pptp multiple clients behind iptables nat

saf · 03-10-2007, 01:01 PM

Hello

I know this has been discussed before (I've read the topic on the forum concerning this), but no conclusions were drawn. Furthermore, those threads are pretty old. So here it goes:
- Public IP Windows PPTP VPN server(s)
- Clients behind NAT - Slackware 11.0, Kernel 2.6.20, IPtables 1.3.7
=> only one connection at a time working (the second one halts on "Verifying username and password")
- to enable the first connection I modprobe'd: nf_conntrack_pptp, nf_conntrack_proto_gre, nf_nat_pptp, nf_nat_proto_gre

Is there a solutions to this?

Thanks in advance for any ideas you might have.

peter_robb · 03-12-2007, 02:22 PM

It's working for me in pptpd ver 1.3
however it's in a custom kernel.

Which ver are you using and which patches?

saf · 03-12-2007, 02:29 PM

It's not about pptpd, since the clients and the server are both windowses, nevertheless it's still pptp traffic (i.e. tcp 1723, proto 50 <esp> and proto 51 <ah>)
The kernel built from sources. I was thinking that, since one connection passes through and the nat and conntrack helpers are loaded for pptp and gre, it should work.
These protocols are not explicitly nat-ed, but the main nat line is

Code:

$c -t nat -A POSTROUTING -s $intlan -o $extif -j SNAT --to-source $extip

Furthermore, those protocols/ports are allowed in the FORWARD section.

peter_robb · 03-19-2007, 07:01 AM

The earlier module versions didn't handle NATting multiple streams, but since patch-o-matic-ng I have had no problems. There are 4 modules to load.

proto 47 is gre which is necessary for pptp
Protos 50 & 51 are for ipsec

danielhilst · 08-06-2012, 02:43 PM

Hi, I have the exactly the same issue that saf. Two windows clients running behind
an iptables NAT. One can connect per time.. Loading the follow modules solves the problem

Code:

modprobe ip_nat_pptp       
modprobe ip_conntrack_pptp 
modprobe ip_gre

Best regards,