Solved

VPN client behind uncontrolled firewall

Posted on 2003-11-19
5,941 Views
Last Modified: 2010-04-11
Hello,

I need to set up a VPN (PPTP) from my Win2K box (net A) to another network (net B). The problem is that the Win box is behind a very "strict" firewall to which I do not have access. I have tested the target network from a different machine (net C) and the VPN is established fine, so there's no question regarding this end.

From the log files of the router on (net B), it seems that the firewall on (net A) is blocking GRE, as everything else is correctly received on (net A). Is there any workaround for this? Is there a way to tunnel PPTP through another protocol?

thanks!
0
Question by:DrBrain
18 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9783399
The only way to set up a PPTP tunnel is if you are not being blocked by a firewall.

If the Win2K box on NetA is behind a firewall that prohibits that traffic, then that's that.  You have to have the appropriate packet types and ports available in order to set up a PPTP tunnel.
0
 

Author Comment

by:DrBrain
ID: 9783454
ShineOn:
Isn't it possible to tunnel PPTP through another protocol that doesn't need GRE? What about different types of VPNs?

Thanks!
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9783605
>Isn't it possible to tunnel PPTP through another protocol that doesn't need GRE

As far as I know, yes indeed.  If you have full control of network B, and network A will allow outbound requests on port 80, then I think you can do it.

Cheers,
-Jon
0
 
LVL 9

Expert Comment

by:drev001
ID: 9791847
No, you can't use a different port. GRE is not TCP, it's a whole protocol of its own (IP 47). You may be able to use a different TCP port for PPTP (TCP 1723) with some reg hacks, but that's not the issue here.

The firewall in front of the Win2K VPN client needs to support PPTP passthrough or similar. If it's a Cisco PIX firewall with an up-to-date IOS you can use the PPTP Fixup protocol. The restriction here I think is NAT rather than a firewall rule.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9794297
If you switch to L2TP you don't need GRE, but you need a certificate. You have to read up on all the different IP tunnel types that are available. GRE is required for PPTP, but not for L2TP. The more secure you want to be on your VPN, the more imperative it is to obtain and use certificates, along the lines of what is obtained from RSA.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9794312
If you HAVE to avoid the use of GRE, then you CANNOT use PPTP.
0
 
LVL 9

Accepted Solution

by: drev001 (earned 375 total points)
ID: 9799313
L2TP will probably cause problems also. Although it doesn't use GRE, it's a combination of IPSEC and L2TP which means that IP Protocol 50 (ESP) would be used, and this is bound to cause a similar issue.
0
 
LVL 35

Assisted Solution

by: ShineOn (earned 375 total points)
ID: 9807135
Most VPNs I am aware of are based on either PPTP or L2TP. I don't know of any that allow you to work around a firewall that you have no control over.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9870241
I disagree with the opinion that this is not possible.

http://www.linuxdocs.org/HOWTOs/mini/Firewall-Piercing-8.html

should give you some ideas about where to go from here (httptunnel, for example, is not necessarily linux-specific)...

Sorry you gave pts to the naysayers, but I'm not really concerned with pts, only correct answers.

Cheers,
-Jon
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9870387
Jon,

As far as the documentation available for Windows RRAS, which is the software in use here, it can't be done.   PPTP and L2TP specify particular ports and protocols and don't allow for redirection AFAIK, and I'm not aware of a way to use GRE over HTTP with an RRAS PPTP VPN.

One of the things I have been known to say is "there is always a way." The problem with that statement is that it assumes an open mind on the options. If you narrow the scope to a particular product, that statement gets invalidated quickly.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9872787
Are you telling me that you have conclusive knowledge that there exists *no* tunnelling software for Windows that creates an additional IP interface (with a corresponding IP on the other end of the tunnel)? I hope so, because that's all you would need to get PPTP working, or any other VPN software.

If you say you have such knowledge, I won't argue any further (but I'll still be skeptical hehe)

Cheers,
-Jon
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9872826
The documentation for RAS is irrelevant, since the things I'm talking about go beyond the scope of the documentation.  The documentation assumes uninhibited IP connectivity to a remote VPN server - good tunnelling software for windows should provide that.  Here's a diagram:


      +----PPTP connection from NetA to NetB, uninhibited due to new circuit----+
      |                                                                         |
      +------------New virtual circuit created by tunneling software------------+
      |                                                                         |
Net A(local)----Firewall-----------------------Internet-----------------------Net B


Any reason why this won't work (other than the lack of tunnelling software that creates a true point-to-point interface)?

Cheers,
-Jon
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9873171
AFAIK, you would have to redirect GRE to a port other than the standard GRE port, as you said should be possible.  I have not seen anywhere within RRAS that allows you to do that redirection.

It is theoretically possible to redirect any protocol to any port you want, but within the strictures of the software provided by Microsoft for the purpose, I don't see how to apply the theory.  Do you?

I did NOT say that there exists NO tunneling software for Windows that can do this.  I said that as far as I am aware, the tool for Windows supplied by Microsoft that I assumed was the subject of the day does not have that functionality.  The fault may be mine, for assuming that the PPTP VPN the questioner wanted help with was RRAS.  If you know of other VPN software for the Microsoft platform, that has these capabilities, I bow to your experience.


0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9878482
Arrrgh.  You are missing the whole point - there need be no "redirection" of any kind (unless you consider routing to be "redirection").  If you have connectivity to a remote IP (in NetB), unfettered by firewall rulesets (since the connectivity was created by the tunnel), then there is no need to play games with GRE - it will work without any strange manipulation, since there should exist an unfiltered IP circuit to the remote end by way of the tunnelling software.  As I said before, the RRAS docs are below the scope of this discussion.

>AFAIK, you would have to redirect GRE to a port other than the standard GRE port

BTW, GRE is not a port, it's an entirely separate protocol (not that that really matters for the sake of our discussion).

PPTP listens on its default port (unless otherwise configured) in order to attempt to establish a GRE connection - I say again, there is no "GRE port". It is an entirely separate IP protocol (as opposed to UDP or TCP protocols like SMTP, HTTP, DNS, etc.). It is on the same level as TCP, UDP, IPSEC, etc.

Cheers,
-Jon

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9878581
I think it's sinking into my thick skull.

Although GRE "normally" is on a specific port, you can put it where you want, because GRE in a PPTP tunnel is not used to establish the tunnel, but is carried over the tunnel.

Is that correct?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9885379
GRE is *not* on a specific port, since it is not port-based at all.  Please refer to

http://www.iana.org/assignments/protocol-numbers

GRE is another protocol entirely, and I'm not talking about TCP protocols (port-based, which I think is where you are encountering your confusion), but rather IP protocols. TCP, UDP, ICMP, GRE, IPSEC, etc. are all separate IP protocols. You may also be getting confused by the fact that most PPTP servers listen on a specific TCP port in order to negotiate the creation of the GRE connection. That's why you can't just move your PPTP listener to a different port to get around firewall rulesets - the GRE protocol will still almost certainly be blocked by the firewall. Note that I'm not suggesting adjusting the PPTP config in any way - there is no need to adjust the TCP port of the PPTP server - see below...

My advice suggests merely establishing a new IP circuit using software that can create such circuits (tunnels) using existing open ports on the firewall (like port 80). Once such a circuit is established, it should behave similarly to a hardwired circuit (T1, leased line, etc.), and thus pass *any* desired IP traffic, including such traffic necessary to establish a PPTP VPN.

So you see, the PPTP configuration need not be adjusted at all, since to the OS it appears as though there is an existing direct connection to the VPN server.

I guess what I'm saying is - create a kind of non-encrypted VPN first using some other software (like httptunnel), and then use that non-encrypted VPN to create another VPN on top of the current non-encrypted VPN using PPTP.

Hope that was more clarifying than confusing (hehe).

Cheers,
-Jon
0
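To make the point of this exchange concrete (GRE is IP protocol 47 and ESP is IP protocol 50, so a filter decides on the protocol number, not on a TCP port), here is an added example that is not from any thread participant: it builds constructed IPv4 packets for a PPTP control connection, a GRE data packet and an L2TP/IPsec ESP packet, then runs them through a toy first-match filter. Addresses, packet bytes and the rule format are all constructed for the demo.

```python
import struct

# IP protocol numbers from the IANA registry the thread links to
IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50
PPTP_CONTROL_PORT = 1723  # TCP port used only to negotiate the PPTP tunnel

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + payload

def tcp_segment(sport: int, dport: int) -> bytes:
    """Constructed TCP header with SYN set; only the ports matter to the filter."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def parse_ipv4(pkt: bytes) -> dict:
    """Extract what a stateless filter inspects: the IP protocol and, for TCP, the port."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]  # protocol field sits at byte 9 of the IPv4 header
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0] if proto == IPPROTO_TCP else None
    return {"proto": proto, "dport": dport}

def firewall_allows(pkt: bytes, rules) -> bool:
    """First-match rule list; each rule is (ip_proto, tcp_dport_or_None)."""
    p = parse_ipv4(pkt)
    for proto, dport in rules:
        if p["proto"] == proto and (dport is None or p["dport"] == dport):
            return True
    return False  # implicit deny, as on the strict firewall in the question

# Constructed traffic: PPTP control (TCP/1723), PPTP data (GRE v1 carrying PPP), IPsec ESP
pptp_control = build_ipv4(IPPROTO_TCP, tcp_segment(40000, PPTP_CONTROL_PORT))
pptp_data = build_ipv4(IPPROTO_GRE, b"\x30\x01\x88\x0b" + b"\x00" * 8)
ipsec_esp = build_ipv4(IPPROTO_ESP, b"\x00" * 16)

# A ruleset that "opens PPTP" by TCP port alone, and one that also permits protocol 47
PORT_ONLY = [(IPPROTO_TCP, PPTP_CONTROL_PORT)]
WITH_GRE = PORT_ONLY + [(IPPROTO_GRE, None)]

def classify(rules) -> dict:
    return {name: firewall_allows(pkt, rules)
            for name, pkt in (("pptp_control", pptp_control),
                              ("pptp_gre", pptp_data), ("ipsec_esp", ipsec_esp))}

if __name__ == "__main__":
    print("port-only rule:", classify(PORT_ONLY))  # control passes, GRE and ESP dropped
    print("with GRE rule: ", classify(WITH_GRE))   # GRE now passes, ESP still dropped
```

The port-only ruleset reproduces the symptom in the question: the TCP 1723 handshake completes while every GRE packet is dropped, and the same logic explains why drev001 expects L2TP/IPsec (ESP, protocol 50) to hit an equivalent wall.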
 
LVL 35

Expert Comment

by:ShineOn
ID: 9885881
You are right, I confused GRE with a TCP or UDP port-related protocol.  It is its own thing.  Sorry to add to the confusion with my confusion.
0
