
List:       ipfilter
Subject:    SOLVED! Solaris 10 pptp/gre behind NAT
From:       Gabriele Bulfon <gbulfon () sonicle ! com>
Date:       2010-11-12 8:32:37
Message-ID: 17817_1289551303_4CDCFDC6_17817_7526_1_5209026.353.1289550757979.JavaMail.root () www



Worked like a charm!
Just update your Solaris 10 05/08 (or any, I suggest) by rebuilding the sources and replacing
the original ipfilter ;)
http://192.9.162.102/thread.jspa?threadID=5339408
-= Mail sent through WebTop2 =-
From: Gabriele Bulfon
To: ipfilter@coombs.anu.edu.au
Date: 11 November 2010 13:02:40 CET
Subject: Re: Confused by pptp and gre, what is the true way to do it?
After tricking with the rules (modified the pass out / pass in of gre as "from any to any") now
I can see the reply gre packet going out of the win machine, go through the firewall and out
of the wan to the remote machine.
Authentication fails anyway (it goes perfectly when not passing through ipfilter, both when
directly public or when passing through a zywall, but...I want it to go through ipfilter!)
How can I see if the packets are correctly masqueraded?
Here are the two snoops:
-LAN interface-
remoteserverip -> winlanip TCP D=4472 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=<mss 1460,nop,nop,sackOK>
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432
-WAN interface-
         wanip -> remoteserverip TCP D=1723 S=19463 Syn Seq=3520565302 Len=0 Win=64240 Options=<mss 1460,nop,nop,sackOK>
remoteserverip -> wanip          TCP D=19463 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=<mss 1460,nop,nop,sackOK>
         wanip -> remoteserverip TCP D=1723 S=19463 Ack=1081340934 Seq=3520565303 Len=0 Win=64240
         wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081340934 Seq=3520565303 Len=156 Win=64240
remoteserverip -> wanip          TCP D=19463 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> wanip          TCP D=19463 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
         wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341090 Seq=3520565459 Len=168 Win=64084
remoteserverip -> wanip          TCP D=19463 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
         wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341122 Seq=3520565627 Len=24 Win=64052
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
remoteserverip -> wanip          TCP D=19463 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=20698, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=29457, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=9153, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=53
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=1984, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=671, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=14495, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=19126, TOS=0x0, TTL=127
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=53
remoteserverip -> wanip          IP  D=wanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=53
         wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=5577, TOS=0x0, TTL=127
remoteserverip -> wanip          TCP D=19463 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
         wanip -> remoteserverip TCP D=1723 S=19463 Fin Ack=1081341123 Seq=3520565651 Len=0 Win=64052
remoteserverip -> wanip          TCP D=19463 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432
-= Mail sent through WebTop2 =-
From: Gabriele Bulfon
To: ipfilter@coombs.anu.edu.au
Date: 11 November 2010 12:17:55 CET
Subject: Re: Confused by pptp and gre, what is the true way to do it?
Hello, I investigated the problem further.
Using 2 snoops, one on each ethernet card (public and private), I can see traffic on 1732 started
by my internal win machine, then I can see the reply on that port coming to my wan, then to my lan
up to the win machine.
After that, I can just see packets coming from the remote machine (stated as IP, but probably gre),
getting into the firewall and going into the lan up to the win machine.
No packet is going from the win machine to any destination.
Maybe the gre traffic is not correctly natted? Does ipfilter do masquerading on gre?
Gabriele.
-= Mail sent through WebTop2 =-
From: Gabriele Bulfon
To: ipfilter@coombs.anu.edu.au
Date: 10 November 2010 17:02:22 CET
Subject: Confused by pptp and gre, what is the true way to do it?
Hello, I've read around about how to make windows pptp vpn work behind ipfilter, but I've seen
a lot of confusion...(to me, at least).
My windows machine is in the LAN, passing through a solaris machine with ipfilter 4.1.9.
What are the general rules to let Windows pass the NAT and run the handshake?
Some talk about proxy / pptp rule mappings, some talk about just opening the ports...
I tried this but it doesn't work:
ipnat:
#NAT rules
map igb1 mylan/24 -> mypubip/32 proxy port ftp ftp/tcp
map igb1 mylan/24 -> mypubip/32 portmap tcp/udp 10000:40000
map igb1 mylan/24 -> mypubip/32
#redirect gre to my windows machine
rdr igb1 mypubip/32 -> winlanip gre

ipf:
#NAT windows machine
pass out quick on igb1 from mywinip/32 to any keep state
#Let gre enter the firewall
pass in quick on igb1 proto gre from any to mypubip/32
#Let gre pass the rdr
pass in quick on igb1 proto gre from any to winlanip/32
-= Mail sent through WebTop2 =-
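The question raised in the thread, how to tell from the two snoops whether the packets are being masqueraded correctly, can be answered mechanically by correlating the LAN-side and WAN-side captures. The script below is an added example for this page, not code from the poster or from the ipfilter project. It works on an excerpt of the captures quoted above (with the "->" arrows that the archive dropped restored) and assumes only that the host names are the placeholders the poster used. A TCP segment is the same packet on both sides of the NAT if the remote endpoint, direction, sequence number, payload length and flags agree, so the local port that differs between the two captures is the one the map rule rewrote. The lines snoop prints as bare "IP" are protocols its summary mode does not decode; in a PPTP session that is the GRE tunnel (protocol 47; `snoop -v` prints the protocol number in the IP header if you want to confirm it). Those are matched by IP ID and length, which the NAT leaves untouched, and the TTL is checked to drop by exactly one between the two interfaces, as it must for a forwarded packet.

```python
import re

# Excerpt of the two snoop captures posted above (LAN and WAN side of the
# Solaris box), with the '->' arrows that the list archive dropped restored.
# The host names are the poster's placeholders, not real addresses.
LAN_SNOOP = """\
remoteserverip -> winlanip TCP D=4472 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=<mss 1460,nop,nop,sackOK>
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
remoteserverip -> winlanip IP  D=winlanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
"""
WAN_SNOOP = """\
    wanip -> remoteserverip TCP D=1723 S=19463 Syn Seq=3520565302 Len=0 Win=64240 Options=<mss 1460,nop,nop,sackOK>
remoteserverip -> wanip     TCP D=19463 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=<mss 1460,nop,nop,sackOK>
remoteserverip -> wanip     TCP D=19463 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
remoteserverip -> wanip     IP  D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
    wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
remoteserverip -> wanip     IP  D=wanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=53
    wanip -> remoteserverip IP  D=remoteserverip S=wanip LEN=57, ID=20698, TOS=0x0, TTL=127
remoteserverip -> wanip     TCP D=19463 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
"""

LINE_RE = re.compile(r'^\s*(\S+)\s*->\s*(\S+)\s+(TCP|IP)\s+(.*)$')
KV_RE = re.compile(r'(\w+)=([^\s,]+)')


def parse_snoop(text):
    """Parse snoop summary lines. Lines snoop shows as bare 'IP' are
    protocols it does not decode; in a PPTP session that is GRE (47)."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        rest = rest.split('Options=')[0]          # TCP options carry no NAT state
        kv = dict(KV_RE.findall(rest))
        pkt = {'src': src, 'dst': dst, 'proto': proto}
        if proto == 'TCP':
            flags = tuple(t for t in rest.split() if '=' not in t)   # Syn/Push/Fin
            pkt.update(sport=int(kv['S']), dport=int(kv['D']), seq=int(kv['Seq']),
                       len=int(kv['Len']), flags=flags)
        else:
            pkt.update(id=int(kv['ID']), len=int(kv['LEN']), ttl=int(kv['TTL']))
        pkts.append(pkt)
    return pkts


def packet_key(p, local_ip):
    """Identity of a packet that survives NAT: remote endpoint, direction and,
    for TCP, seq/len/flags; for GRE, the IP ID and length (ipfilter rewrites
    addresses and TCP/UDP ports, not the IP ID)."""
    inbound = p['dst'] == local_ip
    remote = p['src'] if inbound else p['dst']
    if p['proto'] == 'TCP':
        rport = p['sport'] if inbound else p['dport']
        return ('TCP', inbound, remote, rport, p['seq'], p['len'], p['flags'])
    return ('GRE', inbound, remote, p['id'], p['len'])


def local_port(p, local_ip):
    return p['dport'] if p['dst'] == local_ip else p['sport']


def nat_report(lan_text, wan_text, lan_ip, wan_ip):
    """Correlate a LAN-side and a WAN-side capture of the same traffic and
    report which packets crossed the NAT and how they were translated."""
    wan = {packet_key(p, wan_ip): p for p in parse_snoop(wan_text)}
    rep = {'tcp_map': {}, 'gre_in_both': [], 'gre_out_both': [],
           'gre_lan_only': [], 'gre_wan_only': [], 'ttl_mismatch': [],
           'tcp_wan_only': 0}
    for p in parse_snoop(lan_text):
        key = packet_key(p, lan_ip)
        q = wan.pop(key, None)
        if p['proto'] == 'TCP':
            if q is not None:   # inside (addr, port) -> outside (addr, port)
                rep['tcp_map'][(lan_ip, local_port(p, lan_ip))] = (wan_ip, local_port(q, wan_ip))
            continue
        if q is None:
            rep['gre_lan_only'].append(p['id'])
            continue
        inbound = key[1]
        rep['gre_in_both' if inbound else 'gre_out_both'].append(p['id'])
        # The same packet loses exactly one TTL between the two interfaces.
        expected_ttl = q['ttl'] - 1 if inbound else q['ttl'] + 1
        if p['ttl'] != expected_ttl:
            rep['ttl_mismatch'].append(p['id'])
    for key, q in wan.items():      # whatever the LAN capture never saw
        if key[0] == 'GRE':
            rep['gre_wan_only'].append(q['id'])
        else:
            rep['tcp_wan_only'] += 1
    return rep


if __name__ == '__main__':
    for k, v in nat_report(LAN_SNOOP, WAN_SNOOP, 'winlanip', 'wanip').items():
        print(f'{k}: {v}')
```

Run on the excerpt, the report maps winlanip:4472 to wanip:19463 for the PPTP control connection, finds inbound GRE IDs 49052 and 49053 on both interfaces with the expected TTL decrement (so the rdr is delivering them to the Windows host), and lists the outbound GRE packets (TTL=127, source already rewritten to wanip) as seen on the WAN only. The LAN capture quoted in the thread contains no outbound packets at all, not even the TCP SYN, so on its own it cannot show what the Windows host sent; a capture taken without a direction filter on the LAN interface is needed before the outbound GRE path can be judged.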
