• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1604

Firebox 1000 VPN via PPTP - URGENT -

Hi experts,

Here's the scenario. I've got a WatchGuard FireBox 1000 set up and configured in Drop-In mode. All interfaces are configured to use 192.168.1.10.

The Firebox's external port connects to a Zyxel Prestige 652HW-31 router, which is configured to forward port 1723 to 192.168.1.10.

My VPN server is connected directly to the Optional port of the Firebox, and the server has the IP address 192.168.1.11.

Policy Manager is set to ALLOW PPTP to the OPTIONAL interface.

Also, in Policy Manager | Network Configuration | Advanced > I have configured 192.168.1.11 as a 'related host' on the External interface.

Still with me? OK... here's the problem:

When a remote user attempts to connect to my public IP (84.x.xx.xxx), the router apparently forwards 1723 to the Firebox correctly, and the Firebox reports that it ALLOWED the connection, via NAT:

04/04/05 14:34  kernel:  ip_masq_pptp(): Req outcall PPTP sess 212.xx.x.xxx -> 192.168.1.11 Call ID 25D7 -> 80DF.
04/04/05 14:34  kernel:  ip_masq_pptp(): Estab outcall PPTP sess 212.xx.x.xxx-> 192.168.1.11 Call ID 80DF -> 25D7.

The remote client gets all the way through to the "Verifying username and password" stage, and then can't get any further. Traffic Viewer on the Firebox then starts spitting out lines like this:

04/04/05 14:34  firewalld[118]:  deny out eth1 57 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 92 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 61 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

And that's the problem. So close, and yet so far? What can I do to resolve this problem?

Thanks!

OnError_Fix
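The log lines quoted above are the whole diagnosis: a deny tagged "spoofed source address" on the external interface (eth1) for GRE traffic whose source and destination are both hosts on the internal 192.168.1.0 LAN. The following is an added example, not code from the thread or from WatchGuard: a small parser for the Traffic Monitor firewalld line format shown here, with a check that separates this kind of spoof deny (private address to private address on the firewall's own interface, which points at drop-in/related-host routing) from the spoof denies a defender would actually worry about (a remote, non-private source). The regex field names after the protocol and the private-to-private heuristic are assumptions of this example; the sample log is constructed from the lines on this page.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Pattern for the "firewalld[...]" lines quoted in this thread. The names given
# to the two numeric fields after the protocol (num1, num2) are placeholders:
# the sample lines do not document what they mean, so this example does not guess.
FIREWALLD_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"firewalld\[(?P<pid>\d+)\]:\s+"
    r"(?P<action>allow|deny|log)\s+(?P<direction>in|out)\s+(?P<iface>\S+)\s+"
    r"(?P<length>\d+)\s+(?P<proto>[a-z0-9]+)\s+(?P<num1>\d+)\s+(?P<num2>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one Traffic Monitor line. Lines in another format (for example the
    kernel ip_masq_pptp lines) return None and are skipped by the caller."""
    m = FIREWALLD_RE.match(line.strip())
    if not m:
        return None
    return Event(
        timestamp=f"{m['date']} {m['time']}",
        action=m["action"], direction=m["direction"], iface=m["iface"],
        proto=m["proto"], src=m["src"], dst=m["dst"], reason=m["reason"] or "",
    )


Key = Tuple[str, str, str, str]  # (iface, proto, src, dst)


def spoof_denies_between_private_hosts(lines: Iterable[str]) -> Dict[Key, int]:
    """Count 'deny ... (spoofed source address)' events whose source AND destination
    are both RFC 1918 addresses, keyed by (iface, proto, src, dst).

    Heuristic (an assumption of this example): a spoof deny where both endpoints are
    private LAN addresses indicates a topology/routing problem on the firewall itself,
    like the drop-in/related-host setup in this thread, rather than a remote host
    forging packets. Denies with a non-private source are deliberately left out."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "deny":
            continue
        if "spoofed source address" not in ev.reason:
            continue
        src, dst = ipaddress.ip_address(ev.src), ipaddress.ip_address(ev.dst)
        if src.is_private and dst.is_private:
            counts[(ev.iface, ev.proto, ev.src, ev.dst)] += 1
    return dict(counts)


# Constructed sample: the lines quoted in this thread, plus the kernel line (another
# format, skipped) and the "log out" line seen after spoof blocking was disabled
# (not a deny, so not counted).
SAMPLE_LOG = """\
04/04/05 14:34  kernel:  ip_masq_pptp(): Req outcall PPTP sess 212.xx.x.xxx -> 192.168.1.11 Call ID 25D7 -> 80DF.
04/04/05 14:34  firewalld[118]:  deny out eth1 57 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 92 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/04/05 14:34  firewalld[118]:  deny out eth1 61 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/05/05 10:33  firewalld[118]:  deny out eth1 56 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
04/05/05 11:28  firewalld[118]:  log out eth1 137 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)
"""

if __name__ == "__main__":
    for (iface, proto, src, dst), n in spoof_denies_between_private_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{n} spoof denies on {iface} {proto} {src} -> {dst}: both addresses private, "
              f"check drop-in related-host / routing rather than treating as an attack")
```

Run over the sample it reports four GRE denies on eth1 from 192.168.1.11 to 192.168.1.10, the same signature the thread traces to the Firebox's spoof check rather than to any external attacker; pointing the same function at a live Traffic Monitor export lets you confirm the pattern before touching "Block Spoofing Attacks".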

1 Solution
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
Go into Policy Manager, Setup, Intrusion Prevention, Blocked Sites Exceptions and put in the IP address of the router. I had this issue with my VPN tunnels. Once I put in the address that was requesting the VPN and then cleared it out of the blocked list, all my VPN tunnels worked great. For some reason though, if I didn't make it an exclusion, every time it tried to connect, I found it automatically blocked.
 
OnError_Fix (Author) commented:
Hi Sam,

I've done as you suggested but unfortunately that still hasn't worked. The Traffic Monitor reports that the incoming PPTP connection on port 1723 was permitted, and that the incoming GRE packet on port 57 was allowed, but it's NOT allowing the OUTGOING GRE/47 request at all, because it says "(spoofed source address)". The exact line is:

04/05/05 10:33  firewalld[118]:  deny out eth1 56 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

Could this be something to do with the NAT setup?

Thanks,

OnError_Fix
 
OnError_Fix (Author) commented:
Just an update:

I can fix this problem if I disable "Block Spoofing Attacks" in the Default Packet Handling section.

The log then quickly populates with:

04/05/05 11:28  firewalld[118]:  log out eth1 137 gre 20 128 192.168.1.11 192.168.1.10 (spoofed source address)

Naturally, completely disabling defenses against the spoofing attack isn't my preferred solution, so is there another way around this? Thanks.
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
Have you tried to put a specific rule in to allow it?
 
OnError_Fix (Author) commented:
In Policy Manager, the PPTP filter is enabled which has IP Protocol 47 enabled (GRE, I believe). I have set the filter to allow Incoming connections to Optional, and outgoing connections to 'Any'.

Disabling NAT on the service does not work; setting it to 'Enable' works (but still produces the spoofed source address error). Simple NAT appears NOT to work.

I tried creating a NAT mapping from 192.168.10.11 to 192.168.10.1, and vice versa, but this does not appear to make any difference.

Also, we have a wireless access point connected directly to the router, which sits on the External port. Now, clients on the wireless access point cannot tunnel through to get a VPN connection. They get stuck on 'Verifying Username and Password' too.

Yours,

The rapidly balding OnError_Fix!
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
I had made a rule that allowed Any to and from the VPN for each one of my connections. Once I excluded the blocked address and put in the rule, it all worked peachy. Do you have hair left?