
Pass through PPTP

We attempted to put our new UTM in service over the weekend and while most things worked, we had to roll back because two different VPNs failed.

The one I'm looking for help with on this thread is a PPTP VPN. Traffic passes through the UTM to an internal IP. The VPN is actually terminated on that box. Other than the firewall, nothing changed on the customer's end or anywhere else. It works with our Juniper; it doesn't with the UTM.

My setup
1) Outside and inside interfaces configured.
2) Outside interface set to watch the mapped (external) IP.
3) SNAT rule natting traffic from (Internal IP) to any, Source translation: (External IP), No automatic firewall rule.
4) DNAT rules allowing PPTP, GRE and AUTH from Any to Internet [Outside IP](Address) Destination translation: (Internal IP), Automatic firewall rules on all 3.
5) Firewall policy allowing all traffic from (Internal IP) to any.

Any ideas what I'm missing?



  • I've found a log of the problem. Packets are being dropped. It lists "fwrule=60001". I have less than 200 firewall rules. Where do I look to find what 60001 means?
  • Turns out Google is my friend. It says that a 60001 is a default drop and that I likely need a NAT entry. I have three NAT entries from this outside IP to the internal IP. One allows PPTP, one allows GRE and one allows AUTH. All have automatic firewall rules. I'm researching further, but if anyone has the answer quicker feel free to chime in. :)

  • Please show a representative line from the full Firewall log file, not the Live Log. Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob
  • I've x'd out the MACs and IPs, but they were accurate. The srcip is our customer and the dstip is the external IP address I have natted.

    2016:02:13-13:47:17 perimeter1-1 ulogd[6042]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="x:x:x:x:x:x" dstmac="x:x:x:x:x:x" srcip="x.x.x.x" dstip="x.x.x.x" proto="47" length="84" tos="0x00" prec="0x00" ttl="123"
  • The DNAT rule is
    Group: None
    Position: 83
    Rule type: DNAT
    For traffic from: Any
    Using Service: PPTP
    Going To: Internet[External IP](Address)
    Change the destination to: Fortigate (which is set in definitions as the correct internal IP)
    And the service to: (blank)
    Automatic firewall rule: Checked.
    Comment: (blank)

    There are two identical rules for GRE and AUTH.

    Outbound we have an SNAT:
    No group, position 27, SNAT
    Fortigate -> Any -> Any
    Change source to x.x.x.x (Outside IP). <- Note: should this be "Internet x.x.x.x (Address)"? My other SNATs are working OK.
    Automatic firewall rule: Not checked
    Manual firewall rule: Fortigate -> Any -> Any Allowed

  • From another post here:

    "Go to firewall > Advanced > Connection Tracking Helpers and check PPTP and then it works."

    Is that required for my implementation?
  • You're correct that the packet was dropped out of the INPUT chain. This means you need to add GRE to your DNAT. In general, where I have a common Source and Destination for a traffic selector, I prefer a single rule that uses a group of services rather than a separate one for each service. I bet you could reduce the complexity of your configuration by using that technique.

    Since the PPTP tunnel doesn't terminate on the UTM, I can't imagine that the PPTP Helper would make any difference in this situation.

    Cheers - Bob
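As an added example (not code from the thread, from Sophos, or from Bob), here is a small Python parser for the full Firewall log format Bob asks for, run over constructed lines modelled on the ulogd entry quoted above. It pulls out the key="value" fields and flags a dropped packet whose proto is 47 (GRE) and whose fwrule is 60001, the default drop the thread identified, which is exactly the symptom of a PPTP pass-through that has the TCP 1723 control channel NATed but not the GRE tunnel. The addresses and MACs are documentation values I made up, the second "accepted" line is constructed for contrast, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the "Packet dropped" entry quoted in the thread.
# Addresses are RFC 5737 documentation values, MACs are from the IANA documentation range.
SAMPLE_LOG_LINES: List[str] = [
    '2016:02:13-13:47:17 perimeter1-1 ulogd[6042]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" '
    'srcmac="00:00:5e:00:53:01" dstmac="00:00:5e:00:53:02" srcip="203.0.113.10" '
    'dstip="198.51.100.5" proto="47" length="84" tos="0x00" prec="0x00" ttl="123"',
    # Constructed "accepted" line for the PPTP control connection (TCP/1723) for contrast.
    '2016:02:13-13:47:18 perimeter1-1 ulogd[6042]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth1" '
    'srcip="203.0.113.10" dstip="198.51.100.5" proto="6" length="60" tos="0x00" prec="0x00" '
    'ttl="123" srcport="49152" dstport="1723"',
]

# Every field in the body of the line is key="value"; the syslog-style prefix is not.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA IP protocol numbers that matter for PPTP: 6 = TCP (control on port 1723),
# 47 = GRE (the tunnel itself). 17 = UDP is included only for readable output.
PROTO_NAMES = {"6": "TCP", "17": "UDP", "47": "GRE"}

# The thread established that fwrule 60001 is the UTM's default drop, i.e. no
# DNAT/firewall rule matched the packet at all.
DEFAULT_DROP_RULE = "60001"


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Parse one UTM packetfilter log line into a dict of its key="value" fields,
    plus "timestamp" and "host" taken from the prefix before 'ulogd['."""
    fields = dict(KV_RE.findall(line))
    prefix = line.split(" ulogd[", 1)[0].split(" ", 1)
    if len(prefix) == 2:
        fields["timestamp"], fields["host"] = prefix
    return fields


def diagnose(fields: Dict[str, str]) -> Optional[str]:
    """Return a one-line diagnosis for a dropped packet, or None for anything else."""
    if fields.get("action") != "drop":
        return None
    proto_num = fields.get("proto", "?")
    proto = PROTO_NAMES.get(proto_num, f"proto {proto_num}")
    where = f"{proto} from {fields.get('srcip')} to {fields.get('dstip')} on {fields.get('initf')}"
    if fields.get("fwrule") == DEFAULT_DROP_RULE:
        hint = ""
        if proto_num == "47":
            # TCP/1723 being accepted while GRE hits the default drop is the classic
            # half-configured PPTP pass-through: the DNAT must cover GRE as well.
            hint = " (PPTP needs GRE NATed/allowed alongside TCP/1723)"
        return f"{where} hit the default drop, rule {DEFAULT_DROP_RULE}: no rule matched{hint}"
    return f"{where} dropped by rule {fields.get('fwrule')}"


def default_drops(lines: List[str]) -> List[str]:
    """Diagnoses for every line that was dropped by the default drop rule."""
    out = []
    for line in lines:
        f = parse_ulogd_line(line)
        if f.get("action") == "drop" and f.get("fwrule") == DEFAULT_DROP_RULE:
            out.append(diagnose(f))
    return out


if __name__ == "__main__":
    for msg in default_drops(SAMPLE_LOG_LINES):
        print(msg)
```

Pointing this at the full Firewall log (not the Live Log) and filtering on fwrule 60001 quickly shows which protocol is falling through the rule set; if only proto 47 shows up, the control channel is fine and the GRE DNAT is what is missing or not matching.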