From owner-freebsd-net@FreeBSD.ORG Wed Nov 17 19:32:17 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93EEF16A4CE; Wed, 17 Nov 2004 19:32:17 +0000 (GMT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 04B8543D55; Wed, 17 Nov 2004 19:32:15 +0000 (GMT) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA20794; Wed, 17 Nov 2004 12:32:11 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <6.1.2.0.2.20041117103952.05d09048@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0 Date: Wed, 17 Nov 2004 12:31:02 -0700 To: brett@lariat.org From: Brett Glass Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Mailman-Approved-At: Thu, 18 Nov 2004 14:00:20 +0000 Subject: Re: PPTP client not working on 4.10-R X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Nov 2004 19:32:17 -0000 Everyone: I've found what was causing the problems which I reported on net@ and questions@ involving a PPTP client. And I may have uncovered a security problem which -- if my analysis is correct -- should be addressed. (I'd like independent confirmation of this.) As mentioned in earlier postings, I'd just set up a 4.10-R machine which was to be a PPTP client. (It was using the port of the Linux PPTP client in /usr/ports/net/pptpclient.) It could not connect to a PPTP server on the same LAN, even though that PPTP server was correctly serving other clients -- including Windows machines, FreeBSD machines, and a couple of SOHO routers running embedded Linux. The problem FINALLY went away after I set the environment variable "gateway_enable" to "YES" in the client's /etc/rc.conf file and rebooted. The client machine at first seemed to work properly; TCP connections to machines on the local LAN worked correctly. It was when I tried to use the machine as a PPTP client (it was going to tunnel out through the PPTP server to the Internet) that I saw problems -- not only on the client but on the server to which it was trying to connect. After instrumenting the systems with tcpdump and setting up multiple windows to "tail" all of the logs, I saw what was going on. The PPTP call setup process (which is done via a TCP socket) worked. However, once the initial handshake was complete and the "call" was established, the client's PPP process -- which was supposed to begin LCP negotiations with the server via an encrypted GRE tunnel -- didn't receive any data from the server at all. At the same time, the server's PPP process began to report all sorts of errors. What happened was that GRE packets received by the client machine were being bounced back, verbatim, to the PPTP server. The PPTP server was mightily confused by this echoing and in fact suffered a partial crash. (Multitudes of messages accumulating in /var/ppp/ppp.log overflowed the PPTP server's /var partition, and some daemons on the machine failed when they couldn't log.) It filled its logs with error messages generated by its own reflected packets -- some whole, some corrupted. It might be worthwhile to dig a bit into the kernel code and find out why the packets were being reflected, and why the reflection stopped when I turned on packet forwarding. One shouldn't have to enable packet forwarding between interfaces to communicate with a PPTP server on one's local LAN! In fact, it can be a security risk. If you have to enable packet forwarding to establish a VPN connection, you might inadvertently open up a back door from the Internet at large to the private network which you're accessing via the VPN. Because this is a security concern, I'm posting this message to security@ as well as the two lists where I posted originally. But I'm BCC'ing all three to prevent responses from being cross-posted. --Brett Glass