in).

      It's clear from using tcpdump that the remote hosts are asking
      for the MAC address for my VPN client IP and never getting a response.

      Is this a known bug?

      Cheers

      • Guest

        Hi,

        Did you try with current HEAD?
        I tried to reproduce but had no problems, at least when trying to reach the client from pfSense.
        Will set up a second VM to test…

        • polardog

          Yes, these are quite recent installations (from the last week or so). Thanks for doing the test, but those look like L2TP configs and
          I'm having trouble with PPTP.

          Having said that, we're not tied to PPTP. I did get a "Cisco" IPSEC configuration working based on an older
          forum post, but I dislike the way that routes all traffic via the VPN on OS X.

          L2TP over IPSEC might be an option, but I have to say I find the IPSEC configuration (to interoperate with OS X)
          a bit daunting.

          • Guest

            Hehe, you're totally right - I mistook that one ;(
            Yes, using L2TP would be some kind of overkill solution just for the task of transporting L3 protocols, but it should work too. Which old post do you mean? I might be interested too :)

            EDIT: mmh - using PPTP might have some implications..
            Did you try to define a host route to the other host or set a default gateway?
            For example, Win7 sets multiple default routes and traffic might get routed out of a wrong interface if it has no more specific route.

            • jimp Rebel Alliance Developer Netgate

              Is your PPTP subnet in the same subnet as the LAN?

              Does it work if you use a different subnet?

              Usually if the local hosts are trying to find the MAC via ARP, they believe they are in the same subnet. IF they really are, then perhaps the proxy ARP daemon isn't launching for those IPs like it should.

              But in that case, using a separate subnet should be fine.

              • polardog

                Yes, the PPTP clients/network is the same as the LAN subnet.

                I've not tried a different subnet for the PPTP VPN as it simplifies the management slightly if
                the PPTP clients have the same subnet as the office LAN.

                I'll check to see what happens with a different subnet.

                • polardog

                  @jimp:

                  IF they really are, then perhaps the proxy ARP daemon isn't launching for those IPs like it should.

                  Shouldn't the PPTP server manage this just by associating the IP of the remote client with the
                  relevant internal interface using the 'arp' binary and the '-s/S' with the 'publish' option?

                  i.e something like (on pptp successful authentication and same subnet)

                  arp -S <pptp_client_ip_in_lan_subnet> ether_addr_of_LAN_subnet pub

                  That net result does seem to happen in some cases.

                  • jimp Rebel Alliance Developer Netgate

                    I glanced at the code yesterday (short on time) and this is handled by passing an option to mpd so it can do proxy arp itself. Not sure how it does that internally. Something like:

                    set iface enable proxy-arp
                    

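The same-subnet and proxy ARP checks discussed in the posts above, as an added example that is not part of any post and is not pfSense or mpd code: given the LAN subnet and the output of `arp -an`, it reports whether each VPN client address needs a published ARP entry and whether one exists. The `arp -an` line format is assumed to be FreeBSD's; the addresses, MACs, interface name `em1` and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumed line format of FreeBSD `arp -an`, for example:
#   ? (192.168.1.210) at 02:00:00:aa:bb:01 on em1 permanent published [ethernet]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>\S+) on (?P<ifname>\S+)(?P<flags>.*)$"
)

# Constructed sample: LAN 192.168.1.0/24 on em1, firewall LAN MAC 02:00:00:aa:bb:01.
SAMPLE_ARP = """\
? (192.168.1.1) at 02:00:00:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.20) at 02:00:00:cc:dd:20 on em1 expires in 1130 seconds [ethernet]
? (192.168.1.210) at 02:00:00:aa:bb:01 on em1 permanent published [ethernet]
"""


def published_entries(arp_output):
    """Map IP -> (mac, ifname) for entries flagged 'published' (proxy ARP)."""
    entries = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and "published" in m.group("flags").split():
            ip = ipaddress.ip_address(m.group("ip"))
            entries[ip] = (m.group("mac"), m.group("ifname"))
    return entries


def diagnose(lan_cidr, lan_if, client_ips, arp_output):
    """Classify each VPN client address against the LAN subnet and ARP table."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    published = published_entries(arp_output)
    result = {}
    for raw in client_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in lan:
            # Separate subnet: LAN hosts reach the client via a route, not ARP.
            result[raw] = "routed"
        elif ip in published and published[ip][1] == lan_if:
            # The firewall answers ARP for the client on the LAN interface.
            result[raw] = "proxy-arp-ok"
        else:
            # Same subnet but nothing answers ARP: the symptom in this thread.
            result[raw] = "proxy-arp-missing"
    return result


if __name__ == "__main__":
    clients = ["192.168.1.210", "192.168.1.211", "10.99.0.5"]
    for ip, state in diagnose("192.168.1.0/24", "em1", clients, SAMPLE_ARP).items():
        print(ip, state)
```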
                    • AhnHEL

                      Any update on this? Seeing this problem as well, authenticate fine, and firewall logs just show DNS being passed but I'm not resolving any websites at all. Same setup was working fine on 2.0.1

                      AhnHEL (Angel)

                      • AhnHEL

                        Adding some logs to help diagnose issue

                        aaa.aaa.aaa.aaa is the LAN IP for pfSense
                        xxx.xxx.xxx.xxx is my WAN IP
                        yyy.yyy.yyy.yyy is my iphone's provider IP
                        zzz.zzz.zzz.zzz is the internal LAN IP for the PPTP client

                        Aug 15 00:32:48 	pptps: [pt0] LCP: state change Closing --> Initial
                        Aug 15 00:32:48 	pptps: [pt0] LCP: LayerFinish
                        Aug 15 00:32:48 	pptps: [pt0] LCP: Down event
                        Aug 15 00:32:48 	pptps: [pt0] link: DOWN event
                        Aug 15 00:32:48 	pptps: [pt0] PPTP call terminated
                        Aug 15 00:32:48 	pptps: pptp0-0: killing channel
                        Aug 15 00:32:48 	pptps: pptp0: killing connection with yyy.yyy.yyy.yyy 54108
                        Aug 15 00:32:48 	pptps: pptp0: ctrl connection closed by peer
                        Aug 15 00:32:48 	pptps: [pt0] LCP: state change Stopping --> Closing
                        Aug 15 00:32:48 	pptps: [pt0] LCP: Close event
                        Aug 15 00:32:48 	pptps: [pt0] link: CLOSE event
                        Aug 15 00:32:48 	pptps: [pt0] LCP: SendTerminateAck #5
                        Aug 15 00:32:48 	pptps: [pt0] LCP: rec'd Terminate Request #3 (Stopping)
                        Aug 15 00:32:48 	pptps: [pt0] LCP: LayerDown
                        Aug 15 00:32:48 	pptps: [pt0] LCP: SendTerminateAck #4
                        Aug 15 00:32:48 	pptps: [pt0] AUTH: Cleanup
                        Aug 15 00:32:48 	pptps: [pt0] CCP: state change Closing --> Initial
                        Aug 15 00:32:48 	pptps: [pt0] CCP: LayerFinish
                        Aug 15 00:32:48 	pptps: [pt0] CCP: Down event
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: state change Closing --> Initial
                        Aug 15 00:32:48 	pptps: [pt0] closing link "pt0"...
                        Aug 15 00:32:48 	pptps: [pt0] No NCPs left. Closing links...
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: LayerFinish
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: Down event
                        Aug 15 00:32:48 	pptps: [pt0] CCP: LayerDown
                        Aug 15 00:32:48 	pptps: [pt0] error writing len 8 frame to bypass: Network is down
                        Aug 15 00:32:48 	pptps: [pt0] CCP: SendTerminateReq #2
                        Aug 15 00:32:48 	pptps: [pt0] CCP: state change Opened --> Closing
                        Aug 15 00:32:48 	pptps: [pt0] CCP: Close event
                        Aug 15 00:32:48 	pptps: [pt0] IFACE: Down event
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: LayerDown
                        Aug 15 00:32:48 	pptps: [pt0] error writing len 8 frame to bypass: Network is down
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: SendTerminateReq #4
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: state change Opened --> Closing
                        Aug 15 00:32:48 	pptps: [pt0] IPCP: Close event
                        Aug 15 00:32:48 	pptps: [pt0] Bundle up: 0 links, total bandwidth 9600 bps
                        Aug 15 00:32:48 	pptps: [pt0] AUTH: Accounting data for user blablabla: 227 seconds, 2936 octets in, 4160 octets out
                        Aug 15 00:32:48 	pptps: [pt0] LCP: state change Opened --> Stopping
                        Aug 15 00:32:48 	pptps: [pt0] LCP: rec'd Terminate Request #2 (Opened)
                        Aug 15 00:29:07 	pptps: [pt0] IFACE: Up event
                        Aug 15 00:29:07 	pptps: xxx.xxx.xxx.xxx -> zzz.zzz.zzz.zzz
                        Aug 15 00:29:07 	pptps: [pt0] IPCP: LayerUp
                        Aug 15 00:29:07 	pptps: [pt0] IPCP: state change Ack-Sent --> Opened
                        Aug 15 00:29:07 	pptps: IPADDR xxx.xxx.xxx.xxx
                        Aug 15 00:29:07 	pptps: [pt0] IPCP: rec'd Configure Ack #3 (Ack-Sent)
                        Aug 15 00:29:06 	pptps: IPADDR xxx.xxx.xxx.xxx
                        Aug 15 00:29:06 	pptps: [pt0] IPCP: SendConfigReq #3
                        Aug 15 00:29:06 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                        Aug 15 00:29:06 	pptps: [pt0] IPCP: rec'd Configure Reject #2 (Ack-Sent)
                        Aug 15 00:29:06 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                        Aug 15 00:29:06 	pptps: IPADDR xxx.xxx.xxx.xxx
                        Aug 15 00:29:06 	pptps: [pt0] IPCP: SendConfigReq #2
                        Aug 15 00:29:05 	pptps: [pt0] IPCP: state change Req-Sent --> Ack-Sent
                        Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
                        Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
                        Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
                        Aug 15 00:29:05 	pptps: [pt0] IPCP: SendConfigAck #2
                        Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
                        Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
                        Aug 15 00:29:05 	pptps: zzz.zzz.zzz.zzz is OK
                        Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
                        Aug 15 00:29:05 	pptps: [pt0] IPCP: rec'd Configure Request #2 (Req-Sent)
                        Aug 15 00:29:05 	pptps: [pt0] rec'd unexpected protocol IPV6CP, rejecting
                        Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
                        Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
                        Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
                        Aug 15 00:29:05 	pptps: [pt0] IPCP: SendConfigNak #1
                        Aug 15 00:29:05 	pptps: NAKing with 8.8.8.8
                        Aug 15 00:29:05 	pptps: SECDNS 0.0.0.0
                        Aug 15 00:29:05 	pptps: NAKing with aaa.aaa.aaa.aaa
                        Aug 15 00:29:05 	pptps: PRIDNS 0.0.0.0
                        Aug 15 00:29:05 	pptps: NAKing with zzz.zzz.zzz.zzz
                        Aug 15 00:29:05 	pptps: IPADDR 0.0.0.0
                        Aug 15 00:29:05 	pptps: [pt0] IPCP: rec'd Configure Request #1 (Req-Sent)
                        Aug 15 00:29:05 	pptps: Decompress using: mppc (MPPE(128 bits), stateless)
                        Aug 15 00:29:05 	pptps: Compress using: mppc (MPPE(128 bits), stateless)
                        Aug 15 00:29:05 	pptps: [pt0] CCP: LayerUp
                        Aug 15 00:29:05 	pptps: [pt0] CCP: state change Ack-Rcvd --> Opened
                        Aug 15 00:29:05 	pptps: 0x01000040:MPPE(128 bits), stateless
                        Aug 15 00:29:05 	pptps: MPPC
                        Aug 15 00:29:05 	pptps: [pt0] CCP: SendConfigAck #2
                        Aug 15 00:29:05 	pptps: 0x01000040:MPPE(128 bits), stateless
                        Aug 15 00:29:05 	pptps: MPPC
                        Aug 15 00:29:05 	pptps: [pt0] CCP: rec'd Configure Request #2 (Ack-Rcvd)
                        Aug 15 00:29:04 	pptps: [pt0] CCP: state change Req-Sent --> Ack-Rcvd
                        Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
                        Aug 15 00:29:04 	pptps: MPPC
                        Aug 15 00:29:04 	pptps: [pt0] CCP: rec'd Configure Ack #1 (Req-Sent)
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: rec'd Terminate Ack #1 (Req-Sent)
                        Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
                        Aug 15 00:29:04 	pptps: MPPC
                        Aug 15 00:29:04 	pptps: [pt0] CCP: SendConfigNak #1
                        Aug 15 00:29:04 	pptps: 0x01000060:MPPE(40, 128 bits), stateless
                        Aug 15 00:29:04 	pptps: MPPC
                        Aug 15 00:29:04 	pptps: [pt0] CCP: rec'd Configure Request #1 (Req-Sent)
                        Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
                        Aug 15 00:29:04 	pptps: MPPC
                        Aug 15 00:29:04 	pptps: [pt0] CCP: SendConfigReq #1
                        Aug 15 00:29:04 	pptps: [pt0] CCP: state change Starting --> Req-Sent
                        Aug 15 00:29:04 	pptps: [pt0] CCP: Up event
                        Aug 15 00:29:04 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                        Aug 15 00:29:04 	pptps: IPADDR xxx.xxx.xxx.xxx
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: SendConfigReq #1
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: state change Starting --> Req-Sent
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: Up event
                        Aug 15 00:29:04 	pptps: [pt0] CCP: LayerStart
                        Aug 15 00:29:04 	pptps: [pt0] CCP: state change Initial --> Starting
                        Aug 15 00:29:04 	pptps: [pt0] CCP: Open event
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: LayerStart
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: state change Initial --> Starting
                        Aug 15 00:29:04 	pptps: [pt0] IPCP: Open event
                        Aug 15 00:29:04 	pptps: [pt0] Bundle up: 1 link, total bandwidth 64000 bps
                        Aug 15 00:29:04 	pptps: [pt0] LCP: authorization successful
                        Aug 15 00:29:04 	pptps: [pt0] CHAP: sending SUCCESS len:42
                        Aug 15 00:29:04 	pptps: Reply message: S=6755F6CB45EC2F39B77C5202F5D7A7C69A9EC717
                        Aug 15 00:29:04 	pptps: Response is valid
                        Aug 15 00:29:04 	pptps: [pt0] CHAP: ChapInputFinish: status undefined
                        Aug 15 00:29:04 	pptps: [pt0] AUTH: Auth-Thread finished normally
                        Aug 15 00:29:04 	pptps: [pt0] AUTH: INTERNAL returned undefined
                        Aug 15 00:29:04 	pptps: [pt0] AUTH: Trying INTERNAL
                        Aug 15 00:29:04 	pptps: [pt0] AUTH: Auth-Thread started
                        Aug 15 00:29:04 	pptps: Name: "blablabla"
                        Aug 15 00:29:04 	pptps: [pt0] CHAP: rec'd RESPONSE #1
                        Aug 15 00:29:04 	pptps: [pt0] LCP: LayerUp
                        Aug 15 00:29:04 	pptps: [pt0] CHAP: sending CHALLENGE len:17
                        Aug 15 00:29:04 	pptps: [pt0] LCP: auth: peer wants nothing, I want CHAP
                        Aug 15 00:29:04 	pptps: [pt0] LCP: state change Ack-Sent --> Opened
                        Aug 15 00:29:04 	pptps: AUTHPROTO CHAP MSOFTv2
                        Aug 15 00:29:04 	pptps: MAGICNUM b2dd1f0a
                        Aug 15 00:29:04 	pptps: MRU 1500
                        Aug 15 00:29:04 	pptps: PROTOCOMP
                        Aug 15 00:29:04 	pptps: ACFCOMP
                        Aug 15 00:29:04 	pptps: [pt0] LCP: rec'd Configure Ack #3 (Ack-Sent)
                        Aug 15 00:29:03 	pptps: AUTHPROTO CHAP MSOFTv2
                        Aug 15 00:29:03 	pptps: MAGICNUM b2dd1f0a
                        Aug 15 00:29:03 	pptps: MRU 1500
                        Aug 15 00:29:03 	pptps: PROTOCOMP
                        Aug 15 00:29:03 	pptps: ACFCOMP
                        Aug 15 00:29:03 	pptps: [pt0] LCP: SendConfigReq #3
                        Aug 15 00:29:03 	pptps: MP SHORTSEQ
                        Aug 15 00:29:03 	pptps: MP MRRU 1600
                        Aug 15 00:29:03 	pptps: [pt0] LCP: rec'd Configure Reject #2 (Ack-Sent)
                        Aug 15 00:29:03 	pptps: ENDPOINTDISC [802.1] 00 15 17 36 ca 1c
                        Aug 15 00:29:03 	pptps: MP SHORTSEQ
                        Aug 15 00:29:03 	pptps: MP MRRU 1600
                        Aug 15 00:29:03 	pptps: AUTHPROTO CHAP MSOFTv2
                        Aug 15 00:29:03 	pptps: MAGICNUM b2dd1f0a
                        Aug 15 00:29:03 	pptps: MRU 1500
                        Aug 15 00:29:03 	pptps: PROTOCOMP
                        Aug 15 00:29:03 	pptps: ACFCOMP
                        Aug 15 00:29:03 	pptps: [pt0] LCP: SendConfigReq #2
                        Aug 15 00:29:01 	pptps: [pt0] LCP: state change Req-Sent --> Ack-Sent
                        Aug 15 00:29:01 	pptps: ACFCOMP
                        Aug 15 00:29:01 	pptps: PROTOCOMP
                        Aug 15 00:29:01 	pptps: MAGICNUM 344d9d4f
                        Aug 15 00:29:01 	pptps: ACCMAP 0x00000000
                        Aug 15 00:29:01 	pptps: [pt0] LCP: SendConfigAck #1
                        Aug 15 00:29:01 	pptps: ACFCOMP
                        Aug 15 00:29:01 	pptps: PROTOCOMP
                        Aug 15 00:29:01 	pptps: MAGICNUM 344d9d4f
                        Aug 15 00:29:01 	pptps: ACCMAP 0x00000000
                        Aug 15 00:29:01 	pptps: [pt0] LCP: rec'd Configure Request #1 (Req-Sent)
                        Aug 15 00:29:01 	pptps: ENDPOINTDISC [802.1] 00 15 17 36 ca 1c
                        Aug 15 00:29:01 	pptps: MP SHORTSEQ
                        Aug 15 00:29:01 	pptps: MP MRRU 1600
                        Aug 15 00:29:01 	pptps: AUTHPROTO CHAP MSOFTv2
                        Aug 15 00:29:01 	pptps: MAGICNUM b2dd1f0a
                        Aug 15 00:29:01 	pptps: MRU 1500
                        Aug 15 00:29:01 	pptps: PROTOCOMP
                        Aug 15 00:29:01 	pptps: ACFCOMP
                        Aug 15 00:29:01 	pptps: [pt0] LCP: SendConfigReq #1
                        Aug 15 00:29:01 	pptps: [pt0] LCP: state change Starting --> Req-Sent
                        Aug 15 00:29:01 	pptps: [pt0] LCP: Up event
                        Aug 15 00:29:01 	pptps: [pt0] link: origination is remote
                        Aug 15 00:29:01 	pptps: [pt0] link: UP event
                        Aug 15 00:29:01 	pptps: [pt0] PPTP: attaching to peer's outgoing call
                        Aug 15 00:29:01 	pptps: [pt0] LCP: LayerStart
                        Aug 15 00:29:01 	pptps: [pt0] LCP: state change Initial --> Starting
                        Aug 15 00:29:01 	pptps: [pt0] LCP: Open event
                        Aug 15 00:29:01 	pptps: [pt0] link: OPEN event
                        Aug 15 00:29:01 	pptps: [pt0] opening link "pt0"...
                        Aug 15 00:29:01 	pptps: [pt0] Accepting PPTP connection
                        Aug 15 00:29:01 	pptps: pptp0: attached to connection with yyy.yyy.yyy.yyy 54108
                        Aug 15 00:29:01 	pptps: PPTP: Incoming control connection from yyy.yyy.yyy.yyy 54108 to xxx.xxx.xxx.xxx 1723
                        
                        

                        Although this line might be revealing the issue

                        Aug 15 00:29:05 	pptps: [pt0] rec'd unexpected protocol IPV6CP, rejecting
                        

                        AhnHEL (Angel)

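One way to read the session log above, as an added example that is not part of the original post and is not pfSense or mpd code: it puts the newest-first lines back in order and extracts the session milestones. The sample lines are copied from the log above; the function names are hypothetical and a single link is assumed.

```python
import re
from datetime import datetime

# Lines copied from the log above (tab after the timestamp replaced by a space),
# in the same newest-first order.
SAMPLE = """\
Aug 15 00:32:48 pptps: [pt0] IPCP: state change Opened --> Closing
Aug 15 00:32:48 pptps: [pt0] AUTH: Accounting data for user blablabla: 227 seconds, 2936 octets in, 4160 octets out
Aug 15 00:29:07 pptps: [pt0] IFACE: Up event
Aug 15 00:29:07 pptps: [pt0] IPCP: state change Ack-Sent --> Opened
Aug 15 00:29:05 pptps: zzz.zzz.zzz.zzz is OK
Aug 15 00:29:05 pptps: [pt0] rec'd unexpected protocol IPV6CP, rejecting
Aug 15 00:29:05 pptps: [pt0] CCP: state change Ack-Rcvd --> Opened
Aug 15 00:29:04 pptps: [pt0] LCP: authorization successful
Aug 15 00:29:04 pptps: [pt0] LCP: state change Ack-Sent --> Opened
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+pptps:\s+(?:\[\w+\]\s+)?(?P<msg>.*)$"
)

def chronological(log_text):
    """Return messages oldest-first, whatever order the log was pasted in."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # The log has no year; a fixed one is enough to compare timestamps.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            rows.append((ts, m["msg"]))
    # Timestamps have one-second resolution, so reverse the lines instead of
    # sorting: that keeps events within the same second in their real sequence.
    if rows and rows[0][0] > rows[-1][0]:
        rows.reverse()
    return [msg for _, msg in rows]

def summarize(log_text):
    """Collect the milestones of one PPTP session (single link assumed)."""
    s = {"auth_ok": False, "opened": [], "iface_up": False,
         "rejected": [], "assigned_ip": None, "accounting": None}
    for msg in chronological(log_text):
        if msg == "LCP: authorization successful":
            s["auth_ok"] = True
        elif msg == "IFACE: Up event":
            s["iface_up"] = True
        elif m := re.match(r"(\w+): state change \S+ --> Opened$", msg):
            if m[1] not in s["opened"]:
                s["opened"].append(m[1])
        elif m := re.match(r"rec'd unexpected protocol (\w+), rejecting", msg):
            s["rejected"].append(m[1])
        elif m := re.match(r"(\S+) is OK$", msg):
            s["assigned_ip"] = m[1]
        elif m := re.search(r"(\d+) seconds, (\d+) octets in, (\d+) octets out", msg):
            s["accounting"] = tuple(int(x) for x in m.groups())
    return s

def triage(s):
    if not s["auth_ok"]:
        return "authentication did not complete"
    if "IPCP" not in s["opened"] or not s["iface_up"]:
        return "IPv4 negotiation did not complete"
    return "PPP negotiation completed; check the data path (proxy ARP, routes, rules)"
```

On the lines above, LCP, CCP and IPCP all reach Opened and the interface comes up after the IPV6CP reject, so `triage` points at the data path rather than the PPP negotiation.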