From: "Torsten Kersandt" <torsten@cnc-london.net>
To: freebsd-pf@freebsd.org
Date: Fri, 9 Sep 2011 22:15:29 +0100
Subject: RE: VPN problem
In-Reply-To: <201109091646.15327.lobo@bsd.com.br>
Message-ID: <033001cc6f35$9a68efe0$cf3acfa0$@net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Mario,

I don't know what the experts are suggesting, and I would like to get educated as well, but I use a table for the VPN addresses to allow NAT but block them from using the server as gateway ("use as default gateway" in the VPN is disabled in Windows). I add the rules dynamically using mpd if-up and if-down scripts. All I have in my rules is GRE pass anywhere and "nat to and from" wherever.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Mario Lobo
Sent: 09 September 2011 20:46
To: freebsd-pf@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: VPN problem

Hi;

I've been having this problem establishing a VPN behind a FreeBSD 8-STABLE with pf. I have this scenario:

  home LAN ---- FBSD+pf home ---- INTERNET --- FBSD+pf work --- work LAN
                                               (MPD VPN server)

nat rules on FBSD+pf home:

  nat on $ext_if from $int_if:network to any -> ($ext_if) port 1024:65535
  # nat on $ext_if from any to any -> ($ext_if) port 1024:65535

Obs.: it makes no difference which nat rule I use. The problem persists.

These are the first 5 pf rules on FBSD+pf home:

  # pass quick all
  pass quick on lo0 all

  # my whole home lan is free
  pass in quick on $int_if from $int_if:network to any

  #--- Allow networks to see themselves and dns
  pass quick from $int_if:network to $int_if:network

  #--- Allow vpns from anywhere to anywhere
  pass in quick log on $int_if proto gre from any to any keep state
  pass in quick log on $int_if proto tcp from any to any port pptp flags S/SA keep state

On any attempt to connect to the FBSD+pf work VPN server from the home LAN, I get this (even if I uncomment "pass quick all"):

  #>mpd5
  Multi-link PPP daemon for FreeBSD
  process 98799 started, version 5.5 (root@Papi 16:55 3-Sep-2011)
  CONSOLE: listening on 127.0.0.1 5005
  web: listening on 127.0.0.1 5006
  [B1] Bundle: Interface ng0 created
  [L1] [L1] Link: OPEN event
  [L1] LCP: Open event
  [L1] LCP: state change Initial --> Starting
  [L1] LCP: LayerStart
  [L1] PPTP call successful
  [L1] Link: UP event
  [L1] LCP: Up event
  [L1] LCP: state change Starting --> Req-Sent
  [L1] LCP: SendConfigReq #1
  [L1]   ACFCOMP
  [L1]   PROTOCOMP
  [L1]   ACCMAP 0x000a0000
  [L1]   MRU 1486
  [L1]   MAGICNUM 2d08ae01
  [snip..]
  [L1] LCP: SendConfigReq #10
  [L1]   ACFCOMP
  [L1]   PROTOCOMP
  [L1]   ACCMAP 0x000a0000
  [L1]   MRU 1486
  [L1]   MAGICNUM 2d08ae01
  [L1] LCP: parameter negotiation failed
  [L1] LCP: state change Req-Sent --> Stopped
  [L1] LCP: LayerFinish
  [L1] PPTP call terminated
  [L1] Link: DOWN event
  [L1] LCP: Close event
  [L1] LCP: state change Stopped --> Closed
  [L1] LCP: Down event
  [L1] LCP: state change Closed --> Initial

BUT, on the 9th or 10th attempt, without touching any setting anywhere, the VPN MAY BE established. Out of nothing!

Machines (Windows, Unix, whatever) behind both FBSD+pfs ALSO have the same problem when trying to close VPN tunnels to outside sites.

Sometimes, opening an ssh session from my workstation to FBSD+pf work may "help" in establishing the VPN.

The FBSD+pf work VPN server is working fine. My colleagues can connect to it from their homes (NATted cable modems or 3G modems) without problems. I am the only one behind a FBSD+pf router.

I installed MPD5 on FBSD+pf home and copied mpd.conf from my home workstation to it. Without touching a single setting in mpd.conf, the VPN is established from FBSD+pf home (as a client) to FBSD+pf work WITHOUT any hiccups on EVERY SINGLE attempt, even if I bring it up/down 200 times!

And yet, if the FBSD+pf combo is out of the way (i.e. no NAT, as is the case with FBSD+pf home as a client), or if I let my cable modem do the NAT/routing, the problem is GONE!

FreeBSD work: FreeBSD 8.2-STABLE #0: Mon Aug 22 14:50:42 BRT 2011 amd64
FreeBSD home: FreeBSD 8.2-STABLE #0: Wed May 18 16:53:26 BRT 2011 i386

Any suggestions?

Thanks,

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
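Torsten describes the mechanism (a pf table of VPN peers, maintained from mpd's if-up and if-down scripts) but not the scripts themselves. The following is an added example written for this page, not code from Torsten, Mario or the mpd project: an mpd5 up/down hook that adds the peer's address to a pf table on link-up and removes it on link-down, validating the address before it is spliced into a pfctl command line. Assumptions (not stated in the thread): mpd5 calls the script with the arguments `interface proto local-ip remote-ip authname ...` as documented for `set iface up-script`, pf.conf declares `table <vpn_clients> persist`, and the hook is installed as if-up.sh / if-down.sh, with the event taken from the script's own name.

```shell
#!/bin/sh
# Added example, not code from the thread: an mpd5 up/down hook that keeps a pf
# table of connected VPN peers in sync, so pf rules can refer to <vpn_clients>
# instead of being rewritten for every connection.
#
# Assumptions (mine, not stated in the thread):
#  - mpd5 invokes the script as:  <script> interface proto local-ip remote-ip authname ...
#    (the first five arguments; anything after them is ignored here)
#  - pf.conf contains:  table <vpn_clients> persist
#  - the file is installed as /usr/local/etc/mpd5/if-up.sh and if-down.sh (or a
#    symlink) and "set iface up-script" / "set iface down-script" point at them;
#    the event (up/down) is taken from the script's own name ($0).

TABLE=vpn_clients

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
# mpd supplies the peer address, but nothing that is not an IPv4 address
# must ever reach the pfctl command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# pf_cmd_for_event EVENT IFACE PROTO LOCAL REMOTE [AUTHNAME ...]
# Print the pfctl command for an mpd up/down event without running it, so the
# logic can be exercised on a host without pf. A non-zero exit means "do nothing".
pf_cmd_for_event() {
    _event=$1; _iface=$2; _proto=$3; _remote=$5
    case "$_event" in
        up)   _op=add ;;
        down) _op=delete ;;
        *)    echo "$0: unknown event '$_event'" >&2; return 2 ;;
    esac
    # Only the inet (IPv4) address family is tracked in this table.
    [ "$_proto" = inet ] || return 3
    if ! is_ipv4 "$_remote"; then
        echo "$0: refusing peer address '$_remote' on $_iface" >&2
        return 4
    fi
    echo "pfctl -q -t $TABLE -T $_op $_remote/32"
}

# When mpd runs this file as if-up.sh / if-down.sh, build and execute the command.
# Under any other name (for instance when sourced for testing) only the functions
# above are defined and nothing touches pf.
case "${0##*/}" in
    if-up.sh)   _cmd=$(pf_cmd_for_event up "$@")   && $_cmd ;;
    if-down.sh) _cmd=$(pf_cmd_for_event down "$@") && $_cmd ;;
esac
```

The table can be inspected at any time with `pfctl -t vpn_clients -T show`. Which rules reference the table is a pf.conf matter that the thread does not show; Torsten's wording suggests a `nat` rule that lets `<vpn_clients>` reach what they are meant to reach and a `block` for everything else, which is exactly the split that avoids letting a VPN peer use the server as a general gateway. Restricting the hook to the `inet` family and rejecting anything that is not a dotted quad is deliberate: the peer address comes from the remote side of the negotiation, and a script that runs as root must not build a command line from it unchecked.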