Passing pptp through IPFire

I’m having trouble connecting to a pptp vpn. When I connect my other networks (not protected by IPFire), I can connect to the pptp endpoint but I can’t connect to the same VPN passing through IPFire.

What am I missing?

Logs or other information that helps someone to get to the bottom of it.

IPFire has a PPTP ALG which you can disable on the firewall options page. It should not cause any problems, but it might be worth a try.

Thank you. I completely forgot about the application level gateways. The PPTP one was turned off. After flipping the switch and rebooting, it works just fine. FWIW, there are no traces in the messages log file giving any indication to look for an ALG. I would still be hunting and cursing if it had been for your help.

Suggestion: all of those firewall options were invisible. I would either add a submenu to firewall options or explicitly list those options in the firewall drop-down to make them discoverable.

Where? They are all listed on a big page. How are they invisible?

Sorry. I wasn’t clear enough.

Back in the day when I was more heavily involved in HCI work, I learned from the researchers that people use the menus to discover what they need to do. This is one of the contexts where popout submenus work better than dialog boxes with tabs.

In the firewall options menu item, the addition of a popout submenu listing major categories on that page would help user navigation. Another possible UI mechanism could be a pop-up tooltip that explains what is found under that menu item.

Does that make sense?

Yes it does. The UI of the firewall isn’t the best, but it works, which is most important.

Hi everyone,
What about this Topic with Core update 155 ?
I tried several rules that NAT GRE protocol and TCP 1723 In and Out but i canno’t find a way to make the PPTP VPN Pass throught without the ALG PPTP in Core 155.
So i had to temporarly revert to Core 154 with ALG PPTP.
Thanks for your help.

1 Like

same here. I have a site that still uses pptp and with 155 I can’t connect anymore even there is a Port 1723 and a GRE Fw rule…

Any help would be appreciated!

Cheers
Uwe

…yes, it’s probably time to switch to sstp. Already ordered a SSL Certificate…

This is everybody’s chance to stop using PPTP. It has been insecure for a VERY long time now, and it really should have been replaced a long time ago. IKEv2 is likely your best bet, using IPFire and the built-in clients in Windows, Mac, Android, and iOS.

1 Like

Hi Tom

I switched the site to sstp almost two weeks ago, so the clients don’t need to be changed that much and still use AD authentication.

The question was more to get a “quick” workaround before the new service/certificates was in place and before I could change the clients.

And to gain the understanding why the ALG is necessary at all, I always thought that creating two firewall rules for GRE and port 1723 is all that needs to be done…
Could you explain that to me?

Cheers
Uwe

@power-valve: Port forwards are fine if only one machine behind the firewall is to receive all of the traffic (or at least all of the traffic matching the rule you create). However, if you intend to have multiple different devices, then an ALG would make more sense, though recent security concerns mean that you should use caution with ALGs, and I think they will be removed from IPFire.

Generally, an ALG would make sense if you have clients behind the firewall, whereas firewall rules would make sense if you have a server behind the firewall.

Check out the IPFire Wiki for IPSec Roadwarriors using MacOS and Windows. People are intimidated by IPSec for some reason, but it’s really not that challenging, unless you have a more complicated setup. There’s a learning curve, but it’s not insurmountable.

Hi Tom

It was just about a pptp server sitting behind an IPFire. The clients didn’t use IPFire, they haven’t changed.

So just a single port forwarding.

That’s why i am curious why it didn’t work anymore.

Cheers
Uwe



From: no-reply@community.ipfire.org
Sent: April 16, 2021 00:31
To: Uwe@Prions.de
Reply-to: replies+58e36a91ce5f4aee221fc3bd1faa345e@community.ipfire.org
Subject: [IPFire Community] [Virtual Private Networks] Passing pptp through IPFire

|

  • |

| Tom Rymes trymes
15 April |

  • | - |

@power-valve: Port forwards are fine if only one machine behind the firewall is to receive all of the traffic (or at least all of the traffic matching the rule you create). However, if you intend to have multiple different devices, then an ALG would make more sense, though recent security concerns mean that you should use caution with ALGs, and I think they will be removed from IPFire.

