 From:  "Brandon Kahler" <bkahler at techline dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Standalone PPTP/IPsec Server: Questions on setup
 Date:  Tue, 14 Feb 2006 14:53:44 -0800
I've found some more information.

I've been doing some additional testing internally from another firewalled
segment.
I found a duplex mismatch that was causing problems.

Here is an updated diagram of what is going on:
http://members.arstechnica.com/x/bobdole/M0n0wall_VPN_Mailing_List_Question_2.jpg

I can send from the inside to the PPTP client at ~40Mbps using iperf.
The same PPTP client to the inside can barely muster 1Kbps using iperf (same
settings).

I've watched packet captures of the PPP/SLIP interface of the WinXP client.
Once an iperf session is initiated only ~10 packets make it through, then
it's nothing but TCP retransmission requests and PPP LCP echo request/replies.

I've enabled "allow fragmented packets" for all the Any/Any rules but not
much changed.

Any suggestions?

-----Original Message-----
From: Brandon Kahler [mailto:bkahler at techline dot com]
Sent: Tuesday, February 07, 2006 6:50 PM
To: bkahler at techline dot com; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Standalone PPTP/IPsec Server: Questions on setup


Ok, so I've fixed a few things, learned a few things, and have other
questions.

It seems I totally missed making Any/Any rules for the PPTP interface.
Oops!
Traffic flows now from a PPTP client to the internal networks, and vice
versa.  ICMP from any host to any other host without issue.

This is where more trouble begins.  It's dog slow :(
In my testing all of this took place on a 100Mbps LAN (even testing from
outside the PIX as a remote client).
The tunnel comes up fine, but passing traffic is like pulling teeth.  I did
some iperf tests and got back some strange results.

Running iperf from the internal network to the PPTP client, I can get ~1.5 Mbits/sec
(I was expecting far more).
Running iperf from the PPTP client to the internal network, I can get 800 bits/sec!

Even watching the PPTP interface statistics in Windows shows a massive
difference between received packets and sent packets.  Where received is in
the millions sent is barely breaking 30,000.  So what gives?

It doesn't appear to be cpu or memory on m0n0wall (1Ghz P3, 256MB, fxp NICs)

Any reason one side of the tunnel would work better than the other?


***Update***
Well now this is interesting.  I just tried the same PPTP connection from
home (DSL 1.5/256) and I'm getting a full 256kbps sending with iperf to the
internal network.  Hrm.. perhaps I should revisit the setup at work where I
was testing my client from.


Brandon,


-----Original Message-----
From: bkahler at techline dot com [mailto:bkahler at techline dot com]
Sent: Tuesday, February 07, 2006 10:11 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Standalone PPTP/IPsec Server: Questions on setup


I've been trying to set up a standalone PPTP/IPsec server off a stub segment at
work.  I want an external client to be able to access anything on the internal
network through PPTP (and eventually site-to-site IPsec tunnels as well).  I've
included a Visio drawing that should explain what I'm trying to do.

http://members.arstechnica.com/x/bobdole/M0n0wall_VPN_Mailing_List_Question.gif

Here's what I've got:
PIX 515E Border Firewall
3662 Internal Router
Internal Network (consisting of two subnets [secondary addressing]) directly
attached to Fa0/1
A route statement to the OPT1 interface of the m0n0wall (NAT turned off, Any/Any
Firewall Rules)

External clients can connect via PPTP to the OPT1 interface just fine.  The two
ACLs on the PIX are in place for Any/PPTP and Any/GRE to OPT1.
When the tunnel comes up the DNS server is always listed as the LAN interface
(instead of the two specified DNS servers).
No traffic wants to pass in/out of the tunnel.

I can access both the WAN and OPT1 interfaces from anywhere on the internal
network for management/ICMP just fine.  Routing is working fine.

What am I doing wrong or can this not be done?




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
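The symptom described at the top of this thread (a handful of data packets, then nothing but TCP retransmissions and PPP LCP echo request/replies on the client's PPP interface) is easy to eyeball in a capture but tedious to quantify across many runs. The following script is an added example, not code from the thread or from m0n0wall: it reads tcpdump-style summary lines from the client's PPP interface, separates fresh data segments from retransmissions (same source, destination and sequence range seen again), counts LCP echo keepalives, and reports whether the tunnel is stalled. The capture lines, addresses and ports embedded below are constructed for the example and are not the poster's actual captures.

```python
import re
from dataclasses import dataclass, field

# tcpdump-style TCP summary line (IP layer of the PPP interface capture).
TCP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\],"
    r"(?: seq (?P<seq>\d+):(?P<end>\d+),)? ack \d+, length (?P<length>\d+)$"
)
# PPP LCP echo keepalives carried on the same link.
LCP_RE = re.compile(r"^(?P<ts>\d+\.\d+) PPP LCP, Echo-(?P<kind>Request|Reply)\b")

# Constructed sample: an iperf client on the PPTP side (192.168.30.5) sending
# to an internal host (10.1.1.20). A short burst of fresh data, then the same
# segment is retried again and again while LCP keepalives keep the link alive.
SAMPLE_CAPTURE = """\
0.000 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 1:1461, ack 1, length 1460
0.001 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 1461:2921, ack 1, length 1460
0.002 IP 10.1.1.20.5001 > 192.168.30.5.49152: Flags [.], ack 2921, length 0
0.003 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 2921:4381, ack 1, length 1460
0.004 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 4381:5841, ack 1, length 1460
1.200 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 2921:4381, ack 1, length 1460
2.400 PPP LCP, Echo-Request (0x09), id 3, length 8
2.401 PPP LCP, Echo-Reply (0x0a), id 3, length 8
3.600 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 2921:4381, ack 1, length 1460
8.400 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 2921:4381, ack 1, length 1460
12.400 PPP LCP, Echo-Request (0x09), id 4, length 8
12.401 PPP LCP, Echo-Reply (0x0a), id 4, length 8
18.000 IP 192.168.30.5.49152 > 10.1.1.20.5001: Flags [.], seq 2921:4381, ack 1, length 1460
"""


@dataclass
class TunnelStats:
    data_segments: int = 0        # TCP segments with payload seen for the first time
    retransmissions: int = 0      # same src/dst/seq range seen again
    pure_acks: int = 0            # zero-length segments
    lcp_echo_requests: int = 0
    lcp_echo_replies: int = 0
    unparsed: int = 0             # lines neither regex understood
    max_payload: int = 0          # largest payload that made it onto the link
    seen: set = field(default_factory=set, repr=False)


def analyze(capture_text: str) -> TunnelStats:
    """Classify each capture line and accumulate tunnel statistics."""
    stats = TunnelStats()
    for line in capture_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TCP_RE.match(line)
        if m:
            length = int(m["length"])
            if length == 0:
                stats.pure_acks += 1
                continue
            key = (m["src"], m["dst"], m["seq"], m["end"])
            if key in stats.seen:
                stats.retransmissions += 1
            else:
                stats.seen.add(key)
                stats.data_segments += 1
                stats.max_payload = max(stats.max_payload, length)
            continue
        m = LCP_RE.match(line)
        if m:
            if m["kind"] == "Request":
                stats.lcp_echo_requests += 1
            else:
                stats.lcp_echo_replies += 1
            continue
        stats.unparsed += 1
    return stats


def diagnose(stats: TunnelStats) -> str:
    """Call the tunnel stalled when retries match or exceed fresh data segments
    while the link itself still answers LCP echoes (i.e. PPP is up, payload is not moving)."""
    link_alive = stats.lcp_echo_replies > 0
    if stats.data_segments and stats.retransmissions >= stats.data_segments and link_alive:
        return (f"stalled: {stats.retransmissions} retransmissions vs "
                f"{stats.data_segments} fresh segments, PPP link still answering echoes")
    return f"flowing: {stats.data_segments} fresh segments, {stats.retransmissions} retransmissions"


if __name__ == "__main__":
    s = analyze(SAMPLE_CAPTURE)
    print(s)
    print(diagnose(s))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of `tcpdump -tt -n -i <ppp interface>` (or an equivalent summary from the Windows side); the regexes only understand the summary format shown, so `unparsed` tells you how many lines fell outside it. A stalled verdict with a large `max_payload` and a working LCP keepalive is exactly the picture the thread describes, and it is worth comparing the verdict in each direction, since the poster's problem was one-directional.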