
PPTP VPN problems

PPTP VPN GRE

4 replies to this topic

#1 Jaroslav Hnátík

Jaroslav Hnátík
  • Members
  • 10 posts

Posted 25 February 2015 - 07:58 AM

Hi.

 

I have another problem with Barracuda NG firewall.

At the moment, I need to configure PPTP VPN with authentication against AD or RADIUS. When I set up the VPN with authentication against local DB users, everything works correctly.

When I change authentication to Active Directory, the VPN stops working. On the client side, error 628 is reported. When I check the pptp log, there are these records:

Time	Type	TZ	Message
2015 02 25 13:31:57	Info	+01:00	 CTRL: Client xx.xx.xx.xx control connection started
2015 02 25 13:31:57	Info	+01:00	 CTRL: Starting call (launching pppd, opening GRE)
2015 02 25 13:31:57	Notice	+01:00	 pppd 2.4.4 started by root, uid 0
2015 02 25 13:31:57	Info	+01:00	 Using interface ppp6171
2015 02 25 13:31:57	Notice	+01:00	 Connect: ppp6171 <--> /dev/pts/0
2015 02 25 13:31:57	Error	+01:00	 GRE: Bad checksum from pppd.
2015 02 25 13:31:58	Internal	+01:00	 CTRL: Reaping child PPP[6171]
2015 02 25 13:31:58	Notice	+01:00	 Modem hangup
2015 02 25 13:31:58	Notice	+01:00	 Connection terminated.
2015 02 25 13:31:58	Info	+01:00	 Exit.
2015 02 25 13:31:58	Info	+01:00	 CTRL: Client xx.xx.xx.xx control connection finished

Same situation when I configure LDAP authentication or RADIUS authentication. Same situation and same error.

 

BTW, I cannot believe how bad the available documentation for Barracuda NG Firewall settings is. On https://techlib.barracuda.com there is some important information, but this covers about 1% of what we need.
For example, I cannot find information on how to set up a reverse proxy for multiple domains. Only a short note, but nothing precise. Same with troubleshooting.



#2 Matthias Maschler

Matthias Maschler
  • Barracuda Team Members
  • 106 posts
  • LocationInnsbruck

Posted 25 February 2015 - 12:37 PM

Hi Jaroslav,

 

I assume you followed these instructions: https://techlib.barr...oSiteConfigPPTP

If everything was set up correctly, your configuration should work out of the box with no further adjustment, also for MS-AD authentication. It seems that, except for AD auth, PPTP works correctly. The log entries you posted may indicate a software bug.

However, please contact Barracuda Technical support to verify your configuration and to do further investigation on this issue.

 

Also, thank you for the feedback on our product documentation. If you are missing documentation on specific topics, feel free to contact me directly via Forum PM, email to documentation [at] barracuda.com or via the TechLibrary feedback form at the bottom of every TechLibrary article. As soon as we know what exactly you are looking for, we will add it to the TechLib.

 

Concerning Reverse Proxy. Have you seen the following How-To? https://techlib.barr...seProxyExchange

These step-by-step instructions explain how to set up the Reverse Proxy with Exchange as an example. Not sure what your exact needs are, but this guide should cover all necessary steps. If not, please let us know.

This thread may also be interesting for you: https://community.ba...-reverse-proxy/

 

As always, please feel free to contact Barracuda Networks Support. Our support guys can help you to solve your issues as quickly as possible. If you mention that you followed a specific TechLib article without success, we can incorporate your feedback in our documentation.

 

Again, thank you for your feedback and looking forward to hearing from you.

 

Kind Regards,

Matthias



#3 Jaroslav Hnátík

Jaroslav Hnátík
  • Members
  • 10 posts

Posted 25 February 2015 - 01:36 PM

Thanks for the fast reply.

PPTP works correctly until I change the authentication provider. I think that some steps are described perfectly, but there are many areas which are not covered by these guides. For example, in the guide for PPTP, I miss information about the host firewall rules required for VPN. In my first troubleshooting attempt I thought that the problem could be in the outgoing rules, but phibstest correctly returns authentication and groups. Because I am new to Barracuda, these requirements can be critical for me. I will send this problem to support.
BTW, I have another problem with host firewall rules. I disabled all host rules with TCP 443; the firewall logs wrote no rule match, but the forwarding rules with 443 and the S1 IP address are not applied. We have more IP addresses assigned, so I changed the DNS record to another IP, but I don't understand where the problem can be. The documentation describes that a host rule is used for a combination of IP and port, and if none exists, the forwarding rule is used. For TCP 80 and 25 everything works. But this is another problem and I have a workaround :)

About the reverse proxy: I followed the Exchange guide and I have a cert issue https://community.ba...-reverse-proxy/

But here is what I mean by reverse proxy and multi domain. I need to publish more subdomains on one IP. For example test1.domain.com and test2.domain.com. test1 is forwarded to internal IP1 and test2 to internal IP2. If I understand correctly, this is done by backend mapping. But it didn't work for me. The first mapping works, the second and others do not. And here is the problem which I have with the documentation. I didn't find a current document with, for example, field descriptions. What I found is the manual for FW 5.2, but in some situations it is not current.

And from my point of view, it would be nice to have, for example, a guide on setting up URL filtering based on app rules. (I found a solution here on the forum.)

Maybe it can look like I don't like Barracuda. This is not true. It looks like a great product. But for newbies it is not easy to start with this product :)
 



#4 Matthias Maschler

Matthias Maschler
  • Barracuda Team Members
  • 106 posts
  • LocationInnsbruck

Posted 26 February 2015 - 10:46 AM

Jaroslav,

 

If we are not covering specific steps in the guide, they should not be necessary for the configuration. Just like the host firewall rule/ruleset for VPN connections. The default host firewall ruleset works out of the box for VPN connections and for a majority of configurations.

 

Since you are new to the Barracuda NG Firewall, I suggest having a look at the following article that describes the differences between Host Firewall and Forwarding Firewall: https://techlib.barr...m/NG60/Firewall

In 90% of the standard deployments, the host firewall rules do not have to be changed.

 

You also mentioned that you only found the manual for 5.2. NG Firewall version 5.2 is quite an old version and we are not actively working on this documentation anymore. If possible, I recommend updating your unit to at least NG Firewall 5.4 or 6.0. The latest documentation available is for 6.0.
See here: https://techlib.barracuda.com/NG60. However, most topics covered in 6.0 docs may also work for 5.2 firmware version.

 

 

Back to the Reverse Proxy: 

The following screenshot shows a working configuration like yours. One domain with two sub-domains pointing to two different backend servers. I currently cannot post pictures inline. Please see the link: https://copy.com/2ZIYJUuHEu8DkOLn

Again, thanks for your feedback. This is very important for us. Have fun with your NG Firewall and feel free to contact Tech Support at any time or post your questions here.

 

Regards,

Matthias



#5 Jaroslav Hnátík

Jaroslav Hnátík
  • Members
  • 10 posts

Posted 26 February 2015 - 01:29 PM

Hi.

 

The problem with PPTP is under investigation by the support team. The reverse proxy is exactly as I configured it. But I will try it again, because I think that it must work. :)