Generally, an ALG would make sense if you have clients behind the firewall, whereas firewall rules would make sense if you have a server behind the firewall.

Check out the IPFire Wiki for IPSec Roadwarriors using MacOS and Windows. People are intimidated by IPSec for some reason, but it’s really not that challenging, unless you have a more complicated setup. There’s a learning curve, but it’s not insurmountable.

this all sucks… users are unhappy with latest changes…!!!

NO MS VPN can be made anymore… the Application Layer Gateways options are missing - causing no more simple vpn is possible - what the biggest problem is - ipfire is unable to accept firewall rules about port 47 (or GRE protocol) - it shows DROP_INPUT on this port

and the IKEv2 and IPSEC - that is another level - no one windows I have tested is capable to create vpn with ipsec… shame for this !

if somebody has working config please report here… thank You.

p.s. And the WIKI is outdated like the egyptian pyramides… such options mentioned in wiki are not more implemented… please - correct wiki on working config so the ms (windows) vpn is again available !!! please !!!

It’s not that bad. SSTP is a safe and universal MS VPN Protocol and easy to setup. And just needs port 443 forwarded to a RRAS Server…

Cheers
Uwe



From: no-reply@community.ipfire.org
Sent: April 30, 2021 15:22
To: Uwe@Prions.de
Reply-to: replies+72467391c23bd6e6f034036c32c03c2c@community.ipfire.org
Subject: [IPFire Community] [Virtual Private Networks] Passing pptp through IPFire

|

  • |

| Robert UHRIK
30 April |

  • | - |

this all sucks… users are unhappy with latest changes…!!!

NO MS VPN can be made anymore… the Application Layer Gateways options are missing - causing no more simple vpn is possible - what the biggest problem is - ipfire is unable to accept firewall rules about port 47 (or GRE protocol) - it shows DROP_INPUT on this port

and the IKEv2 and IPSEC - that is another level - no one windows I have tested is capable to create vpn with ipsec… shame for this !

if somebody has working config please report here… thank You.

p.s. And the WIKI is outdated like the egyptian pyramides… such options mentioned in wiki are not more implemented… please - correct wiki on working config so the ms (windows) vpn is again available !!! please !!!

Windows 10 IPSec is straightforward, and the wiki should get you what you need. I’ll work to update it in the future, but you need to make sure that your certificates meet the requirements, set up the tunnel, and then add the tunnel to Windows.

These commands in Powershell make adding the tunnel simpler:

Add-VpnConnection -name "My VPN" -ServerAddress "server.domain.dom" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required

Set-VpnConnectionIPsecConfiguration -ConnectionName "My VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048  -Force

Obviously, you need to change the connection name and the server name.

You can uncheck the box in the IPSec Advanced configuration page for “IKE+ESP: Use only proposed settings.” while testing. If it works with that unchecked, you have the wrong ciphers selected. Leaving it unchecked is a bad idea, as the server will accept any cipher selection, including weak ones.

You can also run an older version of IPFire, but doing so is a security risk because of the ALGs.

Lastly, help us help you. If you run into an issue with the directions in the wiki, instead of making snarky comments about how old they are, tell us what you tried, what worked, and what went wrong. We can’t help if we don’t know what problems you’re having.

4 Likes

I have been think of writting an small IPfire Windows10 IPSec step-by-step guide for dummies based on my own notes. One thing I realized after going IPsec is that most of us will start with a unsafe configuration. It’s crucial to provide a clear safe path for those getting started with IPsec.
I have only windows clients on IPSEC IKEv2.

1 Like

@tuga: that would be excellent. Use the existing tutorials in the wiki as a starting point, and don’t forget to include the important steps needed for Mac/iOS compatibility when generating the main certificates.

Powershell in Windows10 would be an important piece, too, as it’s the only way you can enable strong authentication.

I’d be happy to review what you come up with.

yes @tuga please, write it and publish it asap. please please. :slight_smile: and if possible - edit the original wiki article - that is so brief so nobody can create working ipsec ikev2 connection with that without further investigating and reading tons of forum articles… and a lot of trials and errors… :wink: been waiting for Your guide…