protocol 47 unreachable

Upgraded from OpenBSD 2.9 to 3.0. I can no longer VPN to a PPTP server. This worked like a charm with OpenBSD 2.9.

PARTIAL RULE SET from pf.conf:

# REDIRECTIONS...
 rdr on we0 proto tcp from any to 142.179.147.0/24 port 1723 -> \
        192.168.5.200 port 1723

N.B.: without the rdr statement I get a "Server not responding", so I believe (maybe incorrectly) that it is required.

# PPTP
 pass  in quick on we0 inet proto tcp from any to any port 1723 keep state
 pass out quick on we0 inet proto tcp from any to any port 1723 keep state
 pass  in quick on we0 inet proto gre from any to any keep state
 pass out quick on we0 inet proto gre from any to any keep state

PARTIAL tcpdump FOLLOWS:

wst-fw1# tcpdump -i we0 -n
tcpdump: listening on we0
12:17:19.060440 142.179.147.65.22 > 68.144.16.250.52793: P 3116315611:3116315655(44) ack 4030554368 win 65535 (DF) [tos 0x10]
12:17:19.099079 142.179.147.65.65096 > 207.46.108.39.1863: P 505809374:505809480(106) ack 420140931 win 63618 (DF)
12:17:19.129951 68.144.16.250.52793 > 142.179.147.65.22: . ack 44 win 64156 (DF) [tos 0x28]
12:17:19.163230 207.46.108.39.1863 > 142.179.147.65.65096: . ack 106 win 17050 [tos 0x28]
12:17:20.044690 142.179.147.65.22 > 68.144.16.250.52793: P 44:400(356) ack 1 win 65535 (DF) [tos 0x10]
12:17:20.052084 68.144.16.250.63315 > 142.179.147.65.1723: S 3700078406:3700078406(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x28]
12:17:20.052725 142.179.147.65.1723 > 68.144.16.250.63315: S 4048490238:4048490238(0) ack 3700078407 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:20.060461 142.179.147.65.22 > 68.144.16.250.52793: P 400:508(108) ack 1 win 65535 (DF) [tos 0x10]
12:17:20.092237 68.144.16.250.63315 > 142.179.147.65.1723: . ack 1 win 64240 (DF) [tos 0x28]
12:17:20.095358 68.144.16.250.63315 > 142.179.147.65.1723: P 1:157(156) ack 1 win 64240 (DF) [tos 0x28]
12:17:20.095772 142.179.147.65.1723 > 68.144.16.250.63315: P 1:157(156) ack 157 win 64084 (DF)
12:17:20.098113 68.144.16.250.52793 > 142.179.147.65.22: . ack 508 win 63692 (DF) [tos 0x28]
12:17:20.125922 68.144.16.250.63315 > 142.179.147.65.1723: P 157:325(168) ack 157 win 64084 (DF) [tos 0x28]
12:17:20.126976 142.179.147.65.1723 > 68.144.16.250.63315: P 157:189(32) ack 325 win 63916 (DF)
12:17:20.160999 68.144.16.250.63315 > 142.179.147.65.1723: P 325:349(24) ack 189 win 64052 (DF) [tos 0x28]
12:17:20.169846 kpunset!  (gre encap)
12:17:20.170115 142.179.147.65 > 68.144.16.250: icmp: 142.179.147.65 protocol 47 unreachable
12:17:20.271195 142.179.147.65.1723 > 68.144.16.250.63315: . ack 349 win 63892 (DF)

My problem is that the second line from the bottom says "protocol 47 unreachable".

In sysctl.conf I have:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
net.inet.gre.allow=1              # 1=Permit GRE Frames

Interestingly enough, I can VPN through an OpenBSD 2.9 box, but not to another 3.2 box. In addition, a client on the 2.9 side cannot VPN into the 3.2 box, but can into a 2.9 box...

I'm quite confused by this. Does anyone have any ideas - PLEASE???

Thanks

Richard
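Added example, not part of the original post: a small Python check that reads tcpdump output in the format shown above and reports when the host that accepted the PPTP control connection on TCP 1723 is the same host that later answers the client with "protocol 47 unreachable". That pairing means the GRE packets are reaching that host and being rejected there (no GRE handler for them), rather than being dropped somewhere else on the path, which is the first thing to establish when a PPTP tunnel fails right after the control channel comes up. The sample trace is constructed from the lines in the post.

```python
import re

# Constructed sample, modelled on the trace in the post (unrelated ssh lines omitted).
SAMPLE = """\
12:17:20.052084 68.144.16.250.63315 > 142.179.147.65.1723: S 3700078406:3700078406(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x28]
12:17:20.052725 142.179.147.65.1723 > 68.144.16.250.63315: S 4048490238:4048490238(0) ack 3700078407 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:20.160999 68.144.16.250.63315 > 142.179.147.65.1723: P 325:349(24) ack 189 win 64052 (DF) [tos 0x28]
12:17:20.169846 kpunset!  (gre encap)
12:17:20.170115 142.179.147.65 > 68.144.16.250: icmp: 142.179.147.65 protocol 47 unreachable
"""

IP = r'(\d+\.\d+\.\d+\.\d+)'
# "<ts> src.sport > dst.dport: ..." (TCP/UDP lines)
TCP_RE = re.compile(r'^\S+ ' + IP + r'\.(\d+) > ' + IP + r'\.(\d+): ')
# "<ts> src > dst: icmp: <original dst> protocol 47 unreachable"
ICMP47_RE = re.compile(r'^\S+ ' + IP + r' > ' + IP + r': icmp: ' + IP
                       + r' protocol 47 unreachable')

def find_gre_refusals(text):
    """Return (client, server) pairs where `server` accepted a TCP 1723
    connection from `client` and then itself sent the client an ICMP
    'protocol 47 unreachable', i.e. the GRE leg of the tunnel terminated
    at the server host instead of being handled or forwarded."""
    control_peers = set()   # (client, server) seen on a packet to port 1723
    refusals = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, _sport, dst, dport = m.groups()
            if dport == '1723':
                control_peers.add((src, dst))
            continue
        m = ICMP47_RE.match(line)
        if m:
            icmp_src, client, original_dst = m.groups()
            # The host that emits the ICMP is the one that received the GRE
            # packet; only flag it when it is also the PPTP control peer.
            if icmp_src == original_dst and (client, icmp_src) in control_peers:
                pair = (client, icmp_src)
                if pair not in refusals:
                    refusals.append(pair)
    return refusals

if __name__ == '__main__':
    for client, server in find_gre_refusals(SAMPLE):
        print(f"{server} accepted PPTP control from {client} but rejected its GRE (protocol 47)")
```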