Wednesday, June 28, 2006

Netscreen 5GT Firewall & PPTP

It seems the Netscreen 5GT doesn't like PPTP VPN pass-throughs.

When I mentioned to the people who support our hospitality product that I was looking at a Netscreen as a possible alternative to the Cisco 1811, they told me that they'd looked at one previously but rejected it because it blocked outgoing PPTP sessions. I was skeptical and asked for more information.

They told me that the Netscreen would allow the outbound request to initiate a PPTP session but blocked the incoming IP protocol 47 (GRE) traffic necessary to establish the session. They'd experienced this with a Cisco PIX as well, although I think Cisco subsequently issued a patch to the PIX firmware to address the issue.

Anyway, this morning I configured one of our SMC8014 modems as a PPTP server and tried to reach it from an XP box located behind the 5GT. No dice. The 8014 saw the incoming request but apparently the 5GT is blocking the incoming GRE traffic, just like the aforementioned PIX was.

To verify that the 8014 was set up properly I initiated PPTP sessions to it after connecting the XP box to a different 8014, and then a Motorola Surfboard. Yep, it's working correctly.

So, I emailed my contact at Juniper about this (I'd given him a heads up over lunch yesterday). If they fix it, great. If not, it's a show-stopper. We can't block hotel guests from contacting Microsoft VPNs.


Anonymous said...

Have you ever heard back from Netscreen on this one?

I am dealing with the same issue.

Anonymous said...

Several people seem to be having trouble making their PPTP client work from behind a netscreen. PPTP uses port 1723/tcp and the GRE protocol (IP type 47, NOT port 47). GRE is an IP type, just like TCP and UDP are both IP types. Since GRE is a portless protocol, the NetScreen doesn’t know where to send the packet back to when it is performing NAT to a single IP address (PAT, port address translation) on the outside. There are 3 solutions to this:

1. Create a MIP for each machine that needs to run a PPTP client effectively giving the machine its own public IP
2. Create a DIP pool for outbound NAT so each machine gets a dynamically assigned public IP from your DIP pool
3. Create a VIP for GRE and forward that traffic to the host running the client

The first and second options require you to have a block of IP space. If you have a single IP or are using DHCP from your ISP, you will need to go with option 3. The drawback to option 3 is that only one machine will ever be able to use a PPTP client. Options 1 and 2 are fairly self explanatory, and I won't cover those here. So, if you need to create a VIP, here is what needs to be done:

1. Log into the Netscreen via telnet or ssh and issue the "set vip multi-port" command and save the config. You will have to reboot the unit for it to take effect.
2. Create a new service object called GRE. Instead of TCP or UDP, set the IP type to 47. Set the source and destination ports to 2048. Even though GRE does not have ports, you must set this.
3. Create a new VIP on your external interface. Select your GRE service, and put in the IP of the internal machine running the PPTP client.
4. Create a new policy from Untrust->Global. Source can be ANY, or it can be the PPTP server you are talking to. Destination should be the VIP. Service should be your newly created GRE object.

That's it. PPTP should work from the internal host.
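Why the control channel survives PAT while the data channel does not, and why option 3 above only ever helps one inside host, is easier to see in a small model. The following is an added example written for this page, not Netscreen/ScreenOS code or anything from the commenter: it simulates a single-address PAT firewall keyed on (protocol, public port), then adds a static VIP that hands every inbound protocol 47 packet to one configured host. All addresses are constructed from the RFC 5737 documentation ranges, and the session-table layout is a simplification of what a real firewall keeps.

```python
"""Toy model of PPTP behind a PAT-only firewall, with and without a GRE VIP.
Constructed example, not ScreenOS code; addresses are documentation ranges."""
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47              # IP protocol numbers; GRE carries no L4 ports
PPTP_CTRL = 1723              # PPTP control channel runs over TCP
PUBLIC_IP = "203.0.113.10"    # the firewall's single untrust address (constructed)
PPTP_SERVER = "198.51.100.5"  # remote PPTP server (constructed)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for portless protocols such as GRE
    dport: Optional[int] = None


class PatFirewall:
    """PAT keyed on (proto, public port), plus an optional static VIP that
    delivers every inbound GRE packet to one inside host."""

    def __init__(self, gre_vip_host: Optional[str] = None):
        self.next_port = 40000
        self.sessions: dict = {}        # (proto, public port) -> (inside ip, inside port)
        self.gre_vip_host = gre_vip_host

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # Portless protocol: the packet leaves with the public address,
            # but there is no port on which to key a translation entry.
            return Packet(pkt.proto, PUBLIC_IP, pkt.dst)
        pub = self.next_port
        self.next_port += 1
        self.sessions[(pkt.proto, pub)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, PUBLIC_IP, pkt.dst, pub, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is dropped."""
        if pkt.dport is None:
            if pkt.proto == GRE and self.gre_vip_host is not None:
                # VIP: static forward of protocol 47 to the configured host
                return Packet(pkt.proto, pkt.src, self.gre_vip_host)
            return None                 # no session can match a portless reply
        entry = self.sessions.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def pptp_attempt(fw: PatFirewall, client_ip: str) -> dict:
    """One inside client starts PPTP; report where each reply is delivered."""
    # 1. TCP control channel: PAT works, the reply is demultiplexed by port
    out = fw.outbound(Packet(TCP, client_ip, PPTP_SERVER, 3000, PPTP_CTRL))
    ctrl_reply = fw.inbound(Packet(TCP, PPTP_SERVER, PUBLIC_IP, PPTP_CTRL, out.sport))
    # 2. GRE data channel: the server answers our GRE with GRE of its own
    fw.outbound(Packet(GRE, client_ip, PPTP_SERVER))
    gre_reply = fw.inbound(Packet(GRE, PPTP_SERVER, PUBLIC_IP))
    return {
        "control_to": ctrl_reply.dst if ctrl_reply else None,
        "gre_to": gre_reply.dst if gre_reply else None,
    }


def compare(host_a: str = "192.168.1.10", host_b: str = "192.168.1.11") -> dict:
    """Two inside hosts, once without a VIP and once with a VIP pointing at A."""
    no_vip = PatFirewall()
    with_vip = PatFirewall(gre_vip_host=host_a)
    return {
        "no_vip_a": pptp_attempt(no_vip, host_a),
        "no_vip_b": pptp_attempt(no_vip, host_b),
        "vip_a": pptp_attempt(with_vip, host_a),
        "vip_b": pptp_attempt(with_vip, host_b),   # B's GRE lands on A instead
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:9s} control->{result['control_to']}  gre->{result['gre_to']}")
```

Without the VIP both hosts complete the TCP 1723 exchange and then lose the GRE reply, which is exactly the symptom described in the post. With the VIP host A works, but host B's GRE reply is also steered to A, which is the "only one machine" limitation of option 3; the MIP and DIP-pool options avoid it by giving each client its own public address, so the reply address itself identifies the inside host.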

killerkadoogan said...

Thanks for that. I can confirm that option 3 works for me.
I have a pppoe IP address from an ADSL provider, a VIP "same as untrust interface" and have now added a custom protocol GRE (ip-47) as one of the 3 available VIP services, natting to the internal IP of this PC. And it works :)
Anonymous said...

Worked like a charm :)

Thank you!

Korey said...

I searched all day for this! Thank You! Saved my a$$.