Subject: GRE through IPNAT firewall
To: None <port-i386@netbsd.org>
From: NetBSD Mailing-List <netbsd@kevcom.ca>
List: port-i386
Date: 07/19/2001 22:19:20
I am having the darndest time getting GRE through this NetBSD-1.5.1 box to
its internal network.  I have an NT PPTP server (don't ask) that is
waiting for VPN connections on the inside.  My ipnat.conf looks like this:

map tl0 1.1.1.2/32 -> 0/32 portmap tcp/udp 40000:60000
map tl0 1.1.1.2/32 -> 0/32
rdr tl0 0/0 port 1723 -> 1.1.1.2 port 1723 tcp

tl0 is my external interface (dynamic ip via cable modem) and tl1 is the
internal, with address 1.1.1.1.  The NT server of course is at 1.1.1.2.

When trying to establish a connection from the outside, tcpdump -n proto
47 or port 1723 shows:

(64.55.11.2 is an outside host, and 216.208.177.99 is the IP from the
cable modem side of the firewall)

22:14:04.936089 64.55.11.2.40291 > 216.208.177.99.1723: s
1457222784:1457222784(0) WIN 2920 <MSS 1452,NOP,NOP,SACKok> (df)
22:14:04.936909 216.208.177.99.1723 > 64.55.11.2.40291: s 97123:97123(0)
ACK1457222785 WIN 8712 <MSS 1460> (df)
22:14:05.160763 64.55.11.2.40291 > 216.208.177.99.1723: . ACK 1 WIN 2920
(df)
22:14:05.161427 64.55.11.2.40291 > 216.208.177.99.1723: P 1:157(156) ack 1
win 2920 (DF)
22:14:05.162108 216.208.177.99.1723 > 64.55.11.2.40291: P 1:157(156) ack
157 win 8556 (DF)
22:14:05.249672 64.55.11.2.40291 > 216.208.177.99.1723: P 157:325(168) ack
157 win 2764 (DF)
22:14:05.265804 216.208.177.99.1723 > 64.55.11.2.40291: P 157:189(32) ack
325 win 8388 (DF)
22:14:05.464873 64.55.11.2.40291 > 216.208.177.99.1723: P 325:349(24) ack
189 win 2732 (DF)
22:14:05.464969 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:05.665200 216.208.177.99.1723 > 64.55.11.2.40291: . ack 349 win 8364
(DF)
22:14:07.428237 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:10.446061 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:14.461042 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:18.459376 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:22.453706 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:26.522860 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:30.474393 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:34.492490 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:38.498572 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)

So, as you can see from above, the session on TCP 1723 establishes, but GRE
is not translated.  (I recompiled the kernel with "pseudo-device gre 2"
commented out).

Any bit of light shed on this would be greatly appreciated!!

Regards,
Kevin
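As an added illustration (not part of the post above), the following Python checks a tcpdump capture for exactly the symptom Kevin describes: TCP 1723 control traffic flowing both ways while GRE (IP protocol 47) arrives at the firewall but never goes back out. The sample lines are constructed in the shape of the quoted output; the firewall address and the helper names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump lines quoted in the post
# (external host 64.55.11.2, cable-modem side of the firewall 216.208.177.99).
SAMPLE = """\
22:14:04.936089 64.55.11.2.40291 > 216.208.177.99.1723: S 1457222784:1457222784(0) win 2920 (DF)
22:14:04.936909 216.208.177.99.1723 > 64.55.11.2.40291: S 97123:97123(0) ack 1457222785 win 8712 (DF)
22:14:05.160763 64.55.11.2.40291 > 216.208.177.99.1723: . ack 1 win 2920 (DF)
22:14:05.464969 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:07.428237 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
22:14:10.446061 64.55.11.2 > 216.208.177.99: gre-proto-0x880B (gre encap)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def parse_line(line):
    """Return a small dict for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    if rest.startswith("gre-proto"):          # GRE lines carry bare IP addresses
        return {"proto": "gre", "src": src, "dst": dst}
    sh, sp = src.rsplit(".", 1)               # TCP lines carry host.port
    dh, dp = dst.rsplit(".", 1)
    return {"proto": "tcp", "src": sh, "dst": dh, "sport": int(sp), "dport": int(dp)}

def analyze_pptp(text, firewall_ip, pptp_port=1723):
    """Count PPTP control (TCP 1723) and GRE packets per direction relative to the firewall."""
    c = Counter(ctl_in=0, ctl_out=0, gre_in=0, gre_out=0)
    for p in filter(None, map(parse_line, text.splitlines())):
        if p["proto"] == "tcp" and pptp_port in (p["sport"], p["dport"]):
            c["ctl_in" if p["dst"] == firewall_ip else "ctl_out"] += 1
        elif p["proto"] == "gre":
            c["gre_in" if p["dst"] == firewall_ip else "gre_out"] += 1
    control_ok = c["ctl_in"] > 0 and c["ctl_out"] > 0
    gre_one_way = c["gre_in"] > 0 and c["gre_out"] == 0
    verdict = ("PPTP control session passes but GRE is one-way: "
               "IP protocol 47 is not being translated or forwarded"
               if control_ok and gre_one_way else "no PPTP/GRE asymmetry detected")
    return {**c, "control_ok": control_ok, "gre_one_way": gre_one_way, "verdict": verdict}

if __name__ == "__main__":
    print(analyze_pptp(SAMPLE, "216.208.177.99"))
```

Run against a full `tcpdump -n proto 47 or port 1723` capture, the counters tell you whether the rdr rule for port 1723 is doing its job while protocol 47 has no matching translation.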