[Shorewall-users] help with a W2K VPN client 619 error and PPTP server

Tom Eastep teastep at shorewall.net
Thu Sep 23 14:08:34 PDT 2004

On Thursday 23 September 2004 11:14, David Macklem wrote:
> I've got what I think is a fairly simple home network configuration with
> one Linux box functioning as the firewall, VPN server, DHCP server and
> file/print server.  I am having trouble configuring both a VPN server
> (PopTop) and the firewall rules for a W2K PPTP VPN client.  The VPN server
> runs on the firewall machine and the VPN client runs on a W2K machine
> behind the firewall.  The VPN server works fine with one configuration but
> that config prevents the VPN client from connecting through the firewall to
> a remote host.  Vice versa, with another config, the VPN client can connect
> but the VPN server doesn't work.  Here's a picture:
> When I'm in the office I want to connect to my home network:
>   W2K Laptop-->Office Network-->Internet-->My Firewall/Router/VPN
> Server-->Home Network
> When I'm at home, I want to connect to the office network:
>   Office Network<--Office VPN<--Internet<--My Firewall/Router/VPN
> Server<--Home Network<--W2K Laptop
> I've configured PPTP as per the 'basic setup' described in Tom's PPTP
> document.
> Without the PPTP shorewall configuration, I have no problem connecting my
> W2K VPN client to my office's network.  However, when I add the PPTP config
> info into the tunnels and interfaces files (as per table 1, table 2 in the
> PPTP docs), I can no longer get authenticated by my office's VPN server.
> The VPN client program running on W2K gives me the 619 error code (which,
> according to a few posts I found, is because the protocol 47, GRE, stuff is
> not getting through).
> If my tunnels and interfaces files omit any mention of ppp+ and pptpserver,
> my W2K client can connect without a problem.
> An interesting and perhaps (?) important point is that if I add the pptp
> configuration lines to the interfaces and tunnels files and then restart
> shorewall via 'shorewall restart' or 'shorewall stop; shorewall start', the
> W2K VPN client can still connect to my office's network.  However, if I
> reboot the firewall, I get the 619 error.
> As for the other direction, with the PPTP shorewall configuration added to
> those files, I can connect from my office into my home network.  Obviously,
> I'd like to be able to support both at the same time....
> I've running Mandrake 10.0, with kernel, Shorewall 2.0.8.  I've
> included the output from the ip commands as attachments as well as output
> from the shorewall status command: one from when the VPN client can
> connect, the other from when it cannot.
> This configuration seems (to me) to be pretty straightforward and I'm sure
> that lots of examples of such a configuration exist.  However, I haven't
> been able to find any postings that describe this particular problem.
> Therefore, I must be missing something pretty basic.  And, yes, I'm new to
> shorewall, so please bear that in mind :-).  I'm hoping that someone with
> more shorewall/iptables/networking knowledge can help me.   I'll be happy
> to send along any other files - just ask  :-)

I'm surprised that we haven't seen this before. Here is what I believe is 

a) The W2k client establishes it's TCP session with the PPTP server at work.
b) That server starts the LCP negotiation which results in it sending a GRE 
c) If you don't have the 'pptpserver' tunnel defined to Shorewall, your 
firewall DROPs the GRE frame. Your W2k client eventually gets around to 
sending a GRE frame of its own which is accepted by the firewall; that causes 
a connection tracking entry to be created.
d) Now subsequent GRE frames from the PPTP server match the connection 
tracking entry and are redirected to the W2k box.

If you have the pptp tunnel defined, at step (c) your firewall *ACCEPTs* the 
GRE frames. This causes a connection tracking entry to be created and now all 
GRE frames from the server are swallowed by the firewall (who is probably 
returning a "Protocol not available" ICMP or some such). When your W2k client 
finally gets around to sending GRE, a *second* connection tracking entry is 
created but it's too late (you can actually see both entries in the "denied" 
status you sent).

What to do?

a) I believe that Mandrake 10 includes the PPTP connection tracking/NAT 
extensions (see http://shorewall.net/PPTP.htm#ClientsBehind). If so, you 
might try loading the relevant modules and see if that helps.

b) If that fails then define your tunnel as follows:

pptpserver	net	!<PPTP SERVER IP>

where <PPTP SERVER IP> is the IP address of the PPTP server at your work.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

More information about the Shorewall-users mailing list