PPTP VPN return traffic problem in 2.1?



  • I've seen at least two repeatable cases where a PPTP VPN client
    can successfully authenticate, but no traffic comes back from
    the remote LAN (despite putting a PPTP interface pass rule in).

    It's clear from using tcpdump that the remote hosts are asking
    for the MAC address for my VPN client IP and never getting a response.

    Is this a known bug?

    Cheers



  • Hi,

    Did you try with current Head?
    I tried to reproduce but had no problems, at least when trying to reach the client from pfSense.
    Will set up a second VM to test…






  • Yes, these are quite recent installations (from the last week or so). Thanks for doing the test, but those look like L2TP configs and
    I'm having trouble with PPTP.

    Having said that, we're not tied to PPTP. I did get a "Cisco" IPSEC configuration working based on an older
    forum post, but I dislike the way that routes all traffic via the VPN on OS X.

    L2TP over IPSEC might be an option, but I have to say i find the IPSEC configuration (to interoperate with OS X)
    a bit daunting.



  • Hehe, you're totally right - I mistook that one ;(
    Yes, using L2TP would be some kind of overkill solution just for the task of transporting L3 protocols, but it should work too. Which old post do you mean? I might be interested too :)

    EDIT: mmh - using PPTP might have some implications..
    Did you try to define a host route to the other host or set a default gateway?
    For example, Win7 sets multiple default routes and traffic might get routed out of the wrong interface if it has no more specific route.


  • Rebel Alliance Developer Netgate

    Is your PPTP subnet in the same subnet as the LAN?

    Does it work if you use a different subnet?

    Usually if the local hosts are trying to find the MAC via ARP, they believe they are in the same subnet. If they really are, then perhaps the proxy ARP daemon isn't launching for those IPs like it should.

    But in that case, using a separate subnet should be fine.



  • Yes, the PPTP clients/network is the same as the LAN subnet.

    I've not tried a different subnet for the PPTP VPN as it simplifies the management slightly if
    the PPTP clients have the same subnet as the office LAN.

    I'll check to see what happens with a different subnet.



  • @jimp:

    If they really are, then perhaps the proxy ARP daemon isn't launching for those IPs like it should.

    Shouldn't the PPTP server manage this just by associating the IP of the remote client with the
    relevant internal interface using the 'arp' binary and '-s/-S' with the 'pub' (publish) option?

    i.e. something like (on successful PPTP authentication and same subnet)

    arp -S <pptp_client_ip_in_lan_subnet> <ether_addr_of_LAN_interface> pub

    That net result does seem to happen in some cases.


  • Rebel Alliance Developer Netgate

    I glanced at the code yesterday (short on time) and this is handled by passing an option to mpd so it can do proxy arp itself. Not sure how it does that internally. Something like:

    set iface enable proxy-arp
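    The check a practitioner would run on the firewall to settle the "same subnet, is the proxy-ARP entry actually there?" question raised in the two posts above, as an added example that is not part of the original thread or of pfSense/mpd. It parses FreeBSD `arp -an` output, decides whether the PPTP client address lies inside the LAN interface prefix, and if it does, verifies that a published (proxy) ARP entry exists for it; when the entry is missing it builds the `arp -S <ip> <mac> pub` command that would add one by hand. The ARP table text, the 192.168.1.0/24 LAN, the interface names and the MAC addresses are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `arp -an` output (not captured from the thread).
# 192.168.1.1   = pfSense LAN address on em1
# 192.168.1.201 = a PPTP client that mpd has already published a proxy-ARP entry for
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.20) at 00:0c:29:aa:bb:20 on em1 expires in 1193 seconds [ethernet]
? (192.168.1.201) at 00:0c:29:aa:bb:01 on em1 permanent published [ethernet]
? (203.0.113.10) at 00:0c:29:aa:bb:02 on em0 permanent [ethernet]
"""

# One line of `arp -an`: "? (ip) at mac on ifname <flags> [ethernet]"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) on (?P<ifname>\S+)"
    r"(?P<flags>.*)\[ethernet\]\s*$"
)


def parse_arp_table(text):
    """Map IP -> {mac, ifname, published, permanent} from `arp -an` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # skip headers or lines in an unexpected format
        entries[m["ip"]] = {
            "mac": m["mac"],
            "ifname": m["ifname"],
            "published": "published" in m["flags"],
            "permanent": "permanent" in m["flags"],
        }
    return entries


def check_pptp_client(client_ip, lan_iface_cidr, arp_text):
    """Return (status, fix_command) for one connected PPTP client.

    status: 'separate_subnet'  client is outside the LAN prefix, LAN hosts route via pfSense
            'published'        a proxy-ARP entry exists, LAN ARP requests get answered
            'missing'          same subnet but no published entry: LAN ARP requests go unanswered
    fix_command is the manual `arp -S` invocation for the 'missing' case, else None.
    """
    lan = ipaddress.ip_interface(lan_iface_cidr)  # e.g. "192.168.1.1/24"
    client = ipaddress.ip_address(client_ip)
    entries = parse_arp_table(arp_text)

    if client not in lan.network:
        return "separate_subnet", None

    entry = entries.get(str(client))
    if entry is not None and entry["published"]:
        return "published", None

    # Publish the client IP with the LAN interface's own MAC, taken from the
    # firewall's permanent entry for its LAN address.
    lan_entry = entries.get(str(lan.ip))
    if lan_entry is None:
        raise ValueError("no ARP entry for LAN address %s" % lan.ip)
    fix = "arp -S %s %s pub" % (client, lan_entry["mac"])
    return "missing", fix


if __name__ == "__main__":
    for ip in ("192.168.1.201", "192.168.1.202", "10.0.10.5"):
        status, fix = check_pptp_client(ip, "192.168.1.1/24", SAMPLE_ARP)
        print(ip, status, fix or "")
```

    On a live box, feed it the real table with `arp -an` (and the LAN address from `ifconfig em1`); a 'missing' result for a client that mpd reported as up is the symptom described in the first post, and the emitted `arp -S ... pub` line is the manual workaround pending a fix in mpd's proxy-arp handling.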
    


  • Any update on this? Seeing this problem as well: it authenticates fine, and the firewall logs just show DNS being passed, but I'm not resolving any websites at all. The same setup was working fine on 2.0.1.



  • Adding some logs to help diagnose the issue

    aaa.aaa.aaa.aaa is the LAN IP for pfSense
    xxx.xxx.xxx.xxx is my WAN IP
    yyy.yyy.yyy.yyy is my iphone's provider IP
    zzz.zzz.zzz.zzz is the internal LAN IP for the PPTP client

    Aug 15 00:32:48 	pptps: [pt0] LCP: state change Closing --> Initial
    Aug 15 00:32:48 	pptps: [pt0] LCP: LayerFinish
    Aug 15 00:32:48 	pptps: [pt0] LCP: Down event
    Aug 15 00:32:48 	pptps: [pt0] link: DOWN event
    Aug 15 00:32:48 	pptps: [pt0] PPTP call terminated
    Aug 15 00:32:48 	pptps: pptp0-0: killing channel
    Aug 15 00:32:48 	pptps: pptp0: killing connection with yyy.yyy.yyy.yyy 54108
    Aug 15 00:32:48 	pptps: pptp0: ctrl connection closed by peer
    Aug 15 00:32:48 	pptps: [pt0] LCP: state change Stopping --> Closing
    Aug 15 00:32:48 	pptps: [pt0] LCP: Close event
    Aug 15 00:32:48 	pptps: [pt0] link: CLOSE event
    Aug 15 00:32:48 	pptps: [pt0] LCP: SendTerminateAck #5
    Aug 15 00:32:48 	pptps: [pt0] LCP: rec'd Terminate Request #3 (Stopping)
    Aug 15 00:32:48 	pptps: [pt0] LCP: LayerDown
    Aug 15 00:32:48 	pptps: [pt0] LCP: SendTerminateAck #4
    Aug 15 00:32:48 	pptps: [pt0] AUTH: Cleanup
    Aug 15 00:32:48 	pptps: [pt0] CCP: state change Closing --> Initial
    Aug 15 00:32:48 	pptps: [pt0] CCP: LayerFinish
    Aug 15 00:32:48 	pptps: [pt0] CCP: Down event
    Aug 15 00:32:48 	pptps: [pt0] IPCP: state change Closing --> Initial
    Aug 15 00:32:48 	pptps: [pt0] closing link "pt0"...
    Aug 15 00:32:48 	pptps: [pt0] No NCPs left. Closing links...
    Aug 15 00:32:48 	pptps: [pt0] IPCP: LayerFinish
    Aug 15 00:32:48 	pptps: [pt0] IPCP: Down event
    Aug 15 00:32:48 	pptps: [pt0] CCP: LayerDown
    Aug 15 00:32:48 	pptps: [pt0] error writing len 8 frame to bypass: Network is down
    Aug 15 00:32:48 	pptps: [pt0] CCP: SendTerminateReq #2
    Aug 15 00:32:48 	pptps: [pt0] CCP: state change Opened --> Closing
    Aug 15 00:32:48 	pptps: [pt0] CCP: Close event
    Aug 15 00:32:48 	pptps: [pt0] IFACE: Down event
    Aug 15 00:32:48 	pptps: [pt0] IPCP: LayerDown
    Aug 15 00:32:48 	pptps: [pt0] error writing len 8 frame to bypass: Network is down
    Aug 15 00:32:48 	pptps: [pt0] IPCP: SendTerminateReq #4
    Aug 15 00:32:48 	pptps: [pt0] IPCP: state change Opened --> Closing
    Aug 15 00:32:48 	pptps: [pt0] IPCP: Close event
    Aug 15 00:32:48 	pptps: [pt0] Bundle up: 0 links, total bandwidth 9600 bps
    Aug 15 00:32:48 	pptps: [pt0] AUTH: Accounting data for user blablabla: 227 seconds, 2936 octets in, 4160 octets out
    Aug 15 00:32:48 	pptps: [pt0] LCP: state change Opened --> Stopping
    Aug 15 00:32:48 	pptps: [pt0] LCP: rec'd Terminate Request #2 (Opened)
    Aug 15 00:29:07 	pptps: [pt0] IFACE: Up event
    Aug 15 00:29:07 	pptps: xxx.xxx.xxx.xxx -> zzz.zzz.zzz.zzz
    Aug 15 00:29:07 	pptps: [pt0] IPCP: LayerUp
    Aug 15 00:29:07 	pptps: [pt0] IPCP: state change Ack-Sent --> Opened
    Aug 15 00:29:07 	pptps: IPADDR xxx.xxx.xxx.xxx
    Aug 15 00:29:07 	pptps: [pt0] IPCP: rec'd Configure Ack #3 (Ack-Sent)
    Aug 15 00:29:06 	pptps: IPADDR xxx.xxx.xxx.xxx
    Aug 15 00:29:06 	pptps: [pt0] IPCP: SendConfigReq #3
    Aug 15 00:29:06 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    Aug 15 00:29:06 	pptps: [pt0] IPCP: rec'd Configure Reject #2 (Ack-Sent)
    Aug 15 00:29:06 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    Aug 15 00:29:06 	pptps: IPADDR xxx.xxx.xxx.xxx
    Aug 15 00:29:06 	pptps: [pt0] IPCP: SendConfigReq #2
    Aug 15 00:29:05 	pptps: [pt0] IPCP: state change Req-Sent --> Ack-Sent
    Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
    Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
    Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
    Aug 15 00:29:05 	pptps: [pt0] IPCP: SendConfigAck #2
    Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
    Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
    Aug 15 00:29:05 	pptps: zzz.zzz.zzz.zzz is OK
    Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
    Aug 15 00:29:05 	pptps: [pt0] IPCP: rec'd Configure Request #2 (Req-Sent)
    Aug 15 00:29:05 	pptps: [pt0] rec'd unexpected protocol IPV6CP, rejecting
    Aug 15 00:29:05 	pptps: SECDNS 8.8.8.8
    Aug 15 00:29:05 	pptps: PRIDNS aaa.aaa.aaa.aaa
    Aug 15 00:29:05 	pptps: IPADDR zzz.zzz.zzz.zzz
    Aug 15 00:29:05 	pptps: [pt0] IPCP: SendConfigNak #1
    Aug 15 00:29:05 	pptps: NAKing with 8.8.8.8
    Aug 15 00:29:05 	pptps: SECDNS 0.0.0.0
    Aug 15 00:29:05 	pptps: NAKing with aaa.aaa.aaa.aaa
    Aug 15 00:29:05 	pptps: PRIDNS 0.0.0.0
    Aug 15 00:29:05 	pptps: NAKing with zzz.zzz.zzz.zzz
    Aug 15 00:29:05 	pptps: IPADDR 0.0.0.0
    Aug 15 00:29:05 	pptps: [pt0] IPCP: rec'd Configure Request #1 (Req-Sent)
    Aug 15 00:29:05 	pptps: Decompress using: mppc (MPPE(128 bits), stateless)
    Aug 15 00:29:05 	pptps: Compress using: mppc (MPPE(128 bits), stateless)
    Aug 15 00:29:05 	pptps: [pt0] CCP: LayerUp
    Aug 15 00:29:05 	pptps: [pt0] CCP: state change Ack-Rcvd --> Opened
    Aug 15 00:29:05 	pptps: 0x01000040:MPPE(128 bits), stateless
    Aug 15 00:29:05 	pptps: MPPC
    Aug 15 00:29:05 	pptps: [pt0] CCP: SendConfigAck #2
    Aug 15 00:29:05 	pptps: 0x01000040:MPPE(128 bits), stateless
    Aug 15 00:29:05 	pptps: MPPC
    Aug 15 00:29:05 	pptps: [pt0] CCP: rec'd Configure Request #2 (Ack-Rcvd)
    Aug 15 00:29:04 	pptps: [pt0] CCP: state change Req-Sent --> Ack-Rcvd
    Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
    Aug 15 00:29:04 	pptps: MPPC
    Aug 15 00:29:04 	pptps: [pt0] CCP: rec'd Configure Ack #1 (Req-Sent)
    Aug 15 00:29:04 	pptps: [pt0] IPCP: rec'd Terminate Ack #1 (Req-Sent)
    Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
    Aug 15 00:29:04 	pptps: MPPC
    Aug 15 00:29:04 	pptps: [pt0] CCP: SendConfigNak #1
    Aug 15 00:29:04 	pptps: 0x01000060:MPPE(40, 128 bits), stateless
    Aug 15 00:29:04 	pptps: MPPC
    Aug 15 00:29:04 	pptps: [pt0] CCP: rec'd Configure Request #1 (Req-Sent)
    Aug 15 00:29:04 	pptps: 0x01000040:MPPE(128 bits), stateless
    Aug 15 00:29:04 	pptps: MPPC
    Aug 15 00:29:04 	pptps: [pt0] CCP: SendConfigReq #1
    Aug 15 00:29:04 	pptps: [pt0] CCP: state change Starting --> Req-Sent
    Aug 15 00:29:04 	pptps: [pt0] CCP: Up event
    Aug 15 00:29:04 	pptps: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
    Aug 15 00:29:04 	pptps: IPADDR xxx.xxx.xxx.xxx
    Aug 15 00:29:04 	pptps: [pt0] IPCP: SendConfigReq #1
    Aug 15 00:29:04 	pptps: [pt0] IPCP: state change Starting --> Req-Sent
    Aug 15 00:29:04 	pptps: [pt0] IPCP: Up event
    Aug 15 00:29:04 	pptps: [pt0] CCP: LayerStart
    Aug 15 00:29:04 	pptps: [pt0] CCP: state change Initial --> Starting
    Aug 15 00:29:04 	pptps: [pt0] CCP: Open event
    Aug 15 00:29:04 	pptps: [pt0] IPCP: LayerStart
    Aug 15 00:29:04 	pptps: [pt0] IPCP: state change Initial --> Starting
    Aug 15 00:29:04 	pptps: [pt0] IPCP: Open event
    Aug 15 00:29:04 	pptps: [pt0] Bundle up: 1 link, total bandwidth 64000 bps
    Aug 15 00:29:04 	pptps: [pt0] LCP: authorization successful
    Aug 15 00:29:04 	pptps: [pt0] CHAP: sending SUCCESS len:42
    Aug 15 00:29:04 	pptps: Reply message: S=6755F6CB45EC2F39B77C5202F5D7A7C69A9EC717
    Aug 15 00:29:04 	pptps: Response is valid
    Aug 15 00:29:04 	pptps: [pt0] CHAP: ChapInputFinish: status undefined
    Aug 15 00:29:04 	pptps: [pt0] AUTH: Auth-Thread finished normally
    Aug 15 00:29:04 	pptps: [pt0] AUTH: INTERNAL returned undefined
    Aug 15 00:29:04 	pptps: [pt0] AUTH: Trying INTERNAL
    Aug 15 00:29:04 	pptps: [pt0] AUTH: Auth-Thread started
    Aug 15 00:29:04 	pptps: Name: "blablabla"
    Aug 15 00:29:04 	pptps: [pt0] CHAP: rec'd RESPONSE #1
    Aug 15 00:29:04 	pptps: [pt0] LCP: LayerUp
    Aug 15 00:29:04 	pptps: [pt0] CHAP: sending CHALLENGE len:17
    Aug 15 00:29:04 	pptps: [pt0] LCP: auth: peer wants nothing, I want CHAP
    Aug 15 00:29:04 	pptps: [pt0] LCP: state change Ack-Sent --> Opened
    Aug 15 00:29:04 	pptps: AUTHPROTO CHAP MSOFTv2
    Aug 15 00:29:04 	pptps: MAGICNUM b2dd1f0a
    Aug 15 00:29:04 	pptps: MRU 1500
    Aug 15 00:29:04 	pptps: PROTOCOMP
    Aug 15 00:29:04 	pptps: ACFCOMP
    Aug 15 00:29:04 	pptps: [pt0] LCP: rec'd Configure Ack #3 (Ack-Sent)
    Aug 15 00:29:03 	pptps: AUTHPROTO CHAP MSOFTv2
    Aug 15 00:29:03 	pptps: MAGICNUM b2dd1f0a
    Aug 15 00:29:03 	pptps: MRU 1500
    Aug 15 00:29:03 	pptps: PROTOCOMP
    Aug 15 00:29:03 	pptps: ACFCOMP
    Aug 15 00:29:03 	pptps: [pt0] LCP: SendConfigReq #3
    Aug 15 00:29:03 	pptps: MP SHORTSEQ
    Aug 15 00:29:03 	pptps: MP MRRU 1600
    Aug 15 00:29:03 	pptps: [pt0] LCP: rec'd Configure Reject #2 (Ack-Sent)
    Aug 15 00:29:03 	pptps: ENDPOINTDISC [802.1] 00 15 17 36 ca 1c
    Aug 15 00:29:03 	pptps: MP SHORTSEQ
    Aug 15 00:29:03 	pptps: MP MRRU 1600
    Aug 15 00:29:03 	pptps: AUTHPROTO CHAP MSOFTv2
    Aug 15 00:29:03 	pptps: MAGICNUM b2dd1f0a
    Aug 15 00:29:03 	pptps: MRU 1500
    Aug 15 00:29:03 	pptps: PROTOCOMP
    Aug 15 00:29:03 	pptps: ACFCOMP
    Aug 15 00:29:03 	pptps: [pt0] LCP: SendConfigReq #2
    Aug 15 00:29:01 	pptps: [pt0] LCP: state change Req-Sent --> Ack-Sent
    Aug 15 00:29:01 	pptps: ACFCOMP
    Aug 15 00:29:01 	pptps: PROTOCOMP
    Aug 15 00:29:01 	pptps: MAGICNUM 344d9d4f
    Aug 15 00:29:01 	pptps: ACCMAP 0x00000000
    Aug 15 00:29:01 	pptps: [pt0] LCP: SendConfigAck #1
    Aug 15 00:29:01 	pptps: ACFCOMP
    Aug 15 00:29:01 	pptps: PROTOCOMP
    Aug 15 00:29:01 	pptps: MAGICNUM 344d9d4f
    Aug 15 00:29:01 	pptps: ACCMAP 0x00000000
    Aug 15 00:29:01 	pptps: [pt0] LCP: rec'd Configure Request #1 (Req-Sent)
    Aug 15 00:29:01 	pptps: ENDPOINTDISC [802.1] 00 15 17 36 ca 1c
    Aug 15 00:29:01 	pptps: MP SHORTSEQ
    Aug 15 00:29:01 	pptps: MP MRRU 1600
    Aug 15 00:29:01 	pptps: AUTHPROTO CHAP MSOFTv2
    Aug 15 00:29:01 	pptps: MAGICNUM b2dd1f0a
    Aug 15 00:29:01 	pptps: MRU 1500
    Aug 15 00:29:01 	pptps: PROTOCOMP
    Aug 15 00:29:01 	pptps: ACFCOMP
    Aug 15 00:29:01 	pptps: [pt0] LCP: SendConfigReq #1
    Aug 15 00:29:01 	pptps: [pt0] LCP: state change Starting --> Req-Sent
    Aug 15 00:29:01 	pptps: [pt0] LCP: Up event
    Aug 15 00:29:01 	pptps: [pt0] link: origination is remote
    Aug 15 00:29:01 	pptps: [pt0] link: UP event
    Aug 15 00:29:01 	pptps: [pt0] PPTP: attaching to peer's outgoing call
    Aug 15 00:29:01 	pptps: [pt0] LCP: LayerStart
    Aug 15 00:29:01 	pptps: [pt0] LCP: state change Initial --> Starting
    Aug 15 00:29:01 	pptps: [pt0] LCP: Open event
    Aug 15 00:29:01 	pptps: [pt0] link: OPEN event
    Aug 15 00:29:01 	pptps: [pt0] opening link "pt0"...
    Aug 15 00:29:01 	pptps: [pt0] Accepting PPTP connection
    Aug 15 00:29:01 	pptps: pptp0: attached to connection with yyy.yyy.yyy.yyy 54108
    Aug 15 00:29:01 	pptps: PPTP: Incoming control connection from yyy.yyy.yyy.yyy 54108 to xxx.xxx.xxx.xxx 1723
    
    

    Although this line might be revealing the issue

    Aug 15 00:29:05 	pptps: [pt0] rec'd unexpected protocol IPV6CP, rejecting
    
