2015-09-22 - RE: [GRASE-Hotspot] VPN PPTP options

Header Data

From: Paul van Oijen <Pa***n@abnamrocomfin.com>
Message Hash: 3476c96e3486bc82f845de76ac6f9d0f5d38306b81f5ac6e4f9b3d3d64726894
Message ID: <027DF0743282704CAFA3948002E2396601A79E7991@HLVWDBACFEXC02.acfgroup.local>
Reply To: <D0B1523B-85E5-4F3A-95C6-DE7B6E9C266A@argyle.com.au>
UTC Datetime: 2015-09-22 01:56:03 UTC
Raw Date: Tue, 22 Sep 2015 08:56:03 +0000

Raw message

Hi Dave.

I have about the same setup here. My hotspot is set to 10.1.0.x and the Internet LAN is 192.168.x.y.

I did some debugging and see this (I obfuscated the IPs):

root@hotspot:~# tcpdump -i tun0 src host 10.1.0.188 and dst host 211.21.34.180
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
16:44:56.119117 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [S], seq 1163617152, win 29200, options [mss 1460,sackOK,TS val 101773162 ecr 0,nop,wscale 6], length 0
16:44:56.195136 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.], ack 1352138517, win 457, options [nop,nop,TS val 101773171 ecr 379982695], length 0
16:44:56.195393 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [P.], seq 0:156, ack 1, win 457, options [nop,nop,TS val 101773171 ecr 379982695], length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(1) FIRM_REV(0) HOSTNAME(anonymous) VENDOR()
16:44:56.270717 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.], ack 157, win 495, options [nop,nop,TS val 101773179 ecr 379982704], length 0
16:44:56.270748 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [P.], seq 156:324, ack 157, win 495, options [nop,nop,TS val 101773179 ecr 379982704], length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(58649) CALL_SER_NUM(27438) MIN_BPS(1000) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(8192) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
16:44:56.393730 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:44:56.393757 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.], ack 189, win 495, options [nop,nop,TS val 101773191 ecr 379982711], length 0
16:44:59.375547 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:02.379858 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 2, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:05.386927 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 3, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:08.386710 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 4, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:11.388625 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 5, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:14.391496 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 6, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:17.392441 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 7, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:20.392662 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 8, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:23.396235 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16256, seq 9, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:45:26.438999 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [F.], seq 324, ack 189, win 495, options [nop,nop,TS val 101776196 ecr 379982711], length 0
16:45:26.474772 IP 10.1.0.188.43016 > myvpn.hostname.tld.1723: Flags [.], ack 190, win 495, options [nop,nop,TS val 101776199 ecr 379985727], length 0

18 packets captured
19 packets received by filter
0 packets dropped by kernel


root@hotspot:~# tcpdump -i eth0 dst host 211.21.34.180
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:46:00.139027 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [S], seq 2938458965, win 29200, options [mss 1460,sackOK,TS val 101779564 ecr 0,nop,wscale 6], length 0
16:46:00.472091 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [.], ack 1410137951, win 457, options [nop,nop,TS val 101779599 ecr 379989097], length 0
16:46:00.472194 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [P.], seq 0:156, ack 1, win 457, options [nop,nop,TS val 101779599 ecr 379989097], length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(1) FIRM_REV(0) HOSTNAME(anonymous) VENDOR()
16:46:00.820329 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [.], ack 157, win 495, options [nop,nop,TS val 101779634 ecr 379989134], length 0
16:46:00.820461 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [P.], seq 156:324, ack 157, win 495, options [nop,nop,TS val 101779634 ecr 379989134], length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(34279) CALL_SER_NUM(35707) MIN_BPS(1000) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(8192) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
16:46:01.189003 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:01.198823 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [.], ack 189, win 495, options [nop,nop,TS val 101779672 ecr 379989171], length 0
16:46:01.357825 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:01.507514 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:04.190027 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:04.507990 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:04.569061 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:07.192535 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 2, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:07.331277 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:07.372653 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:10.184899 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:10.200938 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 3, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:10.391521 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:13.198368 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 4, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:13.341953 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:13.376501 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:16.201978 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 5, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:16.333516 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:16.369908 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:19.202123 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 6, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:19.372734 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:19.392841 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:22.205338 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 7, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:22.412777 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:22.419452 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:25.209199 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 8, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:25.498702 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:25.508549 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:28.212143 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 9, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:28.241302 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:28.244673 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 72
16:46:31.261534 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [F.], seq 324, ack 189, win 495, options [nop,nop,TS val 101782678 ecr 379989171], length 0
16:46:31.468796 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [.], ack 190, win 495, options [nop,nop,TS val 101782699 ecr 379992209], length 0

I guess the issue lies in the "protocol 47 unreachable", but why? If someone knows how to get further, please let me know.

Regards,
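An added example, not code from the thread or from the Grase project: a small Python script that reads tcpdump text lines like the two captures above and checks the one thing a NAT box must get right for PPTP, namely that the GRE leg leaves the WAN side with the same translated source address as the TCP/1723 control channel. The sample lines are constructed (trimmed from the eth0 capture above, plus a constructed "healthy" capture for contrast). The reading that a "protocol 47 unreachable" sent by 192.168.1.69 means the VPN server's GRE replies reach the hotspot but nothing there claims them, and the pointer to the Linux nf_conntrack_pptp/nf_nat_pptp helper modules, are my interpretation, not something the thread confirms. The same check applies at each NAT hop in the double-NAT topology Dave describes in his quoted message below.

```python
"""Check tcpdump text output for an un-NATed PPTP GRE leg.

Added example; the sample captures are constructed, trimmed from the
eth0 capture posted in the thread. The diagnosis text is an
interpretation, not a finding confirmed by the thread.
"""
import re
from typing import Dict, List

# Constructed sample: what eth0 on the hotspot showed (trimmed).
SAMPLE_BROKEN = """\
16:46:00.139027 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [S], seq 2938458965, win 29200, length 0
16:46:00.472194 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [P.], seq 0:156, ack 1, length 156: pptp CTRL_MSGTYPE=SCCRQ
16:46:00.820461 IP 192.168.1.69.43017 > myvpn.hostname.tld.1723: Flags [P.], seq 156:324, ack 157, length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(34279)
16:46:01.189003 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:01.357825 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
16:46:04.190027 IP 10.1.0.188 > myvpn.hostname.tld: GREv1, call 16384, seq 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:46:04.507990 IP 192.168.1.69 > myvpn.hostname.tld: ICMP 192.168.1.69 protocol 47 unreachable, length 73
"""

# Constructed sample of a working NAT: GRE leaves with the same translated
# source as the control channel, the server answers with GRE, no ICMP.
SAMPLE_OK = """\
16:50:00.000001 IP 192.168.1.69.43018 > myvpn.hostname.tld.1723: Flags [P.], seq 0:156, ack 1, length 156: pptp CTRL_MSGTYPE=SCCRQ
16:50:00.000002 IP 192.168.1.69 > myvpn.hostname.tld: GREv1, call 16385, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
16:50:00.000003 IP myvpn.hostname.tld > 192.168.1.69: GREv1, call 3, seq 0, length 40: LCP, Conf-Request (0x01), id 1, length 26
"""

# "<time> IP <src> > <dst>: <rest>"; src/dst carry ".port" for TCP only.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Classify each line as PPTP control (TCP/1723), GRE, or ICMP proto-47 unreachable."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        if rest.startswith("GREv1"):
            kind, src_host, dst_host = "gre", src, dst
        elif rest.startswith("ICMP") and "protocol 47 unreachable" in rest:
            kind, src_host, dst_host = "proto47_unreach", src, dst
        elif dst.endswith(".1723"):
            # strip the source port and the .1723 destination port
            kind = "control"
            src_host = src.rsplit(".", 1)[0]
            dst_host = dst.rsplit(".", 1)[0]
        else:
            continue
        records.append({"kind": kind, "src": src_host, "dst": dst_host})
    return records


def diagnose(records: List[Dict[str, str]], vpn_server: str) -> Dict[str, object]:
    """Compare the source addresses of the control channel and the GRE leg
    towards vpn_server, and count ICMP 'protocol 47 unreachable' we emitted."""
    outbound = [r for r in records if r["dst"] == vpn_server]
    control = {r["src"] for r in outbound if r["kind"] == "control"}
    gre = {r["src"] for r in outbound if r["kind"] == "gre"}
    unreach = sum(1 for r in outbound if r["kind"] == "proto47_unreach")

    # GRE sourced from an address the control channel never uses means the
    # NAT rewrote TCP/1723 but left GRE alone.
    gre_nat_missing = bool(control) and bool(gre) and not gre <= control
    if gre_nat_missing:
        verdict = (f"TCP/1723 leaves as {sorted(control)} but GRE leaves as {sorted(gre)}: "
                   "the NAT translates the control channel but not GRE. On Linux, check that "
                   "nf_conntrack_pptp and nf_nat_pptp are loaded on this box (interpretation).")
    elif not gre:
        verdict = "No outbound GRE seen towards the server: GRE is dropped before this interface."
    else:
        verdict = "Control channel and GRE share one translated source; NAT looks consistent."
    if unreach:
        verdict += (f" {unreach} ICMP 'protocol 47 unreachable' sent by this host: the server's "
                    "GRE replies arrive but no tunnel state or NAT mapping claims them.")
    return {"control_srcs": control, "gre_srcs": gre, "proto47_unreach": unreach,
            "gre_nat_missing": gre_nat_missing, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, "->", diagnose(parse_capture(sample), "myvpn.hostname.tld")["verdict"])
```

Feed it real output with `tcpdump -n -i eth0 host <vpn-server> | python3 thisfile.py` adapted to read stdin; run it once per NAT hop when there are two, since each hop needs its own PPTP-aware translation of GRE.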

From: David Wilson [mailto:da***e@argyle.com.au]
Sent: Tuesday 22 September 2015 1:07
To: gr***t@grasehotspot.org
Subject: Re: [GRASE-Hotspot] VPN PPTP options

Paul & Tim,

I have exactly the same issue with a client where they have Grase guests that are trying to make a PPTP connection outbound to their work but cannot.

In my environment I have a NAT firewall that connects the public IP from the ISP and provides an internal IP address range (DMZ) that the Grase public side connects to.
And then Grase has a 2nd NIC that connects to the Guest wifi.

Therefore there is a double NAT happening.

i.e.: The guests get a Grase IP and are NATed to the public side of the Grase, which is a DMZ address.
     The public side of Grase is then NATed to the internet.


So far I have just created some NAT rules on the outer router to forward any PPTP stuff back to Grase (i.e. GRE and 1723) and that has not worked.
Although I didn’t really expect it to, as the PPTP 1723 is outbound and should not have anything initiating back to the clients.
I have checked that I have all replies catered for.

As the customer is remote (and therefore almost impossible for me to test) I am now going to replicate the network here so I can fault find it.

Paul, is your setup the same topology as my situation (i.e. double NAT)?


Dave



On 21 Sep 2015, at 10:32 pm, Paul van Oijen <Pa***n@abnamrocomfin.com<mailto:Pa***n@abnamrocomfin.com>> wrote:

Hi Tim,

I plugged in another router to work outside the Linux hotspot box and then the VPN tunnel works well.
Once I use the hotspot again it always fails to connect to my VPN.

As an example, I have a dd-wrt router with PPTP enabled on the outside and I would like to connect to that via the hotspot, establishing a tunnel from my Android phone to the network behind the dd-wrt router, but that always fails.
As mentioned, not having the hotspot in between but another wireless device works well.

So it's from the inside to the outside. What would you advise to check to see what the issue could be?

Cheers, Paul

-----Original message-----
From: Timothy White [mailto:ti***8@gmail.com]
Sent: Sunday 20 September 2015 12:42
To: Grase Hotspot
Subject: Re: [GRASE-Hotspot] VPN PPTP options

Hi Paul

Can you please make it a bit clearer what you are asking. Are you wanting to allow users to make PPTP connections outgoing? Or do you want incoming connections to a client? Do you want clients to make a PPTP connection to the Hotspot?

I believe, but can't test as I don't use PPTP anymore, that outgoing connections should work already.

Regards

Tim

On Fri, Sep 18, 2015 at 7:01 PM, Paul van Oijen <Pa***n@abnamrocomfin.com<mailto:Pa***n@abnamrocomfin.com>> wrote:

Hello,

Small question: what options does one have to allow a PPTP (VPN) connection to hotspot users?

Either selective (IP-based / user-based) or, if not possible, to all users.

Cheers …
http://www.abnamrocomfin.com/maildisclaimer

--
This mailing list is for the Grase Hotspot Project http://grasehotspot.org
---
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gr***e@grasehotspot.org<mailto:gr***e@grasehotspot.org>.
To post to this group, send email to gr***t@grasehotspot.org<mailto:gr***t@grasehotspot.org>.
Visit this group at http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/027DF0743282704CAFA3948002E2396601A79E7614%40HLVWDBACFEXC02.acfgroup.local.
