Personal website of Dave Hope » Routing http://davehope.co.uk Open source projects, sysadmin stuff and general geekage Tue, 18 May 2010 11:46:44 +0000 en hourly 1 Juniper SSG140 PPTP Routing http://davehope.co.uk/Blog/juniper-ssg140-pptp-routing/ http://davehope.co.uk/Blog/juniper-ssg140-pptp-routing/#comments Wed, 30 Jul 2008 07:05:00 +0000 Dave http://davehope.co.uk/?p=77 At work I’ve just replaced a custom Linux box I’ve been running as our firewall and proxy with a Juniper Netscreen SSG140. I had a few problems forwarding PPTP traffic so thought I’d document the problems I came across and the solutions.

PPTP Forwarding

Firstly, I was having problems even forwarding the PPTP traffic. I’d initially setup a VIP on the external interface forwarding a custom PPTP service :

IP (47) src port: 2048-2048, dst port: 2048-2048
TCP src port: 0-65535, dst port: 1723-1723

I’d then setup a Policy to allow the relevant traffic through. Alas, no such luck. Ditching the VIP and having a fixed IP for VPN traffic seemed to work. To put it simply, use MIP rather than VIP.

Routing PPTP traffic for site to site links

The second problem was a little weird. At the moment we use MS-RAS for site to site links, I’d created a route on the Netscreen which was working, but connections would drop after a very short period of time (say 20 seconds). The routing was as follows (outbound shown in green, reutn shown in red).

Routing problem on SSG140

Thankfully the solution wasn’t too messy. Since the Netscreen was missing the return traffic it was dropping the connections. The solution is to log into the Netscreen via telnet and issue the following command:

unset flow tcp-syn-check

As if by magic, everything now works.

]]> http://davehope.co.uk/Blog/juniper-ssg140-pptp-routing/feed/ 0