Solved

Firebox 1000 VPN via PPTP - URGENT -

Posted on 2005-04-04
Last Modified: 2013-11-16
Hi experts,

Here's the scenario. I've got a WatchGuard FireBox 1000 set up and configured in Drop-In mode. All interfaces are configured to use 192.168.1.10.

The firebox's external port connects to a Zyxel prestige 652hw-31 router, which is configured to forward port 1723 to 192.168.1.10.

My VPN server is connected directly to the Optional port of the Firebox, and the server has the IP address 192.168.1.11.

Policy Manager is set to ALLOW PPTP to the OPTIONAL interface.

Also, in Policy Manager | Network Configuration | Advanced > I have configured 192.168.1.11 as a 'related host' on the External interface.

Still with me? OK... here's the problem:

When a remote user attempts to connect to my public IP (84.x.xx.xxx), the router apparently forwards 1723 to the Firebox correctly, and the Firebox reports that it ALLOWED the connection, via NAT:

04/04/05 14:34  kernel:  ip_masq_pptp(): Req outcall PPTP sess 212.xx.x.xxx -> 192.168.1.11 Call ID 25D7 -> 80DF.
04/04/05 14:34  kernel:  ip_masq_pptp(): Estab outcall PPTP sess 212.xx.x.xxx-> 192.168.1.11 Call ID 80DF -> 25D7.

The remote client gets all the way through to the "Verifying username and password" stage, and then can't get any further. Traffic Viewer on the Firebox then starts spitting out lines like this:

04/04/05 14:34  firewalld[118]:  deny out eth1 57 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 92 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 61 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

And that's the problem. So close, and yet so far? What can I do to resolve this problem?

Thanks!

OnError_Fix

0
Question by:OnError_Fix
6 Comments
 
LVL 16

Expert Comment

by:samccarthy
ID: 13701862
Go into Policy Manager, Setup, Intrusion Prevention, Blocked Sites Exceptions and put in the IP address of the router.  I had this issue with my VPN tunnels.  Once I put in the address that was requesting the VPN and then cleared it out of the blocked list, all my VPN tunnels worked great.  For some reason though, if I didn't make it an exclusion, every time it tried to connect, I found it automatically blocked.
0
 

Author Comment

by:OnError_Fix
ID: 13705226
Hi Sam,

I've done as you suggested but unfortunately that still hasn't worked. The Traffic Monitor reports that the incoming PPTP connection on port 1723 was permitted, and that the incoming GRE packet on port 57 was allowed, but it's NOT allowing the OUTGOING GRE/47 request at all, because it says "(spoofed source address)". The exact line is:

04/05/05 10:33  firewalld[118]:  deny out eth1 56 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

Could this be something to do with the NAT setup?

Thanks,

OnError_Fix
0
 

Author Comment

by:OnError_Fix
ID: 13705510
Just an update:

I can fix this problem if I disable "Block Spoofing Attacks" in the Default Packet Handling section.

The log then quickly populates with:

04/05/05 11:28  firewalld[118]:  log out eth1 137 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

Naturally, completely disabling defenses against the spoofing attack isn't my preferred solution, so is there another way around this? Thanks.
0
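As an added illustration for this thread (not code from the question, the answers, or WatchGuard), the following Python script parses the two kinds of Traffic Monitor lines quoted above, the kernel ip_masq_pptp() control-session lines and the firewalld GRE verdict lines, and correlates them. It shows what the log already says in structured form: the PPTP control channel to 192.168.1.11 reaches the Estab stage, while every GRE packet 192.168.1.11 -> 192.168.1.10 on eth1 is rejected by anti-spoofing, and turning "Block Spoofing Attacks" off only turns those "deny out" verdicts into "log out" verdicts. The field layout of the firewalld line is inferred from the quoted lines only (the two numeric fields after the protocol are captured but not interpreted), and the sample log is constructed to match them.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the first five lines are modelled on those quoted in the
# question, the last one on the "log out" line from the follow-up comment.
SAMPLE_LOG = """\
04/04/05 14:34  kernel:  ip_masq_pptp(): Req outcall PPTP sess 212.xx.x.xxx -> 192.168.1.11 Call ID 25D7 -> 80DF.
04/04/05 14:34  kernel:  ip_masq_pptp(): Estab outcall PPTP sess 212.xx.x.xxx-> 192.168.1.11 Call ID 80DF -> 25D7.
04/04/05 14:34  firewalld[118]:  deny out eth1 57 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 92 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 61 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/05/05 11:28  firewalld[118]:  log out eth1 137 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
"""

# Field layout inferred from the quoted lines (assumption, not a WatchGuard
# specification): action, direction, interface, length, protocol, two numeric
# header fields we do not interpret, source, destination, optional reason.
FIREWALLD_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+firewalld\[\d+\]:\s+"
    r"(?P<action>allow|deny|log)\s+(?P<dir>in|out)\s+(?P<iface>\S+)\s+"
    r"(?P<length>\d+)\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)

# The quoted kernel lines are inconsistent about the space before "->",
# so the client field is matched lazily and the arrow with optional spaces.
PPTP_RE = re.compile(
    r"ip_masq_pptp\(\):\s+(?P<stage>Req|Estab)\s+outcall PPTP sess\s+"
    r"(?P<client>\S+?)\s*->\s*(?P<server>\S+)\s+Call ID"
)


def parse_firewalld(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of a firewalld verdict line, or None."""
    m = FIREWALLD_RE.match(line)
    return m.groupdict() if m else None


def parse_pptp(line: str) -> Optional[Dict[str, str]]:
    """Return stage/client/server of an ip_masq_pptp() session line, or None."""
    m = PPTP_RE.search(line)
    return m.groupdict() if m else None


def diagnose(log_text: str) -> dict:
    """Correlate PPTP control sessions with the firewall's GRE verdicts."""
    established: Set[Tuple[str, str]] = set()   # (client, server) pairs at Estab
    gre_verdicts: Counter = Counter()           # (action, dir, iface, src, dst, reason)
    for line in log_text.splitlines():
        p = parse_pptp(line)
        if p:
            if p["stage"] == "Estab":
                established.add((p["client"], p["server"]))
            continue
        f = parse_firewalld(line)
        if f and f["proto"] == "gre":
            key = (f["action"], f["dir"], f["iface"], f["src"], f["dst"], f["reason"])
            gre_verdicts[key] += 1

    servers = {server for _, server in established}
    findings: List[str] = []
    for (action, direction, iface, src, dst, reason), n in sorted(gre_verdicts.items()):
        if reason != "spoofed source address" or src not in servers:
            continue
        if action == "deny":
            findings.append(
                f"PPTP control to {src} established, but {n} GRE packet(s) {src} -> {dst} "
                f"were denied {direction}bound on {iface} as spoofed: the firewall does not "
                f"accept {src} as a source on that interface; fix the interface/related-host "
                f"configuration rather than switching spoof blocking off"
            )
        elif action == "log":
            findings.append(
                f"{n} GRE packet(s) {src} -> {dst} on {iface} passed but were still "
                f"flagged as spoofed (spoof blocking is off); the misconfiguration remains"
            )
    return {
        "established_sessions": sorted(established),
        "gre_verdicts": dict(gre_verdicts),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against a saved Traffic Monitor capture instead of SAMPLE_LOG to see, per interface and host pair, how many GRE packets the anti-spoofing check is dropping; the point of the correlation is that a "deny" whose source is the very server the PPTP control session just reached is a placement or related-host problem, not a hostile spoof.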
LVL 16

Expert Comment

by:samccarthy
ID: 13707085
Have you tried to put a specific rule in to allow it?
0
 

Author Comment

by:OnError_Fix
ID: 13707136
In Policy Manager, the PPTP filter is enabled which has IP Protocol 47 enabled (GRE, I believe). I have set the filter to allow Incoming connections to Optional, and outgoing connections to 'Any'.

Disabling NAT on the service does not work, setting it to 'Enable' works (but still produces the spoofed source address error). Simple NAT appears NOT to work.

I tried creating a NAT mapping from 192.168.10.11 to 192.168.10.1, and vice versa, but this does not appear to make any difference.

Also, we have a wireless access point connected directly to the router, which sits on the External port. Now, clients on the wireless access point cannot tunnel through to get a VPN connection. They get stuck on 'Verifying Username and Password' too.

Yours,

The rapidly balding OnError_Fix!
0
 
LVL 16

Accepted Solution

by:samccarthy (earned 2000 total points)
ID: 13748265
I had made a rule that allowed Any to and from the VPN for each one of my connections.  Once I excluded the blocked address and put in the rule, it all worked peachy.  Do you have hair left?
0
