Solution: ip-up fails to restart SuSEfirewall2 properly during PPTPD initialization
I found the below post and similar posts on other linux boards and newsgroups. These people are running SuSE 9.2, PPTPD (the PoPToP Windows VPN server), and SuSEfirewall2 on the same server machine. I ran into this same exact issue. I'm not sure if it's specific to SuSE 9.2 or not. But nobody ever posted a solution to this issue on any of the message boards. After tinkering with the issue for a couple of hours, I discovered what was creating the problem. I figured I'd post it here.
A brief explanation of the issue:
PPTPD and SuSEfirewall2 are both up and running properly. When a VPN client establishes a connection with PPTPD, /etc/ppp/ip-up must bring up ppp0 for use as the VPN client's connection. It must also restart the SuSEfirewall2 script to refresh the active adapter connections that the firewall needs to filter traffic for.
The problem:
As soon as a VPN client establishes a connection, it authenticates properly, but it only remains connected for about 10 seconds, and then the server closes the connection. If you check /var/log/messages you'll see something like this:
Oct 22 06:23:18 junker pppd[3368]: pppd 2.4.2 started by root, uid 0
Oct 22 06:23:18 junker pppd[3368]: Using interface ppp0
Oct 22 06:23:18 junker pppd[3368]: Connect: ppp0 <--> /dev/pts/1
Oct 22 06:23:18 junker pptpd[3367]: CTRL: Received PPTP Control Message (type: 15)
Oct 22 06:23:18 junker pptpd[3367]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 22 06:23:18 junker pppd[3368]: MPPE 128-bit stateless compression enabled
Oct 22 06:23:20 junker pppd[3368]: found interface eth1 for proxy arp
Oct 22 06:23:20 junker pppd[3368]: local IP address 192.168.1.27
Oct 22 06:23:20 junker pppd[3368]: remote IP address 192.168.1.100
Oct 22 06:23:20 junker kernel: SFW2-IN-ILL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.1.100 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55971 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 22 06:23:20 junker pppd[3368]: Script /etc/ppp/ip-up finished (pid 3390), status = 0x0
Oct 22 06:23:20 junker kernel: SFW2-IN-ILL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.1.100 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=55974 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 22 06:23:21 junker kernel: SFW2-IN-ILL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.1.100 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=55977 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 22 06:23:22 junker kernel: SFW2-IN-ILL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.1.100 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=55981 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 22 06:23:23 junker kernel: SFW2-IN-ILL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.1.100 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=55983 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 22 06:23:34 junker pptpd[3367]: Error writing GRE packet: Operation not permitted
Oct 22 06:23:34 junker pptpd[3367]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Oct 22 06:23:34 junker pppd[3368]: Modem hangup
Oct 22 06:23:34 junker pptpd[3367]: CTRL: Client 65.33.236.36 control connection finished
Oct 22 06:23:34 junker pptpd[3367]: CTRL: Exiting now
Oct 22 06:23:34 junker pptpd[3681]: MGR: Reaped child 3367
Oct 22 06:23:34 junker pppd[3368]: MPPE disabled
Oct 22 06:23:34 junker pppd[3368]: Connection terminated.
Some other people had suggested that the problem might be that SuSEfirewall2 is starting too late, and that the currently loaded firewall rules are blocking this connection. This is not true. If you open /etc/ppp/ip-up and comment out the start_firewall call in the ip-up case with #, as such:
case "$BASENAME" in
    ip-up)
        add_nameservers
        # ip_resend hook
        test "$IP_RESEND" = "yes" -a -x /usr/sbin/ip_resend_wakeup && \
            /usr/sbin/ip_resend_wakeup -m $LOCALIP -o $INTERFACE
        # start_firewall
        run_poll_tcpip
        # call ip-up.local if it exists and is executable:
        if test -x /etc/ppp/ip-up.local ; then
            /etc/ppp/ip-up.local "$@" | logger -p security.notice -t ip-up.local > /dev/null &
        fi
        # run additional scripts if they exist
        if [ -d /etc/ppp/ip-up.d ]; then
            for SCRIPT in /etc/ppp/ip-up.d/*; do
                [ -d $SCRIPT -o ! -x $SCRIPT ] && continue;
                # ignore backup files and leftovers from rpm
                case $SCRIPT in
                    *.rpmsave|*.rpmnew|*rpmorig|*~) continue ;;
                esac
                $SCRIPT "$@" | logger -p security.notice -t $SCRIPT > /dev/null &
            done
        fi
        #run_ifup
        ;;
...then the VPN connection will not drop, but the firewall will silently drop all packets associated with the VPN client connection (ppp0), so it becomes a useless connection. Once the connection is established, if the root user on the server runs:
/sbin/SuSEfirewall2 start
the firewall gets refreshed and is now aware of the ppp0 VPN client connection, and everything works. So how can we have the server do this automatically? ip-up looks for a file named ip-up.local to execute additional commands from. If you look at the above code, you'll see this section:
# call ip-up.local if it exists and is executable:
if test -x /etc/ppp/ip-up.local ; then
    /etc/ppp/ip-up.local "$@" | logger -p security.notice -t ip-up.local > /dev/null &
fi
The /etc/ppp/ip-up.local script isn't created by default, so just create it:
"pico /etc/ppp/ip-up.local" and then save it.
Then "chmod a+x /etc/ppp/ip-up.local" to make it an executable script.
I put the following in the script:
sleep 15
/sbin/SuSEfirewall2 start
This tells ip-up to wait 15 seconds and then restart SuSEfirewall2.
That should resolve the issue. The problem isn't that SuSEfirewall2 was starting too late; it was starting too soon. The 15 second delay gives PPTPD enough time to establish the VPN connection on ppp0 before the firewall gets refreshed to allow the new VPN connection.
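A more careful version of that ip-up.local, added here as an example and not the poster's own script: it only acts for ppp interfaces (using the pppd arguments that ip-up passes through as "$@"), relies on ip-up already backgrounding it and piping its stdout to logger, and coalesces two clients connecting at the same time into a single firewall reload. SFW2_CMD, SFW2_DELAY and SFW2_LOCK are names chosen for this example so it can be exercised without a real firewall.

```shell
#!/bin/sh
# Example /etc/ppp/ip-up.local (added example, not the poster's script).
# ip-up calls this with pppd's arguments:
#   $1 interface  $2 tty  $3 speed  $4 local-IP  $5 remote-IP  $6 ipparam
# ip-up already runs it in the background and pipes stdout to logger
# (the "| logger ... &" line in ip-up), so sleeping here does not delay
# pppd, and plain echo output ends up in /var/log/messages.
# SFW2_CMD, SFW2_DELAY and SFW2_LOCK are names chosen for this example.
SFW2_CMD="${SFW2_CMD:-/sbin/SuSEfirewall2}"
SFW2_DELAY="${SFW2_DELAY:-15}"
SFW2_LOCK="${SFW2_LOCK:-/var/run/ip-up-sfw2.lock}"

# Only PPTP tunnels (pppN) need the rules re-read; other interfaces
# that trigger ip-up should not restart the firewall.
is_ppp_iface() {
    case "$1" in
        ppp[0-9]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Reload SuSEfirewall2 once the tunnel has had time to settle; reloading
# while GRE is still being set up produces the "Error writing GRE packet:
# Operation not permitted" failure seen in the logs above.
# Returns 0 after a successful reload, 1 if another reload is already
# pending (it will pick up this interface too), 2 if the reload failed.
refresh_firewall_after() {
    iface="$1"
    # mkdir is atomic, so two clients connecting at once share one reload.
    if ! mkdir "$SFW2_LOCK" 2>/dev/null; then
        echo "firewall reload already pending, skipping for $iface"
        return 1
    fi
    sleep "$SFW2_DELAY"
    if "$SFW2_CMD" start; then
        echo "SuSEfirewall2 reloaded for $iface"
        rc=0
    else
        echo "SuSEfirewall2 reload failed for $iface"
        rc=2
    fi
    rmdir "$SFW2_LOCK"
    return $rc
}

if is_ppp_iface "$1"; then
    refresh_firewall_after "$1"
fi
```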
------------------------------------------------------------
Below was taken from another message board.
------------------------------------------------------------
My scenario:
Suse professional 9.2 on server [edoras] acting as firewall.
eth0 is external interface linked to an ADSL permanent connection with public ip address
eth1 is internal interface to local 192.168.168.0 LAN
I want to use this firewall as poptop vpn server, using pptpd (pptpd-1.1.2-587 - ppp-2.4.2-49) on ppp0
These are my general VPN settings:
--- pptpd.conf:
...
option /etc/ppp/options.pptp
...
localip 192.168.167.250
remoteip 192.168.167.10-19
...
--- /etc/ppp/options.pptp
name pptpd
lock
debug
nobsdcomp
mtu 1450
mru 1450
proxyarp
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
require-mppe-128
ms-wins 192.168.168.254
ms-dns 192.168.168.254
--- /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth-id-00:04:75:8c:96:b9"
FW_DEV_INT="eth-id-00:02:55:61:35:b2 ppp0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="113 1723 1956 domain imap imaps pop3 pop3s smtp ssh"
FW_SERVICES_EXT_UDP="123 domain"
FW_SERVICES_EXT_IP="gre icmp"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_INT_TCP="143 443 ssh 53 smtp 1723"
FW_SERVICES_INT_UDP="143 53 smtp"
FW_SERVICES_INT_IP="gre icmp"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="no"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="yes"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
PROBLEM: the ppp0 connection is correctly established and authenticated, but during the phase of configuring ppp0, the ip-up script attempts to reload the firewall rules, and the vpn connection fails saying "Error writing GRE packet: Operation not permitted". At this point ppp0 is deactivated.
If I tell ip-up not to restart firewall2, vpn starts well, but naturally the firewall does not permit traffic from ppp to go through.
--- /etc/ppp/ip-up :
.....
case "$BASENAME" in
    ip-up)
        add_nameservers
        # ip_resend hook
        test "$IP_RESEND" = "yes" -a -x /usr/sbin/ip_resend_wakeup && \
            /usr/sbin/ip_resend_wakeup -m $LOCALIP -o $INTERFACE
        start_firewall
.....
Starting a pptpd vpn client :
Jun 24 10:46:42 edoras pppd[739]: local IP address 192.168.167.250
Jun 24 10:46:42 edoras pppd[739]: remote IP address 192.168.167.10
Jun 24 10:46:42 edoras pppd[739]: Script /etc/ppp/ip-up started (pid 764)
Jun 24 10:46:43 edoras pptpd[738]: Error writing GRE packet: Operation not permitted
Jun 24 10:46:43 edoras pptpd[738]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Jun 24 10:46:43 edoras pptpd[738]: CTRL: Client 192.168.168.91 control connection finished
Jun 24 10:46:43 edoras pptpd[738]: CTRL: Exiting now
Jun 24 10:46:43 edoras pppd[739]: Modem hangup
Jun 24 10:46:43 edoras pptpd[737]: MGR: Reaped child 738
Jun 24 10:46:43 edoras pppd[739]: Script /etc/ppp/auth-down started (pid 884)
Jun 24 10:46:43 edoras pppd[739]: MPPE disabled
Jun 24 10:46:43 edoras pppd[739]: sent [LCP TermReq id=0x5 "MPPE disabled"]
Jun 24 10:46:43 edoras pppd[739]: Connection terminated.
Jun 24 10:46:43 edoras pppd[739]: Connect time 0.1 minutes.
Jun 24 10:46:43 edoras pppd[739]: Sent 128 bytes, received 721 bytes.
Jun 24 10:46:44 edoras pppd[739]: Waiting for 2 child processes...
Jun 24 10:46:44 edoras pppd[739]: script /etc/ppp/auth-down, pid 884
Jun 24 10:46:44 edoras pppd[739]: script /etc/ppp/ip-up, pid 764
Jun 24 10:46:44 edoras pppd[739]: Script /etc/ppp/auth-down finished (pid 884), status = 0x0
Jun 24 10:46:47 edoras ip-up: SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Jun 24 10:46:47 edoras SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Jun 24 10:46:47 edoras pppd[739]: Script /etc/ppp/ip-up finished (pid 764), status = 0x0
Jun 24 10:46:47 edoras pppd[739]: Script /etc/ppp/ip-down started (pid 1664)
At this point ppp0 falls and my vpn client dies.
Commenting out start_firewall in /etc/ppp/ip-up, pppd starts well and ppp0 is configured correctly, but the firewall is not aware of it, so I can't use the vpn connection due to firewall restrictions.
Jun 24 10:51:59 edoras pppd[2579]: local IP address 192.168.167.250
Jun 24 10:51:59 edoras pppd[2579]: remote IP address 192.168.167.10
Jun 24 10:51:59 edoras pppd[2579]: Script /etc/ppp/ip-up started (pid 2604)
Jun 24 10:51:59 edoras pppd[2579]: Script /etc/ppp/ip-up finished (pid 2604), status = 0x0
Jun 24 10:52:04 edoras ip-up: fetchmail: no mailservers have been specified.
Jun 24 10:52:57 edoras pptpd[2578]: CTRL: Received PPTP Control Message (type: 5)
Jun 24 10:52:57 edoras pptpd[2578]: CTRL: Made a ECHO RPLY packet
Jun 24 10:52:57 edoras pptpd[2578]: CTRL: I wrote 20 bytes to the client.
Jun 24 10:52:57 edoras pptpd[2578]: CTRL: Sent packet to client
--- ifconfig -a
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.167.250  P-t-P:192.168.167.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:4447 (4.3 Kb)  TX bytes:128 (128.0 b)