VPN problem with pptp and gre

Not applicable

Dear all,

   I use a PAN500 to replace a Linksys firewall. I have a problem with our clients that use a VPN client to dial up to an Internet VPN server device such as a router. Our diagram looks like this:

Client (Windows XP, with MS VPN client) --> PAN500 --> VPN server (router)

  I tried watching the traffic monitor. I found unusual traffic with these details: From Port = 0, NAT Source Port = 0, To Port = 0, NAT Destination Port = 0, Application = gre

  With my old firewall it was OK for this case.

Please help me.

Thanks

TU

L5 Sessionator

Re: VPN problem with pptp and gre

PPTP uses TCP port 1723 to set up the tunnel and GRE for the actual tunnel traffic. The TCP side is rather straightforward. But GRE is neither TCP nor UDP. It is in fact IP protocol 47 (TCP is IP protocol 6 and UDP is IP protocol 17). There are no ports for GRE. That is why you see zero for source/destination ports.

To allow such traffic you will need to allow the applications 'pptp' and 'gre'. If you have NAT in between, then you will need to use static NAT to your PPTP server, since there is no port to translate for GRE traffic.

-Richard
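To make the point above concrete, here is an added example (it is not part of Richard's post and not Palo Alto Networks code) that builds a constructed PPTP control packet, a constructed PPTP tunnel packet, and a plain GRE packet from raw IPv4 headers, then classifies them the way a session log would. The client and server addresses, port 51000 and Call ID 0x1234 are made-up sample values. It shows that TCP/1723 has ports to log, that IP protocol 47 has none (hence the 0/0 in the monitor), and that the enhanced GRE header defined in RFC 2637 does carry a 16-bit Call ID after the protocol type, which is the only per-session field a NAT could key on.

```python
"""Classify PPTP control (TCP/1723) versus GRE tunnel (IP protocol 47) packets
from raw IPv4 bytes. All packets here are constructed in code, not captured."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
PPTP_GRE_PROTOCOL_TYPE = 0x880B   # PPP inside enhanced GRE (RFC 2637)


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left at zero) + payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_tcp(sport, dport):
    """Bare TCP SYN header; enough for port-based classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_pptp_gre(call_id, payload=b""):
    """Enhanced GRE header (RFC 2637): K and S flags set, version 1, protocol
    type 0x880B, 16-bit payload length, 16-bit Call ID, 32-bit sequence number."""
    flags_ver = (0b0011 << 12) | 1          # K=1 (key present), S=1 (seq present), ver=1
    return struct.pack("!HHHHI", flags_ver, PPTP_GRE_PROTOCOL_TYPE,
                       len(payload), call_id, 0) + payload


def classify(packet):
    """Return a session-log style record for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    rec = {"src": ".".join(str(b) for b in packet[12:16]),
           "dst": ".".join(str(b) for b in packet[16:20]),
           "proto": proto, "from_port": 0, "to_port": 0,
           "app": "unknown", "call_id": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        rec["from_port"], rec["to_port"] = struct.unpack("!HH", l4[:4])
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (rec["from_port"], rec["to_port"]):
            rec["app"] = "pptp"
    elif proto == IPPROTO_GRE:
        rec["app"] = "gre"                  # no transport ports exist; a log shows 0/0
        flags_ver, ptype = struct.unpack("!HH", l4[:4])
        key_present = bool(flags_ver & 0x2000)
        version = flags_ver & 0x7
        if ptype == PPTP_GRE_PROTOCOL_TYPE and key_present and version == 1:
            rec["call_id"] = struct.unpack("!H", l4[6:8])[0]   # PPTP Call ID
    return rec


def sample_packets():
    """Constructed traffic for one PPTP session plus one plain (non-PPTP) GRE packet."""
    client, server = "192.168.1.10", "203.0.113.5"   # made-up sample addresses
    return {
        "pptp_control": build_ipv4(client, server, IPPROTO_TCP,
                                   build_tcp(51000, PPTP_CONTROL_PORT)),
        "pptp_tunnel": build_ipv4(client, server, IPPROTO_GRE,
                                  build_pptp_gre(0x1234, b"\xff\x03\xc0\x21")),
        "plain_gre": build_ipv4(client, server, IPPROTO_GRE,
                                struct.pack("!HH", 0, 0x0800) + b"\x45"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt))
```

The plain GRE packet (version 0, protocol type 0x0800) classifies as `gre` with no Call ID, which is why "allow application gre" is the right firewall rule but not by itself a way to tell two PPTP tunnels apart.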

Not applicable

Re: VPN problem with pptp and gre

Hi Richard,

   Sorry for the delayed reply. These are the policies on my PAN box.

NAT:

1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = dynamic-ip-and-port, translated address = y.y.y.y (IP of Outside interface), dest. translation = none.

Security:

1. source zone = outside, source address = public IP of VPN (PPTP) servers, source user = any, dest. zone = outside, dest. address = y.y.y.y (IP of Outside interface), application = any, service = any, action = allow

2. source zone = inside, source address = 192.168.x.0/24 (IP of LAN subnet), source user = any, dest. zone = outside, dest. address = any, application = any, service = any, action = allow

  The result after commit: I noticed that sometimes clients can connect via PPTP but sometimes they can't. Is anything missing in this configuration?

Thank you,

TU

L5 Sessionator

Re: VPN problem with pptp and gre

Your NAT rule is not a static NAT. Static NAT would be a 1-to-1 mapping of a public to a private IP without port translation. You have dynamic-ip-and-port which is many-to-1 with port translation. The problem I can foresee is that only one source IP may ever be able to use this NAT rule because there are no ports to translate for GRE. That may be why it sometimes works and sometimes not. You should configure 1-to-1 static NAT if you require multiple users to use PPTP with NAT.

-Richard

Not applicable

Re: VPN problem with pptp and gre

The NAT rule I referred to is the rule I use to NAT our clients to the Internet via the public IP of the Internet interface. So I'm not sure whether changing this configuration will affect the clients' Internet traffic. Let me show you the NAT rule as I think it should be:

NAT:

1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = static IP, translated address = y.y.y.y (IP of Outside interface), bi-directional = yes, dest. translation = none.

   Please correct this NAT rule. If any change is needed, please comment. Does this NAT rule have any limitation for NAT traffic?

Thank you

TU

Not applicable

Re: VPN problem with pptp and gre

Hi,

   For the above rule, I can't finish the commit. It gave me this error:

"device: nat rule 'NAT_rule': Mismatch static-ip address range between original address and translated addressFailed to parse nat policyCommit failed"

   Could you please help me?

Thank you

TU

L4 Transporter

Re: VPN problem with pptp and gre

TU,

You cannot use a subnet /24 to translate to one static IP. You will have to use a /32 address to translate to one static IP. That is why you are seeing that error.

Hope this helps.

Thanks

Not applicable

Re: VPN problem with pptp and gre

Hi marjdev,

   Thanks for your reply.

    In my case, more than one client on the LAN (192.168.0.0/24) needs to connect to the Internet VPN server with a PPTP connection at the same time, because different clients have different logons/passwords and they want to connect at the same time.

------

(Again) These are the policies on my PAN box.

NAT:

1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = dynamic-ip-and-port, translated address = y.y.y.y (IP of Outside interface), dest. translation = none.

Security:

1. source zone = outside, source address = public IP of VPN (PPTP) servers, source user = any, dest. zone = outside, dest. address = y.y.y.y (IP of Outside interface), application = any, service = any, action = allow

2. source zone = inside, source address = 192.168.x.0/24 (IP of LAN subnet), source user = any, dest. zone = outside, dest. address = any, application = any, service = any, action = allow

-------

The source translation method is "dynamic-ip-and-port". Is it OK for my case? As I mentioned, sometimes clients can connect and sometimes they can't.

Please help me, because my customer wants to use this VPN.

Thank you

TU

L4 Transporter

Re: VPN problem with pptp and gre

The side with the non-static will need to be the initiator for your dynamic environment. This would explain the intermittent success.

L5 Sessionator

Re: VPN problem with pptp and gre

Quote:"To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic. "

To resurrect an old thread: has this issue been resolved in newer PAN-OS releases, or is static NAT still required for outgoing GRE connections? As far as I know you can track some parameters in the GRE packet to send it to the correct host, and in this way GRE should be possible with dynamic NAT as well. Can someone please confirm this?
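The following added example (not part of any post above and not PAN-OS code; whether a particular firewall release implements the third mode is exactly the open question in the previous post) models both Richard's explanation of why dynamic-ip-and-port can only carry one inside host's GRE tunnel to a given server, and the "track a parameter in the GRE packet" idea raised just above. Two LAN hosts dial the same PPTP server at once and the model reports who ends up with a tunnel whose return traffic can be mapped back. The three modes are: many-to-one PAT, where TCP gets a fresh source port but GRE has nothing to rewrite, so the second host's mapping collides; 1:1 static NAT, where each host gets its own public address; and a PPTP-aware helper of the kind described in RFC 2637 terms, which rewrites the 16-bit Call ID the way PAT rewrites a port. All addresses, the port 50000 and the Call IDs are constructed sample values.

```python
"""Model outbound PPTP (TCP/1723 control + GRE tunnel) through three NAT
source-translation modes. Addresses and identifiers are constructed samples."""
from dataclasses import dataclass
from itertools import count

TCP, GRE = 6, 47
SERVER = "203.0.113.5"          # made-up public PPTP server address


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    ident: int                  # TCP source port, or the GRE Call ID the client chose


class Nat:
    """Translation table keyed by what the server's reply will look like."""

    def __init__(self, mode, public_ips):
        self.mode = mode                  # "dynamic-ip-and-port", "static-ip" or "pptp-alg"
        self.pool = list(public_ips)      # addresses available for translation
        self.static = {}                  # inside IP -> dedicated public IP (static-ip)
        self.table = {}                   # outside key -> (inside IP, original ident)
        self.ports = count(1024)          # PAT source-port allocator
        self.call_ids = count(1)          # Call ID allocator used by the helper mode

    def _public_ip(self, src_ip):
        if self.mode != "static-ip":
            return self.pool[0]           # all hosts share the interface address
        if src_ip not in self.static:
            if not self.pool:
                return None               # no spare 1:1 address for this host
            self.static[src_ip] = self.pool.pop(0)
        return self.static[src_ip]

    def _outside_ident(self, flow):
        if flow.proto == TCP:
            return flow.ident if self.mode == "static-ip" else next(self.ports)
        if self.mode == "dynamic-ip-and-port":
            return None                   # GRE has no port; nothing to rewrite
        if self.mode == "pptp-alg":
            return next(self.call_ids)    # helper rewrites the Call ID like a port
        return flow.ident                 # static-ip: Call ID passes through unchanged

    def translate(self, flow):
        """Outbound: return the key replies will carry, or None if no
        unambiguous mapping can be created."""
        pub = self._public_ip(flow.src_ip)
        if pub is None:
            return None
        key = (flow.proto, pub, flow.dst_ip, self._outside_ident(flow))
        owner = self.table.get(key)
        if owner is not None and owner != (flow.src_ip, flow.ident):
            return None                   # replies to this key already belong to another host
        self.table[key] = (flow.src_ip, flow.ident)
        return key

    def reverse(self, key):
        """Inbound: map a reply back to (inside IP, original ident), or None."""
        return self.table.get(key)


def run_scenario(mode, public_ips=("198.51.100.1", "198.51.100.2")):
    """Two LAN hosts dial the same PPTP server at the same time; report which
    of them gets both a control channel and a tunnel whose replies map back."""
    nat = Nat(mode, public_ips)
    ok = {}
    for host in ("192.168.1.10", "192.168.1.11"):
        ctl = nat.translate(Flow(TCP, host, SERVER, 50000))   # control channel to tcp/1723
        tun = nat.translate(Flow(GRE, host, SERVER, 1))       # both clients happen to pick Call ID 1
        ok[host] = (ctl is not None and tun is not None
                    and nat.reverse(tun) == (host, 1))
    return ok


if __name__ == "__main__":
    for mode in ("dynamic-ip-and-port", "static-ip", "pptp-alg"):
        print(mode, run_scenario(mode))
    print("static-ip with a single /32:", run_scenario("static-ip", ("198.51.100.1",)))
```

The last line of the demo reproduces the commit error discussed earlier in spirit: a static 1:1 rule needs one public address per inside host, so a single translated address can only ever serve one /32 source, which is why a /24 source with one static translated IP cannot be expressed.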
