Topic: VPN pptp connection often does not work  (Read 7607 times)
« on: October 29, 2010, 13:54:06 »
kalon17 *
Posts: 7

So my computer is connected to the monowall through a pptp vpn tunnel.  I have gotten it to work successfully, and stayed on for a reasonable amount of time.  The problem is that when I disconnect my vpn connection, I can't reconnect afterwards.  Sometimes I can't connect at all.  I've tried connecting with multiple computers and get the same result.  I would think that it's not set up right, except that every now and then it does randomly connect.

In the monowall system logs I see:


Oct 29 11:38:26 mpd: MAGICNUM 4a4d5d7f
Oct 29 11:38:26 mpd: PROTOCOMP
Oct 29 11:38:26 mpd: ACFCOMP
Oct 29 11:38:26 mpd: CALLBACK
Oct 29 11:38:26 mpd: Not supported
Oct 29 11:38:26 mpd: [pt0] LCP: SendConfigRej #5
Oct 29 11:38:26 mpd: CALLBACK
Oct 29 11:38:27 mpd: [pt0] LCP: SendConfigReq #154
Oct 29 11:38:27 mpd: ACFCOMP
Oct 29 11:38:27 mpd: PROTOCOMP
Oct 29 11:38:27 mpd: MRU 1500
Oct 29 11:38:27 mpd: MAGICNUM fa59bff0
Oct 29 11:38:27 mpd: AUTHPROTO CHAP MSOFTv2
Oct 29 11:38:27 mpd: MP MRRU 1600
Oct 29 11:38:27 mpd: MP SHORTSEQ
Oct 29 11:38:27 mpd: ENDPOINTDISC [802.1] 00 01 02 71 1e 1d
Oct 29 11:38:29 mpd: [pt0] LCP: state change Req-Sent --> Stopped
Oct 29 11:38:29 mpd: [pt0] LCP: LayerFinish
Oct 29 11:38:29 mpd: [pt0] LCP: parameter negotiation failed
Oct 29 11:38:29 mpd: [pt0] LCP: LayerFinish
Oct 29 11:38:29 mpd: [pt0] device: CLOSE event in state UP
Oct 29 11:38:29 mpd: pptp0-0: clearing call
Oct 29 11:38:29 mpd: pptp0-0: killing channel
Oct 29 11:38:29 mpd: [pt0] PPTP call terminated
Oct 29 11:38:29 mpd: [pt0] IFACE: Close event
Oct 29 11:38:29 mpd: [pt0] IPCP: Close event
Oct 29 11:38:29 mpd: [pt0] IPCP: state change Starting --> Initial
Oct 29 11:38:29 mpd: [pt0] IPCP: LayerFinish
Oct 29 11:38:29 mpd: [pt0] IFACE: Close event
Oct 29 11:38:29 mpd: pptp0: closing connection with 65.100.45.53:4206
Oct 29 11:38:29 mpd: [pt0] IFACE: Close event
Oct 29 11:38:29 mpd: [pt0] device is now in state CLOSING
Oct 29 11:38:29 mpd: [pt0] bundle: CLOSE event in state OPENED
Oct 29 11:38:29 mpd: [pt0] closing link "pt0"...
Oct 29 11:38:29 mpd: [pt0] device: CLOSE event in state CLOSING
Oct 29 11:38:29 mpd: [pt0] device is now in state CLOSING
Oct 29 11:38:29 mpd: [pt0] link: CLOSE event
Oct 29 11:38:29 mpd: [pt0] LCP: Close event
Oct 29 11:38:29 mpd: [pt0] LCP: state change Stopped --> Closed
Oct 29 11:38:29 mpd: [pt0] device: DOWN event in state CLOSING
Oct 29 11:38:29 mpd: [pt0] device is now in state DOWN
Oct 29 11:38:29 mpd: [pt0] link: DOWN event
Oct 29 11:38:29 mpd: [pt0] LCP: Down event
Oct 29 11:38:29 mpd: [pt0] LCP: state change Closed --> Initial
Oct 29 11:38:29 mpd: [pt0] LCP: phase shift ESTABLISH --> DEAD
Oct 29 11:38:29 mpd: [pt0] device: DOWN event in state DOWN
Oct 29 11:38:29 mpd: [pt0] device is now in state DOWN
Oct 29 11:38:29 mpd: [pt0] link: DOWN event
Oct 29 11:38:29 mpd: [pt0] LCP: Down event
Oct 29 11:38:29 mpd: pptp0: killing connection with 65.100.45.53:4206

Obviously 65.100.45.53 is my computer trying to connect.  Can anyone check this out and see what you think?  I don't speak this language but clearly something is not jiving.  Maybe that "Oct 29 11:38:29 mpd: [pt0] LCP: parameter negotiation failed" ??

I just can't understand why this would work intermittently.  Am I set up wrong somehow or is my monowall hardware failing?

help :)
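One way to condense an mpd excerpt like the one above into a per-link summary, as an added example that is not part of the original thread or of m0n0wall/mpd. It assumes that untagged option lines belong to the `LCP: Send...` message printed just before them; the sample lines are constructed in the format quoted in the post and the peer address is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log quoted in the post.
SAMPLE = """\
Oct 29 11:38:26 mpd: [pt0] LCP: SendConfigRej #5
Oct 29 11:38:26 mpd: CALLBACK
Oct 29 11:38:27 mpd: [pt0] LCP: SendConfigReq #154
Oct 29 11:38:27 mpd: MRU 1500
Oct 29 11:38:27 mpd: AUTHPROTO CHAP MSOFTv2
Oct 29 11:38:29 mpd: [pt0] LCP: state change Req-Sent --> Stopped
Oct 29 11:38:29 mpd: [pt0] LCP: parameter negotiation failed
Oct 29 11:38:29 mpd: pptp0: closing connection with 192.0.2.10:4206
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} mpd: (?:\[(?P<link>\w+)\] )?(?P<msg>.*)$")
SEND = re.compile(r"LCP: Send(Config\w+) #(\d+)")
STATE = re.compile(r"LCP: state change (\S+) --> (\S+)")

def summarize(log_text):
    """Return {link: {rejected, requests, states, failed}} for each [link] seen."""
    links = defaultdict(lambda: {"rejected": [], "requests": 0,
                                 "states": [], "failed": False})
    current = None  # (link, kind) of the LCP message whose option lines follow
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        link, msg = m["link"], m["msg"].strip()
        if link is None:
            # Assumption: an untagged line right after SendConfigRej names an
            # option the server refused to negotiate.
            if current and current[1] == "ConfigRej" and msg:
                links[current[0]]["rejected"].append(msg.split()[0])
            continue
        info = links[link]
        sent = SEND.search(msg)
        if sent:
            current = (link, sent[1])
            if sent[1] == "ConfigReq":
                info["requests"] += 1
            continue
        current = None  # any other tagged line ends the option list
        change = STATE.search(msg)
        if change:
            info["states"].append((change[1], change[2]))
        elif "parameter negotiation failed" in msg:
            info["failed"] = True
    return dict(links)
```

Running `summarize()` over successive connection attempts makes it easy to compare which options were rejected and where the LCP state machine stopped in a working session versus a failing one.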
« Reply #1 on: October 29, 2010, 16:41:10 »
notladstyle **
Posts: 53

what operating system are you trying to connect from?

what version of monowall are you using?

what settings are you using on the monowall server?

what other services are you running?

do you have any ports forwarded through NAT?

static or dynamic IP?
« Reply #2 on: October 29, 2010, 21:44:06 »
kalon17 *
Posts: 7

what operating system are you trying to connect from?
windows XP pro

what version of monowall are you using?
monowall 1.22

what settings are you using on the monowall server?
pptp enabled, server address 192.168.0.200, address range 192.168.0.224/28
all pptp traffic passed to any

what other services are you running?
only pptp tunnel on the monowall I believe.  I have a 2003 server doing dhcp for the rest of my network.

do you have any ports forwarded through NAT?
nothing set in the NAT section, but 1 tcp port forwarded in the firewall rules for administration

static or dynamic IP?
dynamic wan address, with dyndns set up. I have the same issue whether connecting to the dyndns url or directly to the current IP address
« Reply #3 on: October 31, 2010, 06:49:45 »
notladstyle **
Posts: 53

I have an identical setup which functions properly, however I'm running 1.32.

Do you have the ability to upgrade the firmware?
« Reply #4 on: November 02, 2010, 01:27:20 »
kalon17 *
Posts: 7

It's a weird issue.  I replaced the monowall server I was using with a newer machine today, with v1.32 and restored my configuration settings to the new machine.  It performs exactly the same.  The new machine does work faster, but otherwise no noticeable difference.  Internet routing still works great from the LAN side, but I can't get the VPN to connect.

So it doesn't appear to be my version number or hardware choice.
« Reply #5 on: November 02, 2010, 02:05:59 »
kalon17 *
Posts: 7

Here's what happens when I try to connect:

I click to connect with windows vpn client.
Client says connecting, then verifying username and password, then error message says:
----
error connecting
error 619: a connection to the remote computer could not be established, so the port used for this connection was closed.  For further assistance, click More Info or search Help and Support Center for this error number.
----
Then it starts a redial timer and retries the connection after a minute.

I don't know if that potentially sheds any light on anything, but it appears that I'm successfully reaching the monowall if it's trying to verify the username and pw.  I have reset the password to make sure that I've got the right pw.  I've tried creating a new user and connecting with that, but no change.
« Reply #6 on: November 02, 2010, 22:58:27 »
notladstyle **
Posts: 53

619 is usually caused by a failure to pass GRE data. Where are you trying to connect from?
« Reply #7 on: November 04, 2010, 01:36:46 »
kalon17 *
Posts: 7

The connections on both sides are provided by qwest dsl modems.  I have tried connecting to the monowall vpn from other sites though, with the same result. 

I did get this to work yesterday though, by removing the pptp rules and disabling the pptp vpn then re-enabling it, and adding the firewall rule back in.  And it worked all night with no issues.  Then I get up this morning, and it no longer works again. 

Like I said, I've replaced the monowall hardware, and upgraded the software from 1.2 to 1.32.  The only thing I haven't replaced in this scenario is the qwest modem that the monowall is plugged into.  I guess that's the next step, though I'm not confident it will fix it.

Anyone have any other ideas?

Illustration:
My Computer > cisco router > qwest dsl modem >>>> INTERNET  >>>> qwest dsl modem > Monowall
« Reply #8 on: November 04, 2010, 06:48:10 »
notladstyle **
Posts: 53

what rules have you set up?
« Reply #9 on: November 08, 2010, 05:02:44 »
kalon17 *
Posts: 7

I have 2 ports forwarded through inbound nat and wan fw to the respective computers.  I have 1 port forwarded through wan fw for monowall admin.

I have a couple lan rules set up to allow/disallow certain computers net access.

I have 1 pptp rule to let all pptp traffic in.

I was previously behind a cisco 678 in bridged mode, with the monowall acting as router/fw.  I just replaced my cisco 678 with an actiontec pk5000 and still have the same problem.  So I've now replaced my monowall hardware, bridged mode modem hardware, and upgraded from monowall 1.22 to 1.32.

Another detail:
my network is 192.168.0.0/24;  the pptp server address is 192.168.0.200 and range is set to 192.168.0.224/28 (16 addresses).  I do not have the monowall providing dns for my network, I have a server2k3 machine doing that. 
« Reply #10 on: November 08, 2010, 13:06:53 »
tuxfux *
Posts: 32

Hi,
I had the same problem. I found the reason (in my case):
I had on both LANs a firewall (in my case PfSense) which had an enabled pptp connection. When I disabled the pptp server on my side, I could again connect to the other network without a problem. Since I couldn't investigate the problem, I can't say if it is a bug or a configuration problem. But one thing is for sure: both LANs have different internal IP subnet masks.

Just try it...

good luck!

--tuxfux
« Reply #11 on: November 15, 2010, 11:33:56 »
kalon17 *
Posts: 7

Are you saying both LANs NEED to have different subnet masks?  Right now I have both LANs set up with the same 255.255.255.0 subnet mask, though the office network is 192.168.0.0 network and home is 192.168.100.0 network.  Is this my problem?  I will test it tomorrow, but I have successfully connected to the office vpn before with my current network structure.
« Reply #12 on: November 15, 2010, 12:29:30 »
tuxfux *
Posts: 32

Hi Kalon,

Sorry, my last sentence was wrong. I have the same subnet mask, but not the same subnet. Like in your case.
On my side I have a 172.0.0.0/24 net, while on the other side it's a 192.168.146.0/24 net. So I meant different subnets, not subnet masks. Sorry.

--tuxfux
 