Juniper SSG140 PPTP Routing
At work I’ve just replaced a custom Linux box I’ve been running as our firewall and proxy with a Juniper Netscreen SSG140. I had a few problems forwarding PPTP traffic so thought I’d document the problems I came across and the solutions.
PPTP Forwarding
Firstly, I was having problems even forwarding the PPTP traffic. I’d initially set up a VIP on the external interface forwarding a custom PPTP service:
IP (47) src port: 2048-2048, dst port: 2048-2048
TCP src port: 0-65535, dst port: 1723-1723
I’d then set up a policy to allow the relevant traffic through. Alas, no such luck. Ditching the VIP and having a fixed IP for VPN traffic seemed to work. To put it simply, use a MIP rather than a VIP.
Routing PPTP traffic for site to site links
The second problem was a little weird. At the moment we use MS-RAS for site to site links. I’d created a route on the Netscreen which was working, but connections would drop after a very short period of time (say 20 seconds). The routing was as follows (outbound shown in green, return shown in red).
Thankfully the solution wasn’t too messy. Since the Netscreen never saw the return traffic, it was dropping the connections. The solution is to log into the Netscreen via telnet and issue the following command:
unset flow tcp-syn-check
As if by magic, everything now works.
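To make the mechanism concrete, here is an added Python model of a stateful firewall with a TCP SYN check. It is an illustration written for this page, not ScreenOS code and not from the original post. It assumes a 20 second window in which the three-way handshake must complete before a half-open session is aged out, that traffic does not refresh a half-open session, and a long idle timeout once the handshake has been seen; the addresses and the packet sequence are constructed. It replays the same PPTP control connection three ways: asymmetric return path with the check on (the failing case above), symmetric path with the check on, and asymmetric path with the check off (the fix).

```python
"""Toy model of a stateful firewall with a tcp-syn-check option.

Added illustration only; the timers and state machine are assumptions
chosen to reproduce the behaviour described above, not ScreenOS internals.
"""
from dataclasses import dataclass

PENDING_TIMEOUT = 20.0        # assumed: window in which the handshake must complete
ESTABLISHED_TIMEOUT = 1800.0  # assumed: idle timeout once the handshake has been seen


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # SYN flag set
    ack: bool       # ACK flag set


@dataclass
class Session:
    created: float
    last_seen: float
    initiator: tuple          # (ip, port) that sent the SYN
    established: bool = False


class Firewall:
    def __init__(self, syn_check: bool):
        self.syn_check = syn_check
        self.sessions: dict[tuple, Session] = {}
        self.log: list[str] = []

    @staticmethod
    def key(p: Packet) -> tuple:
        # Direction-independent 5-tuple so both halves of a flow share one session
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _expire(self, now: float) -> None:
        for k, s in list(self.sessions.items()):
            if s.established:
                dead = now - s.last_seen > ESTABLISHED_TIMEOUT
            else:
                # Half-open sessions are not refreshed by traffic (assumed model):
                # the handshake has to complete before the window closes.
                dead = now - s.created > PENDING_TIMEOUT
            if dead:
                del self.sessions[k]
                self.log.append(f"{now:6.1f}s  age out {k}")

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(p.t)
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            if self.syn_check and not p.syn:
                self.log.append(f"{p.t:6.1f}s  DROP no session, not SYN {p.src}:{p.sport}->{p.dst}:{p.dport}")
                return False
            # With the check off any permitted packet opens a session, so the
            # policy rules alone decide what gets in; keep them tightly scoped.
            self.sessions[k] = Session(created=p.t, last_seen=p.t,
                                       initiator=(p.src, p.sport),
                                       established=not self.syn_check)
            self.log.append(f"{p.t:6.1f}s  PASS new session {k}")
            return True
        # A SYN-ACK from the responder completes the handshake for a pending session
        if not s.established and p.syn and p.ack and (p.src, p.sport) != s.initiator:
            s.established = True
            self.log.append(f"{p.t:6.1f}s  handshake complete {k}")
        s.last_seen = p.t
        self.log.append(f"{p.t:6.1f}s  PASS {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return True


CLIENT = ("10.1.1.10", 40000)   # constructed: RAS client behind the Netscreen
SERVER = ("192.0.2.20", 1723)   # constructed: PPTP control channel at the remote site


def site_to_site(fw: Firewall, symmetric: bool) -> list[bool]:
    """Replay a PPTP control connection and return the per-packet verdicts.

    symmetric=False models the page's situation: the return path bypasses the
    firewall, so it never sees the server's SYN-ACK.
    """
    def out(t, syn, ack):
        return Packet(t, *CLIENT, *SERVER, syn, ack)

    def back(t, syn, ack):
        return Packet(t, *SERVER, *CLIENT, syn, ack)

    pkts = [out(0.0, True, False)]              # client SYN
    if symmetric:
        pkts.append(back(0.1, True, True))      # server SYN-ACK seen by the firewall
    pkts += [out(0.2, False, True),             # client ACK (its half of the handshake)
             out(5.0, False, True),             # PPTP control traffic
             out(25.0, False, True)]            # traffic after the 20 s window
    return [fw.forward(p) for p in pkts]


if __name__ == "__main__":
    for label, check, sym in [("asymmetric, syn-check on", True, False),
                              ("symmetric, syn-check on", True, True),
                              ("asymmetric, syn-check off", False, False)]:
        fw = Firewall(syn_check=check)
        print(f"== {label}: {site_to_site(fw, sym)}")
        print("\n".join(fw.log))
```

The first run reproduces the symptom: the outbound SYN opens a session, but because the SYN-ACK never passes the Netscreen the session stays half-open, is aged out at 20 seconds, and the next data packet is dropped because a new session must begin with a SYN. The second run shows that the same check is harmless when routing is symmetric, and the third shows what `unset flow tcp-syn-check` buys: the data packet simply opens a fresh session. The trade-off is that, with the check off, any permitted non-SYN packet can create a session, so the policy allowing the site to site traffic should name the peer addresses and the PPTP service rather than a broad any/any rule; fixing the route so the return traffic does pass the Netscreen would let the check stay enabled.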