mpd5 pptp working, but not from another VPN connection

jontheil

jontheil

Hi list,

I think I have seen something about the same problem somewhere, but I can't find it. I have a working PPTPO server based on mpd5 and FreeBSD 8.3-PRERELEASE. When I move myself outside the local network, I can connect. If I start by connecting through a VPN connection at my work (Cisco VPN Client), I cannot.

In front of our local network, we have a pfSense firewall that allows traffic on port 1723. I don't think it is a firewall issue. When I run tcpdump on the server, I actually get a response. But nothing in the mpd.log.

Code: 
tcpdump -vv port 1723
02:28:51.015659 IP (tos 0x0, ttl 122, id 384, offset 0, flags [DF], proto TCP (6), length 40)
    remote_server_name.25874 > mfl.dk.pptp: Flags [.], cksum 0xe6be (correct), seq 366, ack 354, win 64160, length 0
I can post any relevant configurations. But will keep my question short for a start.

Best regards,
Jon
 
You must allow IP protocol GRE too.
If the VPN client is coming from behind a NAT router which does not perform NAT for GRE protocol, the connection won't be available, error number for windows VPN client: 619.
 
I checked the firewall settings and GRE was already opened. It seems the client is set to use IPsec, so I also opened for ESP and AH protocol and for UDP port 500. But the result is the same.

And you are absolutely right, I get error 619. So I guess there is nothing else I can try (?).

Thanks for the info, anyway.

Regards,
Jon
 
Connecting a VPN on top of another may require GRE-in-GRE encapsulation. I don't recommend this setup without a lowered MTU.
If I remember correctly, the VPN client delivered with Windows do a IPSEC attempt if the pptp attempt fails. Try to enforce the client to use only pptp (instead of 'automatic' settings) , and then look for tcp/1723 and GRE with tcpdump. The 619 error may indicate a NAT/firewall error.
 
Tried to force the client to use pptp with no luck.
I get a lot of trafic on port 1723 from the client to my server. But I guess, it is all about the firewall at my work.
Right now, it's kind of stupid: I connect from home via Cisco VPN client to my work network and then try to connect to my home network via Windows VPN client. But my real problem is, that I would like to connect to my home network from work. And it seems quite impossible. I don't think I should try to convince the help desk to open up the firewall. Security is a good thing when you are dealing with governmental data.
Thank you for your suggestions.

Best regards,
Jon
 
You must log in or register to reply here.
Back
Top