SuSE Linux as VPN client to a Watchguard Firebox II using PPTP protocol

Post by Andreas Mei » Fri, 07 Sep 2001 16:00:42

Dear Linux users

One of our customers uses a Watchguard Firebox II (=>
http://www.watchguard.com/) as a firewall, which also provides VPN access
for the staff and a branch office.

The VPN connection works without any problem with a Windows 2000 and
Windows 98 client. Now we'd like to configure a VPN client under SuSE
Linux 7.2. According to the VPN Masquerade Howto at

http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-1.html

I tried the Linux pptp package pptp-linux-1.0.2, which can be found at

http://www.cag.lcs.mit.edu/~cananian/Projects/PPTP/

The source code compilation and installation went without issues.

The "dial-up" itself also works correctly, as shown in these logs:

pppd messages from Linux:

mylinux:/home/xaver/pptp-linux-1.0.2 # ./pptp firewall.firma.ch
(unknown)[1105]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]:
Outgoing call established.
using channel 5
Using interface ppp0
Connect: ppp0 <--> /dev/ttya0
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x92eeae07>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x92eeae07>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap 81> <magic 0xb1135d0b>
<pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <magic 0x92eeae07>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap 81> <magic 0xb1135d0b>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap 81> <magic 0xb1135d0b>]
rcvd [LCP ConfAck id=0x2 <magic 0x92eeae07>]
sent [LCP EchoReq id=0x0 magic=0x92eeae07]
cbcp_lowerup
want: 2
rcvd [CHAP Challenge id=0x1 <f517f9ec2af3234ee6be28279060>, name =
"watchguard"]
sent [CHAP Response id=0x1
<d8c95f4934079ac8affef6ea1d60000000000000000b3cde16e1fefe797db9346daa7a0160ebdb35a24940f433e00>,
name = "Xaver"]
rcvd [LCP EchoRep id=0x0 magic=0xb1135d0b]
rcvd [CHAP Success id=0x1
"S=677893bebcf1ec2c7e0bafc3594e6a4811c43ef7"]
Remote message: S=677893bebcf1ec2c7e0bafc3594e6a4811c43ef7
sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15>]
rcvd [IPCP ConfReq id=0x1 <addr 172.20.33.101>]
sent [IPCP ConfAck id=0x1 <addr 172.20.33.101>]
rcvd [CCP ConfReq id=0x1 <mppe 1 0 0 40>]
sent [CCP ConfAck id=0x1 <mppe 1 0 0 40>]
rcvd [IPCP ConfNak id=0x1 <addr 172.17.100.3>]
sent [IPCP ConfReq id=0x2 <addr 172.17.100.3>]
rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15>]
sent [CCP ConfReq id=0x2]
rcvd [IPCP ConfAck id=0x2 <addr 172.17.100.3>]
local  IP address 172.17.100.3
remote IP address 172.20.33.101
Script /etc/ppp/ip-up started (pid 1191)
rcvd [CCP ConfAck id=0x2]
MPPE 128 bit, stateless transmit compression enabled
Script /etc/ppp/ip-up finished (pid 1191), status = 0x0

log messages on the Watchguard Firebox II box:

08/20/01 14:47  pptpd[3056]:  Watchguard pptpd 2.2.0 started
08/20/01 14:47  pptpd[3056]:  Using interface pptp2
08/20/01 14:47  kernel:  pptp2: daemon attached.
08/20/01 14:47  pptpd[3056]:  Connect: pptp2 [2] <--> 194.209.33.55
08/20/01 14:47  kernel:  GRE: out of order: as:0 seq:0 from:0xd7c4023e
08/20/01 14:47  pptpd[3056]:  User "Xaver" at 172.17.100.3 logged in
08/20/01 14:47  pptpd[3056]:  Add Host 7 172.17.100.3 pptp_vollzugriff
Xaver succeeded
08/20/01 14:47  pptpd[3056]:  local  IP address 172.20.33.101
08/20/01 14:47  pptpd[3056]:  remote IP address 172.17.100.3
08/20/01 14:47  pptpd[3056]:  Receive compression enabled
08/20/01 14:47  pptpd[3056]:  Using PPTP encryption RC4 128-bit.
08/20/01 14:47  pptpd[3056]:  Not using any PPTP software compression.
08/20/01 14:47  pptpd[3056]:  Using stateless mode.
08/20/01 14:47  pptpd[3056]:  Allowing unsafe packet transfer mode for
lossy links.

I defined the appropriate network route:

route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.20.33.101

The actual problem: the connection is established, but the two peers
cannot communicate over the VPN tunnel. :-(

With a "ping 172.20.34.1" command (assume an internal UNIX host), i.e. VPN
client -> network, I only get messages like

sent [CCP ResetReq id=0x3]
rcvd [Compressed data] 90 02 d0 c7 0d e2 91 e6 ...
sent [CCP ResetReq id=0x3]
rcvd [Compressed data] 90 03 c0 83 e4 79 64 32 ...

and the Watchguard box reports:

08/20/01 14:51  kernel:  pptp3: recv CCP reset request (cc_out=1,
window_resets=1, total_sent=14 total_resets=1 ouput-loss=7%)
08/20/01 14:51  kernel:  pptp3: packet loss from 194.209.33.55 (Xaver)
is over the 7% packet limit).
08/20/01 14:51  kernel:  pptp3: Switching to less secure packet
transfer mode.
08/20/01 14:51  kernel:  pptp3: packet loss from 194.209.33.55 (Xaver)
is now below loss limit of 6%).
08/20/01 14:51  kernel:  pptp3: Switching back to more secure packet
transfer mode.
08/20/01 14:51  kernel:  pptp3: recv CCP reset request (cc_out=2,
window_resets=1, total_sent=15 total_resets=2 ouput-loss=13%)
08/20/01 14:51  kernel:  pptp3: packet loss from 194.209.33.55 (Xaver)
is over the 7% packet limit).
08/20/01 14:51  kernel:  pptp3: Switching to less secure packet
transfer mode.
08/20/01 14:51  kernel:  pptp3: packet loss from 194.209.33.55 (Xaver)
is now below loss limit of 6%).
08/20/01 14:51  kernel:  pptp3: Switching back to more secure packet
transfer mode.

The opposite, a "ping 172.17.100.3" from the UNIX host to the VPN
client, produces similar log messages. Linux:

rcvd [Compressed data] 90 0c b4 6d 72 a5 d0 2c ...
sent [CCP ResetReq id=0x4]
rcvd [Compressed data] 90 0d 47 f0 20 27 57 b4 ...
sent [CCP ResetReq id=0x4]

Watchguard box:

08/20/01 14:54  kernel:  pptp3: Switching to less secure packet
transfer mode.
08/20/01 14:54  kernel:  pptp3: recv CCP reset request (cc_out=11,
window_resets=1, total_sent=29 total_resets=11 ouput-loss=37%)
08/20/01 14:54  kernel:  pptp3: recv CCP reset request (cc_out=12,
window_resets=1, total_sent=30 total_resets=12 ouput-loss=40%)
08/20/01 14:54  kernel:  pptp3: recv CCP reset request (cc_out=13,
window_resets=1, total_sent=31 total_resets=13 ouput-loss=41%)

The /etc/ppp/options file I used for the test:

name Xaver
ip
noipx
noipdefault
ipcp-accept-local
ipcp-accept-remote
debug
noauth
crtscts
lock
modem
nodetach
nodefaultroute
-bsdcomp
-vjccomp
-vj
-ac
-pc

I later tried the 1.0.3 version, but I still ran into the same
problems... :-(

Does anybody have experience with VPN and PPTP under Linux? Any
help in solving the problem is appreciated. :-)

                Andreas
--------------------------
Andreas Meile, Abt. Systementwicklung, Tel. direkt: +41 52 260 34 94
onsite solutions ag, Archstrasse 2, CH-8401 Winterthur (Switzerland)
Tel. +41 52 260 34 70 Fax +41 52 214 07 80
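The two logs quoted in the post carry the whole diagnosis: the pppd trace shows which authentication and encryption options were negotiated, and the pairs of "rcvd [Compressed data]" / "sent [CCP ResetReq]" show the client asking the peer to resynchronise after every MPPE frame it cannot decrypt, while the Firebox side counts those resets as "output loss" and toggles its packet transfer mode. The following is an added example, not code from the post or from the pptp-linux project: a small Python analyser that extracts the negotiation summary from a pppd debug trace, counts the reset loop, and parses the Firebox's CCP reset statistics. The sample inputs are constructed from the lines quoted above (the wrapped Firebox lines are rejoined onto one line each); the field names in the returned dictionaries and the verdict thresholds are my own choices.

```python
"""Summarise a pppd debug trace and a Watchguard pptpd log for PPTP/MPPE
tunnel diagnostics (added example; sample logs constructed from the post)."""
import re

# Constructed sample modelled on the pppd debug output quoted in the post.
PPPD_LOG = """\
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap 81> <magic 0xb1135d0b>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap 81> <magic 0xb1135d0b>]
rcvd [CHAP Success id=0x1 "S=677893bebcf1ec2c7e0bafc3594e6a4811c43ef7"]
rcvd [CCP ConfReq id=0x1 <mppe 1 0 0 40>]
sent [CCP ConfAck id=0x1 <mppe 1 0 0 40>]
rcvd [IPCP ConfAck id=0x2 <addr 172.17.100.3>]
local  IP address 172.17.100.3
remote IP address 172.20.33.101
MPPE 128 bit, stateless transmit compression enabled
rcvd [Compressed data] 90 02 d0 c7 0d e2 91 e6 ...
sent [CCP ResetReq id=0x3]
rcvd [Compressed data] 90 03 c0 83 e4 79 64 32 ...
sent [CCP ResetReq id=0x3]
"""

# Constructed sample of the Firebox kernel messages, one record per line
# ("ouput-loss" is the box's own spelling and is matched verbatim).
WATCHGUARD_LOG = """\
08/20/01 14:51  kernel:  pptp3: recv CCP reset request (cc_out=1, window_resets=1, total_sent=14 total_resets=1 ouput-loss=7%)
08/20/01 14:51  kernel:  pptp3: Switching to less secure packet transfer mode.
08/20/01 14:51  kernel:  pptp3: Switching back to more secure packet transfer mode.
08/20/01 14:51  kernel:  pptp3: recv CCP reset request (cc_out=2, window_resets=1, total_sent=15 total_resets=2 ouput-loss=13%)
08/20/01 14:54  kernel:  pptp3: recv CCP reset request (cc_out=11, window_resets=1, total_sent=29 total_resets=11 ouput-loss=37%)
"""

# CHAP algorithm byte as printed (in hex) by older pppd: 0x81 is MS-CHAP-V2.
CHAP_ALGORITHMS = {"05": "MD5", "80": "MS-CHAP", "81": "MS-CHAP-V2"}

# "<direction> [<protocol> <code> [id=0x..] <options>]"
FRAME_RE = re.compile(r"^(sent|rcvd) \[(\w+) (\w+)(?: id=0x[0-9a-f]+)?(.*)\]")
IP_RE = re.compile(r"^(local|remote)\s+IP address (\S+)")
WG_RESET_RE = re.compile(
    r"recv CCP reset request \(.*?total_sent=(\d+) total_resets=(\d+) ouput-loss=(\d+)%\)")


def parse_pppd(log):
    """Extract negotiated auth, addresses, MPPE status and the reset loop counters."""
    summary = {"auth": None, "local_ip": None, "remote_ip": None,
               "mppe_negotiated": False, "mppe_status": None,
               "compressed_rcvd": 0, "reset_req_sent": 0}
    for line in log.splitlines():
        frame = FRAME_RE.match(line)
        if frame:
            direction, proto, code, opts = frame.groups()
            if proto == "LCP" and code == "ConfAck":
                auth = re.search(r"<auth chap ([0-9a-f]{2})>", opts)
                if auth:
                    algo = CHAP_ALGORITHMS.get(auth.group(1), auth.group(1))
                    summary["auth"] = "CHAP/" + algo
            elif proto == "CCP" and code == "ConfAck" and "<mppe" in opts:
                summary["mppe_negotiated"] = True
            elif proto == "CCP" and code == "ResetReq" and direction == "sent":
                summary["reset_req_sent"] += 1
            elif proto == "Compressed" and direction == "rcvd":
                summary["compressed_rcvd"] += 1
            continue
        ip = IP_RE.match(line)
        if ip:
            summary[ip.group(1) + "_ip"] = ip.group(2)
        elif line.startswith("MPPE "):
            summary["mppe_status"] = line
    return summary


def mppe_resync_verdict(summary):
    """A ResetReq after (nearly) every received frame means the MPPE/CCP state
    is out of sync: the link is up, but no payload gets through."""
    if not summary["mppe_negotiated"]:
        return "no MPPE"
    resets, rcvd = summary["reset_req_sent"], summary["compressed_rcvd"]
    if resets >= 2 and resets * 2 >= rcvd:
        return "decryption out of sync"
    return "ok"


def parse_watchguard(log):
    """Collect the Firebox's per-reset statistics and count security downgrades."""
    result = {"resets": [], "downgrades": 0}
    for line in log.splitlines():
        m = WG_RESET_RE.search(line)
        if m:
            result["resets"].append({"total_sent": int(m.group(1)),
                                     "total_resets": int(m.group(2)),
                                     "loss_pct": int(m.group(3))})
        elif "Switching to less secure packet transfer mode" in line:
            result["downgrades"] += 1
    return result


if __name__ == "__main__":
    client = parse_pppd(PPPD_LOG)
    server = parse_watchguard(WATCHGUARD_LOG)
    print("client side:", client)
    print("verdict:", mppe_resync_verdict(client))
    print("firebox side: loss %s, %d downgrade(s)" % (
        [r["loss_pct"] for r in server["resets"]], server["downgrades"]))
```

Run over the real logs, the analyser separates the two questions a reader of the post has to answer: whether negotiation finished (authentication, addresses, MPPE acknowledged in both directions) and whether data actually flows afterwards; here the first succeeds and the second fails, which is what the rising `ouput-loss` percentage on the Firebox records.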
