Instance external VPN can't connect (PPTP/GRE)

Bug #1797100 reported by Manuel
Affects: Packstack
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

How to reproduce:

- Create a tenant with a Windows or Linux instance. (We use VXLAN.)
- Deploy a VPN server such as Microsoft RRAS or PPTPD on Linux.
- Assign a floating IP to your instance.
- Disable port security at the port level for your instance so that all traffic bypasses it. (This will remove all your security groups by default.)
- Go to Windows, create a VPN adapter and try to connect to your VPN server.

Result: Error 800 (can't establish)

After more than 48 hours checking the issue, we found that the deployment is missing the following kernel modules on the network node, which causes the drops:

nf_conntrack_proto_gre
ip_conntrack_pptp
ip_nat_pptp

To check whether the modules are enabled in your installation:

lsmod | grep nf_conntrack_proto_gre
lsmod | grep nf_conntrack_pptp
lsmod | grep nf_nat_pptp

If not enabled, enable them temporarily on your network node with the following commands:
modprobe nf_conntrack_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

You must also check that your iptables rules allow input for protocol 47 (GRE); use iptables -S INPUT.
If not allowed, you must add it before the default reject rule:
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Important note: the loaded modules will be cleared on the next reboot; you must set them up to load on boot.

Once this fix is applied, from your computer you will be able to establish a PPTP tunnel over the GRE protocol that allows you to connect from your local computer to the instance network.
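As an added example (not part of this bug report or of Packstack), a small POSIX shell script that automates the checks described above on the network node: it reports which of the three conntrack modules are missing from lsmod output, checks whether an ACCEPT for GRE precedes the first REJECT in iptables -S INPUT, and writes the modules-load.d file that makes the modules persistent across reboots. It assumes the current module names nf_conntrack_proto_gre, nf_conntrack_pptp and nf_nat_pptp (the ip_conntrack_pptp and ip_nat_pptp names used in the report are aliases of the last two; on newer kernels GRE tracking is built into nf_conntrack itself, so the first name should be dropped from the list there), and /etc/modules-load.d/pptp.conf is a chosen file name.

```shell
#!/bin/sh
# Added example, not from the bug report: check and persist the conntrack
# helpers that PPTP (GRE, IP protocol 47) needs on the network node.
# Assumed current module names; ip_conntrack_pptp / ip_nat_pptp are aliases.
REQUIRED_MODULES="nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_pptp"

# Read `lsmod` output on stdin and print the required modules that are not
# loaded, one per line. Only the first column (module name) is compared, so a
# name that merely appears in the "Used by" column is still reported missing.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in $REQUIRED_MODULES; do
        echo "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Read `iptables -S INPUT` output on stdin. Succeed only if an ACCEPT for GRE
# is listed before the first REJECT/DROP rule: iptables stops at the first
# matching rule, so a GRE ACCEPT appended after the REJECT never matches.
gre_accepted_before_reject() {
    awk '
        /^-A INPUT .*-p (gre|47) .*-j ACCEPT/ { print "ok"; exit }
        /^-A INPUT .*-j (REJECT|DROP)/        { print "blocked"; exit }
    ' | grep -qx ok
}

# Content for /etc/modules-load.d/pptp.conf (assumed file name) so that
# systemd-modules-load loads the helpers again after a reboot.
modules_load_conf() {
    for m in $REQUIRED_MODULES; do echo "$m"; done
}

# Apply on a real network node (needs root); only runs when invoked as
# "sh script.sh apply", so sourcing or testing the file changes nothing.
if [ "${1:-}" = "apply" ]; then
    lsmod | missing_modules | while read -r m; do modprobe "$m"; done
    modules_load_conf > /etc/modules-load.d/pptp.conf
    if ! iptables -S INPUT | gre_accepted_before_reject; then
        # Insert at the head of INPUT: one step, no need to delete and
        # re-append the REJECT rule as the report does.
        iptables -I INPUT -p gre -j ACCEPT
    fi
fi
```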

Alfredo Moralejo (amoralej) wrote :

Hi,

Did you try only applying the iptables rules you described:

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

but without enabling the kernel modules?

Best regards,

Alfredo

Manuel (mriosfer) wrote :

Hi,

Yes, we tried other things before:

- Add as special security group that allow Protocol 47 (GRE) for in/out.

Result: Not running.

Just found another bug report for Fuel 7.0 with the same issue:

https://bugs.launchpad.net/fuel/+bug/1474210

Alfredo Moralejo (amoralej) wrote :

Hi,

If I understand right, to get that working you had to:

- Add the iptables rules.
- Enable the mentioned kernel modules (did you try without this?).
- Add security group for protocol 47 in the user's tenant.

Is this correct?

Note that packstack will not take care of the security group part.

Best regards,

Alfredo
