Solved

VPN client behind uncontrolled firewall

Posted on 2003-11-19
5,904 Views
Last Modified: 2010-04-11
Hello,

I need to set up a VPN (PPTP) from my Win2K box (net A) to another network (net B). The problem is that the Win box is behind a very "strict" firewall to which I do not have access. I have tested the target network from a different machine (net C) and the VPN is established fine, so there's no question regarding this end.

From the log files of the router on (net B), it seems that the firewall on (net A) is blocking GRE, as everything else is correctly received on (net A). Is there any workaround for this? Is there a way to tunnel PPTP through another protocol?

thanks!
Question by:DrBrain

18 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9783399
The only way to set up a PPTP tunnel is if you are not being blocked by a firewall.

If the Win2K box on NetA is behind a firewall that prohibits that traffic, then that's that.  You have to have the appropriate packet types and ports available in order to set up a PPTP tunnel.
 

Author Comment

by:DrBrain
ID: 9783454
ShineOn:
Isn't it possible to tunnel PPTP through another protocol that doesn't need GRE? What about different types of VPNs?

Thanks!
 
LVL 16

Expert Comment

by:The--Captain
ID: 9783605
>Isn't it possible to tunnel PPTP through another protocol that doesn't need GRE

As far as I know, yes indeed.  If you have full control of network B, and network A will allow outbound requests on port 80, then I think you can do it.

Cheers,
-Jon
 
LVL 9

Expert Comment

by:drev001
ID: 9791847
No, you can't use a different port. GRE is not TCP, it's a whole protocol of its own (IP 47). You may be able to use a different TCP port for PPTP (TCP 1723) with some reg hacks, but that's not the issue here.

The firewall in front of the Win2K VPN client needs to support PPTP passthrough or similar. If it's a Cisco PIX firewall with an up-to-date IOS, you can use the PPTP Fixup protocol. The restriction here, I think, is NAT rather than a firewall rule.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9794297
If you switch to L2TP you don't need GRE, but you need a certificate.  You have to read up on all the different IP tunnel types that are available.  GRE is required for PPTP, but not for L2TP.  The more secure you want to be on your VPN, the more imperative is obtaining and using certificates, along the lines of what is obtained from RSA.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9794312
If you HAVE to avoid the use of GRE, then you CANNOT use PPTP.
 
LVL 9

Accepted Solution

by:
drev001 earned 125 total points
ID: 9799313
L2TP will probably cause problems also. Although it doesn't use GRE, it's a combination of IPSEC and L2TP which means that IP Protocol 50 (ESP) would be used, and this is bound to cause a similar issue.
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 125 total points
ID: 9807135
Most VPNs I am aware of are based on either PPTP or L2TP.  I don't know of any that allow you to work around a firewall that you have no control over.
 
LVL 16

Expert Comment

by:The--Captain
ID: 9870241
I disagree with the opinion that this is not possible.

http://www.linuxdocs.org/HOWTOs/mini/Firewall-Piercing-8.html

should give you some ideas about where to go from here (httptunnel, for example, is not necessarily linux-specific)...

Sorry you gave pts to the naysayers, but I'm not really concerned with pts, only correct answers.

Cheers,
-Jon
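The HOWTO linked above describes carrying traffic over a port the firewall leaves open, such as TCP 80. The flip side, for whoever runs the firewall on net A, is a check that port-80 connections actually carry HTTP. The following is an added example, not code from this thread or from the Firewall-Piercing HOWTO: it inspects the first client bytes of each TCP/80 connection and flags those that do not begin with an HTTP request line. The flows it runs over are constructed samples; the PPTP control-message bytes follow the RFC 2637 layout.

```python
"""
Added example, not code from the thread or from the Firewall-Piercing HOWTO:
the check a firewall or proxy owner on net A could run over the first client
bytes of each TCP/80 connection to flag traffic that does not start with an
HTTP request line. The flows below are constructed samples.
"""
import re
from typing import Iterable, List, Tuple

# Request-line shape from RFC 7230: method SP request-target SP HTTP-version CRLF.
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)

Flow = Tuple[str, int, bytes]  # (flow id, destination port, first client bytes)


def looks_like_http_request(first_bytes: bytes) -> bool:
    """True when the client's opening bytes parse as an HTTP/1.x request line."""
    return _REQUEST_LINE.match(first_bytes) is not None


def flag_non_http_on_80(flows: Iterable[Flow]) -> List[str]:
    """Return ids of port-80 flows whose client data is not an HTTP request.
    Tunnels that wrap their data in real HTTP requests pass this check; those
    need other signals (connection lifetime, request volume) to spot."""
    return [fid for fid, dport, data in flows
            if dport == 80 and not looks_like_http_request(data)]


# Constructed sample flows.
SAMPLE_FLOWS: List[Flow] = [
    ("f1", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("f2", 80, b"POST /cgi-bin/data HTTP/1.1\r\nHost: example.com\r\n"),
    # PPTP Start-Control-Connection-Request: length 156, type 1, magic cookie 0x1A2B3C4D
    ("f3", 80, b"\x00\x9c\x00\x01\x1a\x2b\x3c\x4d\x00\x01"),
    ("f4", 80, b"\x16\x03\x01\x00\xc4\x01"),   # TLS record header on a non-TLS port
    ("f5", 443, b"\x16\x03\x01\x00\xc4\x01"),  # same bytes on 443: not port-80 traffic
]

if __name__ == "__main__":
    print(flag_non_http_on_80(SAMPLE_FLOWS))
```

Run stand-alone it lists f3 and f4. The limitation stated in the docstring matters: a tool that frames its tunnel inside genuine POST requests looks like f2 to this check, so a first-bytes test is a floor, not a complete answer, and is best paired with a proxy that enforces HTTP semantics.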
 
LVL 35

Expert Comment

by:ShineOn
ID: 9870387
Jon,

As far as the documentation available for Windows RRAS, which is the software in use here, it can't be done.   PPTP and L2TP specify particular ports and protocols and don't allow for redirection AFAIK, and I'm not aware of a way to use GRE over HTTP with an RRAS PPTP VPN.

One of the things I have been known to say is "there is always a way."  The problem with that statement is that it assumes an open mind on the options.  If you narrow the scope to a particular product, that statement gets invalidated quickly.
 
LVL 16

Expert Comment

by:The--Captain
ID: 9872787
Are you telling me that you have conclusive knowledge that there exists *no* tunnelling software for Windows that creates an additional IP interface (with a corresponding IP on the other end of the tunnel)?  I hope so, because that's all you would need to get PPTP working, or any other VPN software.

If you say you have such knowledge, I won't argue any further (but I'll still be skeptical hehe)

Cheers,
-Jon
 
LVL 16

Expert Comment

by:The--Captain
ID: 9872826
The documentation for RAS is irrelevant, since the things I'm talking about go beyond the scope of the documentation.  The documentation assumes uninhibited IP connectivity to a remote VPN server - good tunnelling software for windows should provide that.  Here's a diagram:


      +----PPTP connection from NetA to NetB, uninhibited due to new circuit----+
      |                                                                         |
      +--------------New virtual circuit created by tunneling software----------+
      |                                                                         |
Net A(local)----Firewall----------------------Internet----------------------Net B


Any reason why this won't work (other than the lack of tunnelling software that creates a true point-to-point interface)?

Cheers,
-Jon
 
LVL 35

Expert Comment

by:ShineOn
ID: 9873171
AFAIK, you would have to redirect GRE to a port other than the standard GRE port, as you said should be possible.  I have not seen anywhere within RRAS that allows you to do that redirection.

It is theoretically possible to redirect any protocol to any port you want, but within the strictures of the software provided by Microsoft for the purpose, I don't see how to apply the theory.  Do you?

I did NOT say that there exists NO tunneling software for Windows that can do this.  I said that as far as I am aware, the tool for Windows supplied by Microsoft that I assumed was the subject of the day does not have that functionality.  The fault may be mine, for assuming that the PPTP VPN the questioner wanted help with was RRAS.  If you know of other VPN software for the Microsoft platform, that has these capabilities, I bow to your experience.
 
LVL 16

Expert Comment

by:The--Captain
ID: 9878482
Arrrgh.  You are missing the whole point - there need be no "redirection" of any kind (unless you consider routing to be "redirection").  If you have connectivity to a remote IP (in NetB), unfettered by firewall rulesets (since the connectivity was created by the tunnel), then there is no need to play games with GRE - it will work without any strange manipulation, since there should exist an unfiltered IP circuit to the remote end by way of the tunnelling software.  As I said before, the RRAS docs are below the scope of this discussion.

>AFAIK, you would have to redirect GRE to a port other than the standard GRE port

BTW, GRE is not a port, it's an entirely other protocol (not that that really matters for the sake of our discussion).

PPTP listens on its default port (unless otherwise configured) in order to attempt to establish a GRE connection - I say again, there is no "GRE port".  It is an entirely separate IP protocol (as opposed to UDP or TCP protocols like SMTP, HTTP, DNS, etc...).  It is on the same level as TCP, UDP, IPSEC, etc...

Cheers,
-Jon
 
LVL 35

Expert Comment

by:ShineOn
ID: 9878581
I think it's sinking into my thick skull.

Although GRE "normally" is on a specific port, you can put it where you want, because GRE in a PPTP tunnel is not used to establish the tunnel, but is carried over the tunnel.

Is that correct?
 
LVL 16

Expert Comment

by:The--Captain
ID: 9885379
GRE is *not* on a specific port, since it is not port-based at all.  Please refer to

http://www.iana.org/assignments/protocol-numbers

GRE is another protocol entirely, and I'm not talking about TCP protocols (port-based, which I think is where you are encountering your confusion), but rather IP protocols.  TCP, UDP, ICMP, GRE, IPSEC, etc are all separate IP protocols.  You may also be getting confused by the fact that most PPTP servers listen on a specific TCP port in order to negotiate the creation of the GRE connection.  That's why you can't just move your PPTP listener to a different port to get around firewall rulesets - the GRE protocol will still almost certainly be blocked by the firewall.  Note that I'm not suggesting adjusting the PPTP config in any way - there is no need to adjust the TCP port of the PPTP server - see below...

My advice suggests merely establishing a new IP circuit using software that can create such circuits (tunnels) using existing open ports on the firewall (like port 80).  Once such a circuit is established, it should behave similarly to a hardwired circuit (T1, leased line, etc), and thus pass *any* desired IP traffic, including such traffic necessary to establish a PPTP VPN.

So you see, the PPTP configuration need not be adjusted at all, since to the OS it appears as though there is an existing direct connection to the VPN server.

I guess what I'm saying is - create a kind of non-encrypted VPN first using some other software (like httptunnel), and then use that non-encrypted VPN to create another VPN on top of the current non-encrypted VPN using PPTP.

Hope that was more clarifying than confusing (hehe).

Cheers,
-Jon
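The point made in the comment above (GRE is an IP protocol, number 47, with no port field), together with drev001's accepted answer that L2TP/IPsec runs into the same wall with ESP (protocol 50), can be seen concretely by classifying packets the way a stateless firewall does. The block below is an added example, not code from this thread or from any of the products discussed: it builds a few constructed IPv4 packets from a client on net A to a VPN server on net B and runs them through an assumed allow-list keyed on (IP protocol, destination port). The addresses, the allow-list and the packets are all assumptions made for illustration; the header layouts follow RFC 791, RFC 793, RFC 768, RFC 2637 and RFC 4303.

```python
"""
Added example, not code from the thread: constructed IPv4 packets run through a
minimal stateless egress policy of the kind the question describes. It shows
why the PPTP control channel (TCP 1723) can pass while the GRE data channel
(IP protocol 47, which carries no port) is dropped, and why L2TP/IPsec hits
the same wall with ESP (IP protocol 50). Addresses, rules and packets are
assumptions made for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# IP protocol numbers from the IANA protocol-numbers registry.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


@dataclass(frozen=True)
class Classified:
    proto: int
    name: str
    src_port: Optional[int]  # None for protocols that have no port field
    dst_port: Optional[int]


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left 0) + payload."""
    ver_ihl = (4 << 4) | 5
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only SYN set, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_header(sport: int, dport: int) -> bytes:
    """8-byte UDP header, length 8, checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def pptp_gre_header() -> bytes:
    """PPTP's enhanced GRE header (RFC 2637): K flag, version 1, protocol type
    0x880B (PPP), then payload length and call ID. There is no port field."""
    return struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)


def classify(pkt: bytes) -> Classified:
    """Read the IPv4 protocol field; only TCP and UDP headers carry ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    name = IP_PROTO_NAMES.get(proto, f"proto-{proto}")
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return Classified(proto, name, sport, dport)
    return Classified(proto, name, None, None)


# Assumed "strict" egress allow-list keyed on (ip_proto, dst_port). Everything
# else is dropped, which includes every protocol that is not TCP or UDP, since
# a packet without a port field can never match a port-based rule.
ALLOW: Set[Tuple[int, Optional[int]]] = {
    (6, 80), (6, 443), (6, 1723), (17, 53), (17, 500), (17, 4500),
}


def policy_verdict(pkt: bytes) -> str:
    c = classify(pkt)
    return "ALLOW" if (c.proto, c.dst_port) in ALLOW else "DROP"


def vpn_outcomes() -> Dict[str, str]:
    """Both halves of a PPTP session and the L2TP/IPsec equivalent, from a client
    on net A (10.0.0.5, constructed) to a VPN server on net B (203.0.113.10)."""
    src, dst = "10.0.0.5", "203.0.113.10"
    packets = {
        "pptp_control_tcp1723": build_ipv4(6, src, dst, tcp_syn(40000, 1723)),
        "pptp_data_gre": build_ipv4(47, src, dst, pptp_gre_header()),
        "l2tp_ike_udp500": build_ipv4(17, src, dst, udp_header(500, 500)),
        "l2tp_esp": build_ipv4(50, src, dst, b"\x00" * 8),  # ESP: SPI + sequence number
    }
    return {name: policy_verdict(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in vpn_outcomes().items():
        print(f"{name:22} {verdict}")
```

The verdicts reproduce what the router logs on net B showed: the TCP 1723 control connection is allowed (so PPTP negotiation completes) while GRE is dropped, and moving the PPTP listener to another TCP port would change nothing for the GRE packets because `classify` never finds a port to match. L2TP/IPsec gets the same split, with IKE on UDP 500 passing and ESP dropped, which is the objection in the accepted solution.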
 
LVL 35

Expert Comment

by:ShineOn
ID: 9885881
You are right, I confused GRE with a TCP or UDP port-related protocol.  It is its own thing.  Sorry to add to the confusion with my confusion.