I dumped traffic from the second destination PPTP server, when Machine A connected
to Machine C in the 2nd scheme.
So, Machine A with public IP 2.2.2.2 and the destination PPTP server (Machine C)
with public IP 5.5.5.5:
IP (tos 0x0, ttl 61, id 15901, offset 0, flags [DF], proto TCP (6), length 60)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [S], cksum 0x846f (correct), seq
624269079, win 29200, options [mss 1460,sackOK,TS val 58829066 ecr 0,nop,wscale
9], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [S.], cksum 0xf3ee (incorrect -> 0x0557),
seq 3467249808, ack 624269080, win 14480, options [mss 1460,sackOK,TS val
2158911651 ecr 58829066,nop,wscale 4], length 0
IP (tos 0x0, ttl 61, id 15902, offset 0, flags [DF], proto TCP (6), length 52)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [.], cksum 0x6c76 (correct), seq 1, ack
1, win 58, options [nop,nop,TS val 58829066 ecr 2158911651], length 0
IP (tos 0x0, ttl 61, id 15903, offset 0, flags [DF], proto TCP (6), length 208)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [P.], cksum 0x3649 (correct), seq 1:157,
ack 1, win 58, options [nop,nop,TS val 58829066 ecr 2158911651], length 156:
pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ
PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(65535) FIRM_REV(1)
HOSTNAME(local) VENDOR(cananian)
IP (tos 0x0, ttl 64, id 26674, offset 0, flags [DF], proto TCP (6), length 52)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [.], cksum 0xf3e6 (incorrect -> 0x6847),
seq 1, ack 157, win 972, options [nop,nop,TS val 2158911652 ecr 58829066],
length 0
IP (tos 0x0, ttl 64, id 26675, offset 0, flags [DF], proto TCP (6), length 208)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [P.], cksum 0xf482 (incorrect ->
0x7fd9), seq 1:157, ack 157, win 972, options [nop,nop,TS val 2158911652 ecr
58829066], length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d
CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel
establishment) ERR_CODE(0:None) FRAME_CAP() BEARER_CAP() MAX_CHAN(1)
FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
IP (tos 0x0, ttl 61, id 15904, offset 0, flags [DF], proto TCP (6), length 52)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [.], cksum 0x6b3a (correct), seq 157, ack
157, win 60, options [nop,nop,TS val 58829067 ecr 2158911652], length 0
IP (tos 0x0, ttl 61, id 15905, offset 0, flags [DF], proto TCP (6), length 220)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [P.], cksum 0x727d (correct), seq
157:325, ack 157, win 60, options [nop,nop,TS val 58829166 ecr 2158911652],
length 168: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ
CALL_ID(0) CALL_SER_NUM(0) MIN_BPS(2400) MAX_BPS(10000000) BEARER_TYPE(Any)
FRAME_TYPE(E) RECV_WIN(3) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
IP (tos 0x0, ttl 64, id 26676, offset 0, flags [DF], proto TCP (6), length 84)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [P.], cksum 0xf406 (incorrect -> 0x538f),
seq 157:189, ack 325, win 1039, options [nop,nop,TS val 2158912652 ecr
58829166], length 32: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d
CTRL_MSGTYPE=OCRP CALL_ID(8192) PEER_CALL_ID(0) RESULT_CODE(1:Connected)
ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0)
PHY_CHAN_ID(0)
IP (tos 0x0, ttl 61, id 15906, offset 0, flags [DF], proto TCP (6), length 52)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [.], cksum 0x6626 (correct), seq 325, ack
189, win 60, options [nop,nop,TS val 58829167 ecr 2158912652], length 0
IP (tos 0x0, ttl 61, id 29340, offset 0, flags [DF], proto GRE (47), length 56)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 1, length 36
LCP, Conf-Request (0x01), id 1, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0101 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc3210995
0x0000: c321 0995
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25740, offset 0, flags [DF], proto GRE (47), length 61)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 0, length 41
LCP, Conf-Request (0x01), id 1, length 27
encoded length 25 (=Option(s) length 21)
0x0000: c021 0101 0019
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Auth-Prot Option (0x03), length 5: CHAP, MS-CHAPv2
0x0000: c223 81
Magic-Num Option (0x05), length 6: 0xfba46923
0x0000: fba4 6923
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 61, id 29341, offset 0, flags [DF], proto GRE (47), length 61)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 2, length 41
LCP, Conf-Ack (0x02), id 1, length 27
encoded length 25 (=Option(s) length 21)
0x0000: c021 0201 0019
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Auth-Prot Option (0x03), length 5: CHAP, MS-CHAPv2
0x0000: c223 81
Magic-Num Option (0x05), length 6: 0xfba46923
0x0000: fba4 6923
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 61, id 29427, offset 0, flags [DF], proto GRE (47), length 56)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 3, length 36
LCP, Conf-Request (0x01), id 1, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0101 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc3210995
0x0000: c321 0995
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25741, offset 0, flags [DF], proto GRE (47), length 60)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 1, ack 3, length 40
LCP, Conf-Ack (0x02), id 1, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0201 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc3210995
0x0000: c321 0995
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25742, offset 0, flags [DF], proto GRE (47), length 42)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 2, length 22
LCP, Echo-Request (0x09), id 0, length 10
encoded length 8 (=Option(s) length 4)
0x0000: c021 0900 0008
Magic-Num 0xfba46923
IP (tos 0x0, ttl 64, id 25743, offset 0, flags [DF], proto GRE (47), length 60)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 3, length 40
CHAP, Challenge (0x01), id 106, Value 09812a4b926408bfd566a7af1f6c9cf7,
Name pptpd
IP (tos 0x0, ttl 64, id 25744, offset 0, flags [DF], proto GRE (47), length 61)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 4, length 41
LCP, Conf-Request (0x01), id 2, length 27
encoded length 25 (=Option(s) length 21)
0x0000: c021 0102 0019
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Auth-Prot Option (0x03), length 5: CHAP, MS-CHAPv2
0x0000: c223 81
Magic-Num Option (0x05), length 6: 0x2d75781c
0x0000: 2d75 781c
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25745, offset 0, flags [DF], proto GRE (47), length 56)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 5, length 36
LCP, Conf-Ack (0x02), id 1, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0201 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc3210995
0x0000: c321 0995
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 61, id 29428, offset 0, flags [DF], proto GRE (47), length 32)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, ack present], call 8192, ack
5, no-payload, length 12
IP (tos 0x0, ttl 61, id 29429, offset 0, flags [DF], proto GRE (47), length 42)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 4, length 22
LCP, Echo-Reply (0x0a), id 0, length 10
encoded length 8 (=Option(s) length 4)
0x0000: c021 0a00 0008
Magic-Num 0xc3210995
IP (tos 0x0, ttl 61, id 29430, offset 0, flags [DF], proto GRE (47), length 94)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 5, length 74
CHAP, Response (0x02), id 106, Value
160c653a9325bb25f2a7372142994baf0000000000000000b152d38e185eda2574be1ccd5d1405a42824580800604c6400,
Name initfs
IP (tos 0x0, ttl 61, id 29431, offset 0, flags [DF], proto GRE (47), length 56)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 6, length 36
LCP, Conf-Request (0x01), id 2, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0102 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc49d7115
0x0000: c49d 7115
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 61, id 29432, offset 0, flags [DF], proto GRE (47), length 61)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 7, length 41
LCP, Conf-Ack (0x02), id 2, length 27
encoded length 25 (=Option(s) length 21)
0x0000: c021 0202 0019
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Auth-Prot Option (0x03), length 5: CHAP, MS-CHAPv2
0x0000: c223 81
Magic-Num Option (0x05), length 6: 0x2d75781c
0x0000: 2d75 781c
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25746, offset 0, flags [DF], proto GRE (47), length 60)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 6, ack 7, length 40
LCP, Conf-Ack (0x02), id 2, length 22
encoded length 20 (=Option(s) length 16)
0x0000: c021 0202 0014
ACCM Option (0x02), length 6: 0x00000000
0x0000: 0000 0000
Magic-Num Option (0x05), length 6: 0xc49d7115
0x0000: c49d 7115
PFC Option (0x07), length 2:
ACFC Option (0x08), length 2:
IP (tos 0x0, ttl 64, id 25747, offset 0, flags [DF], proto GRE (47), length 42)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 7, length 22
LCP, Echo-Request (0x09), id 0, length 10
encoded length 8 (=Option(s) length 4)
0x0000: c021 0900 0008
Magic-Num 0x2d75781c
IP (tos 0x0, ttl 64, id 25748, offset 0, flags [DF], proto GRE (47), length 60)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 8, length 40
CHAP, Challenge (0x01), id 195, Value c57858dbd870f3f6d23301e025dacb4b,
Name pptpd
IP (tos 0x0, ttl 61, id 29433, offset 0, flags [DF], proto GRE (47), length 32)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, ack present], call 8192, ack
8, no-payload, length 12
IP (tos 0x0, ttl 61, id 29434, offset 0, flags [DF], proto GRE (47), length 42)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 8, length 22
LCP, Echo-Reply (0x0a), id 0, length 10
encoded length 8 (=Option(s) length 4)
0x0000: c021 0a00 0008
Magic-Num 0xc49d7115
IP (tos 0x0, ttl 61, id 29435, offset 0, flags [DF], proto GRE (47), length 94)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 9, length 74
CHAP, Response (0x02), id 195, Value
3df7c71da404e48b6b0bc7effd1ae4c50000000000000000dd34a30499d0533e8ae0aac85b105375fcddaadb6a0c9a9a00,
Name initfs
IP (tos 0x0, ttl 64, id 25749, offset 0, flags [DF], proto GRE (47), length
101) 5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 9, ack 9, length 81
CHAP, Success (0x03), id 195, Msg
S=2BCDB32DB1FBDB8CAC65E3AACD244C07941175C2 M=Access granted
IP (tos 0x0, ttl 64, id 25750, offset 0, flags [DF], proto GRE (47), length 44)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 10, length 24
unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 12
encoded length 10 (=Option(s) length 6)
0x0000: 80fd 0101 000a
MPPC Option (0x12), length 6:
0x0000: 0100 0040
IP (tos 0x0, ttl 61, id 29436, offset 0, flags [DF], proto GRE (47), length 32)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, ack present], call 8192, ack
10, no-payload, length 12
IP (tos 0x0, ttl 61, id 29437, offset 0, flags [DF], proto GRE (47), length 49)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 10, length 29
unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 17
encoded length 15 (=Option(s) length 11)
0x0000: 80fd 0101 000f
Deflate Option (0x1a), length 4:
0x0000: 7800
MVRCA Option (0x18), length 4:
0x0000: 7800
BSD-Comp Option (0x15), length 3:
0x0000: 2f
IP (tos 0x0, ttl 61, id 29438, offset 0, flags [DF], proto GRE (47), length 62)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 11, length 42
IPCP, Conf-Request (0x01), id 1, length 30
encoded length 28 (=Option(s) length 24)
0x0000: 8021 0101 001c
IP-Comp Option (0x02), length 6: VJ-Comp (0x2d):
0x0000: 002d 0f01
IP-Addr Option (0x03), length 6: 0.0.0.0
0x0000: 0000 0000
Pri-DNS Option (0x81), length 6: 0.0.0.0
0x0000: 0000 0000
Sec-DNS Option (0x83), length 6: 0.0.0.0
0x0000: 0000 0000
IP (tos 0x0, ttl 61, id 29439, offset 0, flags [DF], proto GRE (47), length 44)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 12, length 24
unknown ctrl-proto (0x80fd), Conf-Reject (0x04), id 1, length 12
encoded length 10 (=Option(s) length 6)
0x0000: 80fd 0401 000a
MPPC Option (0x12), length 6:
0x0000: 0100 0040
IP (tos 0x0, ttl 64, id 25751, offset 0, flags [DF], proto GRE (47), length 85)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 11, ack 12, length 65
LCP, Term-Request (0x05), id 3, length 47
encoded length 45 (=Option(s) length 41)
0x0000: c021 0503 002d
IP (tos 0x0, ttl 64, id 25752, offset 0, flags [DF], proto GRE (47), length 51)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 12, length 31
unknown ctrl-proto (0x80fd), Conf-Reject (0x04), id 1, length 17
encoded length 15 (=Option(s) length 11)
0x0000: 80fd 0401 000f
Deflate Option (0x1a), length 4:
0x0000: 7800
MVRCA Option (0x18), length 4:
0x0000: 7800
BSD-Comp Option (0x15), length 3:
0x0000: 2f
IP (tos 0x0, ttl 61, id 29440, offset 0, flags [DF], proto GRE (47), length 32)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, ack present], call 8192, ack
12, no-payload, length 12
IP (tos 0x0, ttl 61, id 29441, offset 0, flags [DF], proto GRE (47), length 40)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 13, length 20
LCP, Term-Ack (0x06), id 3, length 6
IP (tos 0x0, ttl 64, id 26677, offset 0, flags [DF], proto TCP (6), length 52)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [F.], cksum 0xf3e6 (incorrect -> 0x568d),
seq 189, ack 325, win 1039, options [nop,nop,TS val 2158915665 ecr 58829167],
length 0
IP (tos 0x0, ttl 61, id 15907, offset 0, flags [DF], proto TCP (6), length 68)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [P.], cksum 0x0286 (correct), seq
325:341, ack 190, win 60, options [nop,nop,TS val 58829468 ecr 2158915665],
length 16: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CCRQ
CALL_ID(0)
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [R], cksum 0xef41 (correct), seq
3467249998, win 0, length 0
IP (tos 0x0, ttl 61, id 15908, offset 0, flags [DF], proto TCP (6), length 52)
2.2.2.2.60970 > 5.5.5.5.1723: Flags [F.], cksum 0x5922 (correct), seq 341,
ack 190, win 60, options [nop,nop,TS val 58829468 ecr 2158915665], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
5.5.5.5.1723 > 2.2.2.2.60970: Flags [R], cksum 0xef41 (correct), seq
3467249998, win 0, length 0
As we can see, the PPTP server accepts auth from the client and then the connection is lost.
--
Yours sincerely,
Denis Lotarev
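
Added example (not part of the original message and not VPP code): a small Python helper that turns verbose tcpdump text like the capture above into a PPP timeline, undoing the mail line wrapping, and reports which peer sent the first LCP Term-Request and which packet came immediately before it. The sample is abridged from the capture; the function names are made up for this illustration.

```python
import re

# Abridged from the capture in this message (mail line wrapping kept on purpose).
SAMPLE = """\
IP (tos 0x0, ttl 64, id 25749, offset 0, flags [DF], proto GRE (47), length
101) 5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 9, ack 9, length 81
CHAP, Success (0x03), id 195, Msg
IP (tos 0x0, ttl 64, id 25750, offset 0, flags [DF], proto GRE (47), length 44)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call 0,
seq 10, length 24
unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 12
MPPC Option (0x12), length 6:
IP (tos 0x0, ttl 61, id 29439, offset 0, flags [DF], proto GRE (47), length 44)
2.2.2.2 > 5.5.5.5: GREv1, Flags [key present, sequence# present], call 8192,
seq 12, length 24
unknown ctrl-proto (0x80fd), Conf-Reject (0x04), id 1, length 12
MPPC Option (0x12), length 6:
IP (tos 0x0, ttl 64, id 25751, offset 0, flags [DF], proto GRE (47), length 85)
5.5.5.5 > 2.2.2.2: GREv1, Flags [key present, sequence# present, ack
present], call 0, seq 11, ack 12, length 65
LCP, Term-Request (0x05), id 3, length 47
"""

ADDR = r"(\d+(?:\.\d+){3})(?:\.\d+)?"          # IPv4 address, optional .port
HEAD = re.compile(ADDR + " > " + ADDR + ":")
PPP = re.compile(r"(LCP|CHAP|IPCP|unknown ctrl-proto \((0x[0-9a-f]{4})\)), ([\w-]+) \(0x")
OPTS = re.compile(r"([\w-]+) Option \(0x")
NAMES = {"0x80fd": "CCP"}  # PPP protocol 0x80fd is CCP (RFC 1962)

def timeline(dump):
    """Return [(src, dst, layer, message, [options])] for each PPP packet."""
    events = []
    flat = " ".join(dump.split())            # undo mail/terminal line wrapping
    for rec in flat.split("IP (tos ")[1:]:   # one chunk per captured packet
        head, ppp = HEAD.search(rec), PPP.search(rec)
        if head and ppp:                     # skips TCP control channel and bare GRE acks
            layer = NAMES.get(ppp.group(2), ppp.group(1))
            events.append((head.group(1), head.group(2), layer,
                           ppp.group(3), OPTS.findall(rec)))
    return events

def who_tore_down(events):
    """Source of the first LCP Term-Request, plus every event before it."""
    for i, ev in enumerate(events):
        if ev[2:4] == ("LCP", "Term-Request"):
            return ev[0], events[:i]
    return None, events
```
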
________________________________
On Tuesday, June 20, 2017, 12:13:13 PM GMT+5, Ole Troan <otr...@employees.org>
wrote:
Hi Denis,
Thanks a lot for testing!
> 1st scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> Machine B (outside VPP with 1:1 iptables static mapping) running PPTP client.
> This scheme works well.
Splendid.
> 2nd scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _client_.
> Machine B (outside VPP with public ip) as hardware PPTP server. This scheme
> works well. But only one session is allowed. If we create a second connection
> from Machine A to Machine C (outside VPP with public ip) this will not work.
> OFC this is not required.
Hmm... that seems like a bug. Let's see if we can reproduce. The NAT session
entry is indexed on the outside by SA, DA and IP protocol so this should have
worked.
> 3rd scheme:
> Machine A (inside VPP with 1:1 static mapping) running PPTP _server_.
> Machine B (inside VPP with 1:1 static mapping) running PPTP _client_.
> Machine B cannot connect to Machine A. This may cover hairpin nat issue.
> OFC these machines can connect via local addressing and that will
> work.
Same here. This should work. Let's figure this one out too.
> BTW, we have not yet tested the setup where we SNAT two pptp clients in the
> iptables mechanism (and those clients are SNATed with one public address).
Best regards,
Ole
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev