topic Re: VPN problem with pptp and gre in General Topics

VPN problem with pptp and gre

systemadmin_tu — Sat, 03 Sep 2011 04:22:15 GMT

Dear all,

I use PAN500 replace linksys firewall. I have the problem with our client that use VPN client to dialup to internet VPN server device such as router. Our diagram looklike this.

Client(window XP, with MS VPN client) --> PAN500 --> VPN server(router)

I try to watch monitoring traffic. I found unusual traffic with detail : From port = 0 , NAT Source Port = 0 , To Port = 0, NAT Destination Port = 0 , Application = gre

With my old firewall It is ok for this case.

Please help me.

Thanks

Re: VPN problem with pptp and gre

Retired Member — Sun, 04 Sep 2011 05:24:56 GMT

PPTP uses TCP port 1723 to setup the tunnel and GRE for the actual tunnel traffic. The TCP side is rather straightforward. But GRE is not TCP nor UDP. It is in fact IP protocol 47 (TCP is IP protocol 6 and UDP is IP protocol 17). There is no ports for GRE. That is why you see zero for source/destination ports.

To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic.

-Richard

Re: VPN problem with pptp and gre

systemadmin_tu — Thu, 08 Sep 2011 08:15:49 GMT

Hi Rechard,

Sorry for delay reply. These are policy on my PAN box.

NAT:

1. source zone= Inside(LAN), destination zone= Outside(internet) , source address = 192.168.x.0/24(IP of LAN subnet) , dest. address= any, service =any, source translation = dynamic-ip-and-port , translated address = y.y.y.y(IP of Outside interface) , Dest. translation = none.

Security:

1. source zone = outside , source address = public IP of VPN (pptp) servers, source user = any, dest. zone = outside , dest. address = y.y.y.y(IP of Outside interface), application = any, service = any , action = allow

2. source zone = inside, source address = 192.168.x.0/24(IP of LAN subnet), source user = any, dest. zone = outside , dest. address = any, application = any, service = any , action = allow

The result after commit. I noticed that sometime client can connect pptp but sometime cann't. Any missing on this configuration.

Thanks you,

Re: VPN problem with pptp and gre

Retired Member — Sat, 10 Sep 2011 17:42:58 GMT

Your NAT rule is not a static NAT. Static NAT would be a 1-to-1 mapping of a public to a private IP without port translation. You have dynamic-ip-and-port which is many-to-1 with port translation. The problem I can foresee is that only one source IP may ever be able to use this NAT rule because there are no ports to translate for GRE. That may be why it sometimes works and sometimes not. You should configure 1-to-1 static NAT if you require multiple users to use PPTP with NAT.

-Richard

Re: VPN problem with pptp and gre

systemadmin_tu — Sun, 11 Sep 2011 15:25:57 GMT

The NAT rule that I refered, I use this rule to NAT our client to Internet via public IP of internet internet. So I'm not sure that if I change this configure It will effect to client's internet traffic. Let's me show you the NAT rule that should be as follow

NAT:

1. source zone= Inside(LAN), destination zone= Outside(internet) , source address = 192.168.x.0/24(IP of LAN subnet) , dest. address= any, service =any, source translation = static IP , translated address = y.y.y.y(IP of Outside interface) , Bi-direction = yes , Dest. translation = none.

Please correct this NAT rule. Any change please comment to me. For this NAT rule, It have any limitation for NAT traffic?

Thanks you

Re: VPN problem with pptp and gre

systemadmin_tu — Tue, 13 Sep 2011 13:53:28 GMT

Hi,

For above rule, I cann't finish the commit. It told me with this error

"device: nat rule 'NAT_rule': Mismatch static-ip address range between original address and translated addressFailed to parse nat policyCommit failed"

Could you please help me.

Thanks you

Re: VPN problem with pptp and gre

mrajdev — Tue, 13 Sep 2011 14:25:18 GMT

TU,

You cannot use a subnet /24 to translate to one static IP. You will have to use a /32 address to translate to one static IP. That is why you are seeing that error.

Hope this helps.

Thanks

Re: VPN problem with pptp and gre

systemadmin_tu — Tue, 13 Sep 2011 14:56:00 GMT

Hi marjdev,

Thank for you reply.

For my case, If my clients,more than 1 client, on LAN (192.168.0.0/24) to connect internet VPN server with PPTP connection at the same time. Because different client has different logon/password and they want to conect at the sametime.

------

(again)These are policy on my PAN box.

NAT:

Security:

2. source zone = inside, source address = 192.168.x.0/24(IP of LAN subnet), source user = any, dest. zone = outside , dest. address = any, application = any, service = any , action = allow

-------

Source method is "dynamic-ip-and-port". Is it ok for my case? As I maintained sometime client can connect, someteim client cann't connect.

Please help me. Because my customer want to use this VPN.

Thanks you

Re: VPN problem with pptp and gre

pkruse — Tue, 13 Sep 2011 19:19:33 GMT

The side with the non-static will need to be the initiator for your dynamic environment. This would explain the intermittent success.

Re: VPN problem with pptp and gre

santonic — Thu, 21 Nov 2013 14:25:39 GMT

Quote:"To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic. "

To resurrect old thread; has this issue been resolved in newer PAN-OS releases or is static NAT still required for outgoing GRE connections? As far as I know you can track some parameters in GRE packet to send it to the correct host and in this way GRE should be possible with dynamic NAT as well. Can someone please confirm this?

Re: VPN problem with pptp and gre

mvidic — Mon, 11 Sep 2017 12:53:57 GMT

Hi @santonic, it seems that this remains an issue:)

Re: VPN problem with pptp and gre

santonic — Tue, 12 Sep 2017 11:45:17 GMT

Hey @mvidic maybe we should start a feature request?:)