[8.960][MYTH] PPPoA failing to connect

I use the PPPoA interface type to connect to a PPTP VPN provider, which works fine in V8.

However, when trying the same in UTM9 I get:

2012:05:26-00:18:50 plasmashield pppoa-sh: pptpc[7307] PPTP over Ethernet Loop Control Script activated 
2012:05:26-00:18:50 plasmashield pppoa-sh: pptpc[7307] waiting 10 seconds for mdw filter setup 
2012:05:26-00:19:05 plasmashield pppoa-sh: pptpc[7307] initiating PPTP connection 
2012:05:26-00:19:05 plasmashield pppoa-sh: pptpc[7307] waiting 10 sec for ip-up script 
2012:05:26-00:19:05 plasmashield pppd-pppoa[7358]: pppd 2.4.6 started by (unknown), uid 0
2012:05:26-00:19:05 plasmashield pppd-pppoa[7358]: Couldn't open pty slave /dev/pts/0: No such file or directory
2012:05:26-00:19:05 plasmashield pppd-pppoa[7358]: using channel 9
2012:05:26-00:19:05 plasmashield pppd-pppoa[7358]: Using interface ppp0
2012:05:26-00:19:05 plasmashield pppd-pppoa[7358]: Connect: ppp0  /dev/ttyp0
2012:05:26-00:19:06 plasmashield pppd-pppoa[7358]: sent [LCP ConfReq id=0x1     ]
2012:05:26-00:19:09 plasmashield pppd-pppoa[7358]: sent [LCP ConfReq id=0x1     ]
2012:05:26-00:19:12 plasmashield pppd-pppoa[7358]: sent [LCP ConfReq id=0x1     ]
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] looking for IP info in /var/run/pptp/eth0#REF_IntPppPptp1 
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] /var/run/pptp/eth0#REF_IntPppPptp1 not found, check ip-up script 
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] shutting down pptp connection  X.X.X.X
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: sent [LCP ConfReq id=0x1     ]
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: Terminating on signal 15
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: sent [LCP TermReq id=0x2 "User request"]
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: Child process /usr/sbin/pptp-current X.X.X.X --nolaunchpppd (pid 7359) terminated with signal 15
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: Modem hangup
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: Connection terminated.
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] removing UNIX domain socket /var/run/pptp/X.X.X.X 
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] verifying running processes 
2012:05:26-00:19:15 plasmashield pppd-pppoa[7358]: Exit.
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] pppd: : call REF_IntPppPptp1 ipparam eth0#REF_IntPppPptp1 failed
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] pptp: call manager or gre-gateway failed
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] one or more processes missing 
2012:05:26-00:19:15 plasmashield pppoa-sh: pptpc[7307] shutting down pptp connection  X.X.X.X
2012:05:26-00:19:20 plasmashield pppoa-sh: pptpc[7307] removing UNIX domain socket /var/run/pptp/X.X.X.X 
2012:05:26-00:19:20 plasmashield pppoa-sh: pptpc[7307] encountered 1 errors so far 
2012:05:26-00:19:20 plasmashield pppoa-sh: pptpc[7307] connection terminated after 10 sec 
2012:05:26-00:19:20 plasmashield pppoa-sh: pptpc[7307] connection terminated prematurely 
2012:05:26-00:19:20 plasmashield pppoa-sh: pptpc[7307] restarting connection in 5 sec 
2012:05:26-00
  • Just as a reference, here is the log from a working V8:


    2012:05:27-20:44:19 plasmashield pppoa-sh: pptpc[21698] PPTP over Ethernet Loop Control Script activated 
    2012:05:27-20:44:19 plasmashield pppoa-sh: pptpc[21698] waiting 10 seconds for mdw filter setup 
    2012:05:27-20:44:29 plasmashield pppoa-sh: pptpc[21698] initiating PPTP connection 
    2012:05:27-20:44:29 plasmashield pppoa-sh: pptpc[21698] waiting 10 sec for ip-up script 
    2012:05:27-20:44:29 plasmashield pppd-pppoa[21878]: pppd 2.4.5 started by (unknown), uid 0
    2012:05:27-20:44:29 plasmashield pppd-pppoa[21878]: Couldn't open pty slave /dev/pts/0: No such file or directory
    2012:05:27-20:44:29 plasmashield pppd-pppoa[21878]: using channel 7
    2012:05:27-20:44:29 plasmashield pppd-pppoa[21878]: Using interface ppp0
    2012:05:27-20:44:29 plasmashield pppd-pppoa[21878]: Connect: ppp0  /dev/ttyp0
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [LCP ConfReq id=0x1     ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [LCP ConfReq id=0x1      ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [LCP ConfAck id=0x1      ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [LCP ConfAck id=0x1     ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [LCP EchoReq id=0x0 magic=0x8046f086]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [LCP EchoReq id=0x0 magic=0x491bb849]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [LCP EchoRep id=0x0 magic=0x8046f086]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [CHAP Challenge id=0x82 , name = "pptpd"]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [CHAP Response id=0x82 , name = "vjp1@vpn"]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [LCP EchoRep id=0x0 magic=0x491bb849]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [CHAP Success id=0x82 "S=E15AF48A711A76E741ADA49B46C09BE0318DBD3A"]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: CHAP authentication succeeded
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [CCP ConfReq id=0x1 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [CCP ConfReq id=0x1 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [CCP ConfAck id=0x1 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [CCP ConfNak id=0x1 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [CCP ConfReq id=0x2 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [CCP ConfAck id=0x2 ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: MPPE 128-bit stateless compression enabled
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [IPCP ConfReq id=0x1    ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [IPCP ConfReq id=0x1  ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [IPCP ConfAck id=0x1  ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [IPCP ConfNak id=0x1   ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: sent [IPCP ConfReq id=0x2    ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: rcvd [IPCP ConfAck id=0x2    ]
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: local IP address Z.Z.Z.Z
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: remote IP address X.X.X.X
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: primary DNS address Y.Y.Y.Y
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: secondary DNS address A.A.A.A
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: Script /etc/ppp/ip-up started (pid 21886)
    2012:05:27-20:44:30 plasmashield pppd-pppoa[21878]: Script /etc/ppp/ip-up finished (pid 21886), status = 0x0
    2012:05:27-20:44:39 plasmashield pppoa-sh: pptpc[21698] looking for IP info in /var/run/pptp/eth3#REF_IntPppUstunnel 
    2012:05:27-20:44:39 plasmashield pppoa-sh: pptpc[21698] ppp assigned IP  TTY:
    2012:05:27-20:44:39 plasmashield pppoa-sh: pptpc[21698] pptp (PID 21875) startup successful 
    2012:05:27-20:44:39 plasmashield pppoa-sh: pptpc[21698] verifying running processes 
    2012:05:27-20:44:39 plasmashield pppoa-sh: pptpc[21698] process checking successful 
  • Can this be marked as OPEN instead of BUG? Sorry about this.
  • Connection to a VPN provider is not officially supported by UTM.

    If you want something like this running:
     a) ensure there are packetfilter rules allowing PPTP traffic from the ASG to the VPN provider,
        e.g. use WAN Address Object as source in PF rule
     b) ensure there are static or policy rules, always routing the VPN traffic over the WAN interface

    Cheers
     Ulrich
  • The UTM9 is set up as follows:

    Firewall: One entry:  Any -> Any -> Any (unsecured)
    Policy routing such that any traffic going to the VPN provider goes over WAN.

    Both of these recommendations are already in place, just like they are on the V8 machine.

    Therefore, I ask for the case to be re-opened.


  •     e.g. use WAN Address Object as source in PF rule


    As I wrote, use the Interface Address Object, ANY won't help here!
  • I will try that out tonight, and report back.

    Thanks
  • Normally there is no need to create PF rules for traffic in and out of the ASG (iptables INPUT/OUTPUT).
    So for security reasons, if you create an ANY ANY rule, these rules are NOT installed in INPUT/OUTPUT, but only in the FORWARD chain.
  • Thank you.

    It's working now in UTM9. So this is not a bug.
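
The two logs in this thread differ in one way that can be checked mechanically: the failing pppd process only ever sends LCP ConfReq and never logs a `rcvd` frame, while the working one completes LCP and CHAP. The following is an added example, not part of the original thread or of UTM; the sample lines are constructed in the log format shown above and the verdict names are hypothetical.

```python
import re

# Matches pppd debug lines in the format shown in the thread, e.g.
#   2012:05:26-00:19:06 host pppd-pppoa[7358]: sent [LCP ConfReq id=0x1 ]
FRAME = re.compile(
    r"pppd-pppoa\[(?P<pid>\d+)\]: (?P<dir>sent|rcvd) "
    r"\[(?P<proto>[A-Z]+) (?P<code>\w+)"
)

def classify_sessions(lines):
    """Return {pid: verdict} for every pppd process seen in the log lines."""
    stats = {}
    for line in lines:
        m = FRAME.search(line)
        if not m:
            continue  # script messages, IP assignment lines, etc.
        s = stats.setdefault(m["pid"], {"sent_req": 0, "rcvd": 0, "auth_ok": False})
        if m["dir"] == "rcvd":
            s["rcvd"] += 1
            if m["proto"] == "CHAP" and m["code"] == "Success":
                s["auth_ok"] = True
        elif m["proto"] == "LCP" and m["code"] == "ConfReq":
            s["sent_req"] += 1
    verdicts = {}
    for pid, s in stats.items():
        if s["rcvd"] == 0 and s["sent_req"] >= 2:
            # Repeated ConfReq with nothing received: PPP frames (carried in
            # GRE for PPTP) are not completing a round trip. Check the
            # firewall's own INPUT/OUTPUT rules, not only FORWARD.
            verdicts[pid] = "no-reply"
        elif s["auth_ok"]:
            verdicts[pid] = "authenticated"
        else:
            verdicts[pid] = "negotiating"
    return verdicts

# Constructed sample lines (hostname "fw" is a placeholder).
FAILING = [
    "2012:05:26-00:19:06 fw pppd-pppoa[7358]: sent [LCP ConfReq id=0x1 ]",
    "2012:05:26-00:19:09 fw pppd-pppoa[7358]: sent [LCP ConfReq id=0x1 ]",
    "2012:05:26-00:19:12 fw pppd-pppoa[7358]: sent [LCP ConfReq id=0x1 ]",
    '2012:05:26-00:19:15 fw pppd-pppoa[7358]: sent [LCP TermReq id=0x2 "User request"]',
]
WORKING = [
    "2012:05:27-20:44:30 fw pppd-pppoa[21878]: sent [LCP ConfReq id=0x1 ]",
    "2012:05:27-20:44:30 fw pppd-pppoa[21878]: rcvd [LCP ConfAck id=0x1 ]",
    "2012:05:27-20:44:30 fw pppd-pppoa[21878]: rcvd [CHAP Success id=0x82 ]",
]

if __name__ == "__main__":
    print(classify_sessions(FAILING + WORKING))
```

A "no-reply" verdict only says the PPP exchange was one-sided; in this thread the cause was the missing packet filter rule with the interface address object as source.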