Hello there,
"... Please consider loading the specific helper module."
$ grep 47 /etc/protocols
gre 47 GRE # Generic Routing Encapsulation
https://en.wikipedia.org/wiki/Generic_Routing_Encapsulation "In conjunction with PPTP to create VPNs."
= Brief analysis and diagnosis:
- Point-to-Point Tunneling Protocol (PPTP) Client:
$ firewall-cmd --version
0.4.4.3
$ pptp --version
pptp version 1.9.0
$ nmcli --version
nmcli tool, version 1.7.1-0.9.20170224git9138967.fc24

$ firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
success
$ firewall-cmd --reload
success

$ nmcli connection up pptp ifname enp2s5
Error: Connection activation failed: the VPN service stopped unexpectedly.

$ journalctl -b -u NetworkManager.service -o cat
[...]
LCP: timeout sending Config-Requests
LCP: timeout sending Config-Requests
** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Connection terminated.
- PoPToP Point to Point Tunneling Server:
$ firewall-cmd --version
0.4.4.3
$ pptpd --version
pptpd v1.4.0

$ systemctl is-active firewalld pptpd
active
active

$ firewall-cmd --get-automatic-helpers
yes
$ firewall-cmd --list-ports
[...] 1723/tcp

$ grep -a pptp /var/log/firewalld
2017-02-27 19:58:41 DEBUG1: nf_conntrack_pptp: pptp
2017-02-27 19:58:41 DEBUG1: Loading helper file '/usr/lib/firewalld/helpers/pptp.xml'
2017-02-27 19:58:41 DEBUG1: config.HelperAdded('pptp')

$ dmesg -T | grep conntrack
[Mon Feb 27 19:58:40 2017] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[Mon Feb 27 19:59:05 2017] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
= Conclusion:
As already concluded, what is needed:
# modprobe nf_conntrack_pptp
# modinfo nf_conntrack_pptp | grep 'description|depends'
description: Netfilter connection tracking helper module for PPTP
depends: nf_conntrack,nf_conntrack_proto_gre
OR perhaps, how proto GRE is set on PPTP Client, to do the same on PPTP Server:
$ firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p gre -j ACCEPT
OR leave as is - for security's sake; "PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead." http://poptop.sourceforge.net/dox/protocol-security.phtml
Ref.
"netfilter: conntrack: disable generic tracking for known protocols"
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/n...
"netfilter: conntrack: warn the user if there is a better helper to use"
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/n...
"LCP: timeout sending Config-Requests"
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lcp_timeout
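The diagnosis above turned into a repeatable check, as an added example that is not part of poma's posts: it takes a dmesg snapshot and a loaded-module list (the format of /proc/modules or lsmod), extracts the protocol number from the "generic helper won't handle protocol N" warning, and reports which conntrack helper is still not loaded. The sample dmesg and module lines are constructed after the ones quoted in the thread; the mapping of protocol 47 to nf_conntrack_pptp follows the modinfo output above.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the kernel asked for a
# conntrack helper that is not loaded, using a dmesg snapshot and a module list.

# Constructed sample input, modelled on the dmesg lines quoted in the thread.
SAMPLE_DMESG="[Mon Feb 27 19:58:40 2017] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[Mon Feb 27 19:59:05 2017] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module."

# Constructed module lists (/proc/modules format) before and after
# 'modprobe nf_conntrack_pptp'.
MODULES_BEFORE="nf_conntrack 131072 1 nf_conntrack_ipv4, Live 0x0000000000000000"
MODULES_AFTER="nf_conntrack_pptp 20480 0 - Live 0x0000000000000000
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp, Live 0x0000000000000000
nf_conntrack 131072 3 nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_ipv4, Live 0x0000000000000000"

# Map an IP protocol number named in the warning to the helper that handles it.
# Only GRE (47, the PPTP data channel) is mapped here; extend as needed.
helper_for_proto() {
    case "$1" in
        47) echo nf_conntrack_pptp ;;
        *)  return 1 ;;
    esac
}

# Print every protocol number the generic helper refused, one per line.
refused_protos() {
    printf '%s\n' "$1" | sed -n "s/.*generic helper won't handle protocol \([0-9][0-9]*\)\..*/\1/p"
}

# Print the helper modules the kernel asked for that are not in the module list.
# Returns 0 when nothing is missing, 1 otherwise.
missing_helpers() {
    dmesg_text=$1
    modules_text=$2
    status=0
    for proto in $(refused_protos "$dmesg_text"); do
        if ! mod=$(helper_for_proto "$proto"); then
            echo "no known conntrack helper for IP protocol $proto" >&2
            status=1
            continue
        fi
        # /proc/modules and lsmod both start each line with the module name.
        if ! printf '%s\n' "$modules_text" | grep -q "^$mod "; then
            echo "$mod"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed "before" sample.
if missing=$(missing_helpers "$SAMPLE_DMESG" "$MODULES_BEFORE"); then
    echo "conntrack helpers: ok"
else
    for m in $missing; do
        echo "missing helper: $m  (fix: modprobe $m)"
    done
fi
```

On a live host the two inputs would be `dmesg` and `cat /proc/modules`; the check only names the module, it does not load it, so the modprobe step stays an explicit decision in light of the security note on PPTP below.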
On 27.02.2017 22:58, poma wrote:
[PATCH] Adds Point-to-Point Tunneling Protocol (PPTP) as a service. By enabling the service, the appropriate kernel modules will be loaded to achieve the operating state of the service itself.
--- config/Makefile.am | 1 + config/services/pptp.xml | 8 ++++++++ po/POTFILES.in | 1 + 3 files changed, 10 insertions(+) create mode 100644 config/services/pptp.xml
diff --git a/config/Makefile.am b/config/Makefile.am index f05caf6..bb33846 100644 --- a/config/Makefile.am +++ b/config/Makefile.am @@ -181,6 +181,7 @@ CONFIG_FILES = \ services/pop3s.xml \ services/pop3.xml \ services/postgresql.xml \ + services/pptp.xml \ services/privoxy.xml \ services/proxy-dhcp.xml \ services/ptp.xml \ diff --git a/config/services/pptp.xml b/config/services/pptp.xml new file mode 100644 index 0000000..061c85d --- /dev/null +++ b/config/services/pptp.xml @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>PPTP</short> + <description>Point-to-Point Tunneling Protocol (PPTP) is a method for implementing Virtual Private Network (VPN). PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. If you plan to allow compatible Microsoft VPN clients to connect to an internal firewalled network, enable this option. You need the Poptop - The PPTP Server for Linux (pptpd) package installed for this option to be useful.</description> + <port protocol="tcp" port="1723"/> + <port protocol="udp" port="1723"/> + <module name="nf_conntrack_pptp"/> +</service> diff --git a/po/POTFILES.in b/po/POTFILES.in index 12cdbf2..fd9137d 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -31,6 +31,7 @@ config/services/nfs.xml config/services/ntp.xml config/services/openvpn.xml config/services/pop3s.xml +config/services/pptp.xml config/services/radius.xml config/services/samba-client.xml config/services/samba.xml
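Review bot: in the config/services/pptp.xml hunk, the line `<port protocol="udp" port="1723"/>` opens a port PPTP does not use; the PPTP control connection is TCP 1723 only, and the data channel is GRE (IP protocol 47), which is exactly what the `<module name="nf_conntrack_pptp"/>` entry in the same hunk is there to track. Suggest dropping the udp line so the service does not expose an unused port. The Makefile.am and po/POTFILES.in hunks insert the new file in alphabetical order and need no change.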
On 28.02.2017 19:03, poma wrote:
On 27.02.2017 22:58, poma wrote:
For PPTP Client see: https://mail.gnome.org/archives/networkmanager-list/2017-March/msg00000.html
firewalld-users@lists.stg.fedorahosted.org