New Zealand ADSL Mailing List


Re: Almost OT but please help... (PPTP, Sonicwall, M1122, ADSL)

From: Brian Gibbons <brian_at_outersite.co.nz>
Date: Sat, 16 Aug 2003 04:46:16 +1200
Message-ID: <005401c3634c$bea67470$c964a8c0@pcx.local.lan>

>From: "Neil Gardner" <neil@neilnz.com>
>Hi there people, I have been experimenting with using
>a Sonicwall Tele3/10 connected to an M1122 in PPTP mode
>(to bring the Public IP to the Wan port of the Sonicwall)
>and all is basically going as expected...

>I can now though, NOT connect to a PPTP vpn that I previously could

You're right Neil, the theory says it should work - but remember you will
have some MTU issues and dropping the MTU on your client system to 1400-1450
would save some headaches.

As to not being able to establish the tunnel through the tunnel it smells of
"default deny rules" or subtle configuration problems.

I am not familiar with Sonicwall but here are some common causes:

Does the Sonicwall have a PPTP Application Layer Gateway (ALG)? This may be
getting confused - a single outgoing PPTP connection does not need an ALG, so
perhaps try disabling it.

Is there some kind of "one strike you're out" feature in the Sonicwall?
(e.g. if it receives an unsolicited incoming packet that does not match
state, then it denies all packets from the source IP for a period of time).
In the case of PPTP the first outgoing GRE packet will create NAT state that
is also used for incoming GRE from the server. The first server GRE packet
often arrives before the first outgoing packet, and will get dumped, this
may trigger the firewall to dump any further incoming GRE packets (for a
single user, a GRE forwarding rule can eliminate this).

The "out of the box" configuration of the Sonicwall may support PPTP
pass-through but when you add the PPTP tunnel to the M1122 you are adding
another interface to the firewall, it now has three interfaces e.g.
[Inner],[Outer] and [PPTP0]. You may have to specifically configure the
[PPTP0] Interface to allow certain features (like PPTP pass through), for
example the PPTP ALG may not be bound to the [PPTP0] Interface and this
could be the source of the funny ICMP message.

Perhaps look for an "out of the box" Sonicwall config for connecting via a
Speedtouch Home, this may reveal some clues.

Hope that helps

BG.

Received on Sat Aug 16 04:46:39 2003
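
The GRE ordering problem described in the message above, as a toy model added here (not part of the original email, and not a description of how any Sonicwall actually behaves). The class, the 30-second penalty, the addresses and the timeline are all constructed assumptions.

```python
from dataclasses import dataclass, field

PENALTY = 30  # seconds a source stays blocked after one strike (constructed)

@dataclass
class ToyFirewall:
    """Hypothetical stateful NAT box handling GRE (IP protocol 47)."""
    one_strike: bool = True      # block a source after one unsolicited packet
    gre_forward_to: str = ""     # static GRE forwarding rule, "" = none
    state: set = field(default_factory=set)      # (inside_host, peer) pairs
    blocked: dict = field(default_factory=dict)  # peer -> time block expires

    def outbound(self, now, inside, peer):
        # The first outgoing GRE packet creates the NAT state that
        # incoming GRE from the same peer is later matched against.
        self.state.add((inside, peer))
        return "pass"

    def inbound(self, now, peer):
        if self.blocked.get(peer, 0) > now:
            return "drop (source blocked)"
        if any(p == peer for _, p in self.state):
            return "pass (matches state)"
        if self.gre_forward_to:
            return "pass (forwarding rule)"
        if self.one_strike:
            self.blocked[peer] = now + PENALTY
        return "drop (no state)"

SERVER = "203.0.113.5"   # documentation address, constructed
CLIENT = "192.168.1.10"  # constructed inside host
# Constructed timeline: the server's first GRE packet beats the client's.
RACE = [(0.0, "in"), (0.1, "out"), (0.2, "in"), (31.0, "in")]

def replay(one_strike=True, gre_forward_to=""):
    """Run the RACE timeline through a fresh firewall, return verdicts."""
    fw = ToyFirewall(one_strike=one_strike, gre_forward_to=gre_forward_to)
    verdicts = []
    for now, direction in RACE:
        if direction == "out":
            verdicts.append(fw.outbound(now, CLIENT, SERVER))
        else:
            verdicts.append(fw.inbound(now, SERVER))
    return verdicts

if __name__ == "__main__":
    for label, kw in [("one-strike", {}),
                      ("no one-strike", {"one_strike": False}),
                      ("GRE forward rule", {"gre_forward_to": CLIENT})]:
        print(f"{label:18}", replay(**kw))
```

In the one-strike run the server's GRE is dropped even after NAT state exists, until the penalty expires; with the forwarding rule the early packet passes and the block is never triggered.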
