Pfctl pass GRE

hac3ru · Sep 9, 2014

Hello,

I have a FreeBSD box that does NAT and also has pfctl. The problem is that when I try to connect to an external VPN it fails. On the external server I can see the following:

Code:

Sep  9 20:26:36 rambo2 pptpd[25773]: CTRL: Client 193.226.6.22 control connection started
Sep  9 20:26:36 rambo2 pptpd[25773]: CTRL: Starting call (launching pppd, opening GRE)
Sep  9 20:26:36 rambo2 pppd[25774]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Sep  9 20:26:36 rambo2 pppd[25774]: pptpd-logwtmp: $Version$
Sep  9 20:26:36 rambo2 pppd[25774]: pppd 2.4.5 started by root, uid 0
Sep  9 20:26:36 rambo2 pppd[25774]: using channel 430
Sep  9 20:26:36 rambo2 NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Sep  9 20:26:36 rambo2 NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Sep  9 20:26:36 rambo2 pppd[25774]: Using interface ppp0
Sep  9 20:26:36 rambo2 pppd[25774]: Connect: ppp0 <--> /dev/pts/2
Sep  9 20:26:36 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:36 rambo2 pptpd[25773]: GRE: Bad checksum from pppd.
Sep  9 20:26:36 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:36 rambo2 pppd[25774]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Sep  9 20:26:38 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:38 rambo2 pppd[25774]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Sep  9 20:26:39 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:41 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:41 rambo2 pppd[25774]: sent [LCP ConfRej id=0x2 <callback CBCP>]
Sep  9 20:26:42 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:45 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:45 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x3 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:45 rambo2 pppd[25774]: sent [LCP ConfRej id=0x3 <callback CBCP>]
Sep  9 20:26:48 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:49 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x4 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:49 rambo2 pppd[25774]: sent [LCP ConfRej id=0x4 <callback CBCP>]
Sep  9 20:26:51 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:53 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x5 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:53 rambo2 pppd[25774]: sent [LCP ConfRej id=0x5 <callback CBCP>]
Sep  9 20:26:54 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:57 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:26:57 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x6 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:26:57 rambo2 pppd[25774]: sent [LCP ConfRej id=0x6 <callback CBCP>]
Sep  9 20:27:00 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:27:01 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x7 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:27:01 rambo2 pppd[25774]: sent [LCP ConfRej id=0x7 <callback CBCP>]
Sep  9 20:27:03 rambo2 pppd[25774]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xede488f6> <pcomp> <accomp>]
Sep  9 20:27:05 rambo2 pppd[25774]: rcvd [LCP ConfReq id=0x8 <mru 1400> <magic 0xddc26ac> <pcomp> <accomp> <callback CBCP>]
Sep  9 20:27:05 rambo2 pppd[25774]: sent [LCP ConfRej id=0x8 <callback CBCP>]
Sep  9 20:27:06 rambo2 pppd[25774]: LCP: timeout sending Config-Requests
Sep  9 20:27:06 rambo2 pppd[25774]: Connection terminated.
Sep  9 20:27:06 rambo2 NetworkManager:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Sep  9 20:27:06 rambo2 pppd[25774]: Modem hangup
Sep  9 20:27:06 rambo2 pppd[25774]: Exit.
Sep  9 20:27:06 rambo2 pptpd[25773]: GRE: read(fd=6,buffer=611640,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Sep  9 20:27:06 rambo2 pptpd[25773]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Sep  9 20:27:06 rambo2 pptpd[25773]: CTRL: Reaping child PPP[25774]
Sep  9 20:27:06 rambo2 pptpd[25773]: CTRL: Client 193.226.6.22 control connection finished

I can connect to the server from another location, but not from behind the FreeBSD firewall. The firewall is configured to:

Code:

pass quick proto gre from any to any

Any ideas why I can't connect to external VPNs?

kpa · Sep 9, 2014

PF can not perform NAT on the GRE packets because the packets have nothing in the IP headers that could be used to distiguish different sessions. You would need something like net/frickin proxy (the port is unfortunately gone now) that can look inside the traffic (what PF refuses to do for good reasons) and forward the packets to the correct host.

And BTW:

https://www.schneier.com/pptp-faq.html

hac3ru · Sep 9, 2014

I know about Microsoft PPTP but this isn't a Microsoft PPTP... Anyway. I then have a question. Why does it sometimes work and sometimes it doesn't? There are times when the connection is great, and there's times, like now, when I can't connect...

kpa · Sep 9, 2014

hac3ru said:
I know about Microsoft PPTP but this isn't a Microsoft PPTP... Anyway. I then have a question. Why does it sometimes work and sometimes it doesn't? There are times when the connection is great, and there's times, like now, when I can't connect...

Regardless of being on a non-MS platform the PPTP protocol is the exact same with the exact same serious vulnerabilities that can not be fixed without losing compatibility with the MS implementation.

nforced · Sep 11, 2014

I just hit on the very same problem, I'm behind a FreeBSD router (pf NAT) and I can't connect to external PPTP. net/frickin is now deleted so it's not an option anymore.
What to do? I need to get this working. What is the right way of doing this?

kpa · Sep 11, 2014

No real solution other than moving on to a better VPN solution, IPSEC and OpenVPN are the recommended ones. If you're forced to use PPTP as a client then you're royally screwed. The only way you can still get PPTP working as a client is to run it on the router that holds your public IP address(es) so that NATin the GRE traffic can avoided alltogether. Even so nobody really wants to support PPTP anymore because it's shown to be completely insecure.

nforced · Sep 11, 2014

I see, well the other side should switch to OpenVPN then

Thanks!

hac3ru · Sep 13, 2014

nforced said:
I see, well the other side should switch to OpenVPN then
Thanks!

There are pptp VPNs to my work and where I need to connect... Can't just change them...

nforced · Sep 13, 2014

hac3ru said:
There are pptp VPNs to my work and where I need to connect... Can't just change them...

I understand, I am the same but what can we do?
And why there are network administrators insisting the use of this crap anyway, they are the ones to blame, not us.