PPTP, VPN tunel, NAT a MTU (delsi)

Lars lars.cz na gmail.com
Středa Duben 12 13:25:54 CEST 2006 

Dobry den,

resim problem s nasledujici konfiguraci:

klienti
WXP (wifi)    -->   HW AP (NAT) -->  Linux VPN tunel s maskaradou -->
router do UPC (NAT) ->
192.168.2.0/24    192.168.1.4           192.168.1.0/24
           UPC DHCP

Vypada to divoce, ale neni to tak straslive a chodi to. VPN tunel se
pripojuje pres PPTP do firmy a maskaraduje klienty na lokalni siti
(tedy vlastne jen jednu IP, nebot klienti uz za jednim NATem jsou).
Zjednoduseni site neni v tuto chvili mozne.

Na Linuxu je kernel 2.6.15 a nakonfigurovane PPTP spojeni. Klienty je
nutne bud skryt za NAT nebo maskaradu, coz je nastavene pomoci
iptables:

(sit triton je 10.0.0.0/8)

-- skript ip-up ----
/sbin/route add -net triton/8 window 16384 dev ${IFNAME}

# fix path MTU discovery
/sbin/iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN
\
   --jump TCPMSS --clamp-mss-to-pmtu

/sbin/iptables --append OUTPUT --protocol tcp --tcp-flags SYN,RST SYN \
   --jump TCPMSS --clamp-mss-to-pmtu

# output to triton
/sbin/iptables --insert OUTPUT 1 \
   --source 0.0.0.0/0.0.0.0 \
   --destination triton/8 \
   --jump ACCEPT --out-interface ${IFNAME}

/sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED
--jump ACCEPT
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED
--jump ACCEPT
/sbin/iptables --append FORWARD -m state --state ESTABLISHED,RELATED
--jump ACCEPT

#input from triton
/sbin/iptables --append INPUT \
   --source triton/8 \
   --jump ACCEPT --in-interface ${IFNAME}

# forward from any to triton
/sbin/iptables --append FORWARD \
   --destination triton/8 \
   --jump ACCEPT --out-interface ${IFNAME}

# forward from triton to any
/sbin/iptables --append FORWARD \
   --source triton/8 \
   --jump ACCEPT --in-interface ${IFNAME}

# masquerade ppp0
/sbin/iptables --table nat --append POSTROUTING \
   --destination triton/8 \
   --out-interface ${IFNAME} --jump MASQUERADE
------------------------------------

vypis kompletnich iptables

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  triton/8             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             triton/8
ACCEPT     all  --  triton/8             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             triton/8
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             triton/8

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-------------------------------------

Nereste prosim bezpecnost danych pravidel, o to zatim nejde. Az mi
vsechno pujde spravne, budu utahovat srouby.


Mam potize s velikosti paketu pro to PPTP spojeni. Z one Linuxove
gatewaye si bez problemu pinknu treba 35k velikym paketem - posledni
NAT a UPC to zvlada:

# ping www.seznam.cz -s 35000
PING www.seznam.cz (212.80.76.18) 35000(35028) bytes of data.
35008 bytes from www.seznam.cz (212.80.76.18): icmp_seq=1 ttl=58
time=1098 ms
35008 bytes from www.seznam.cz (212.80.76.18): icmp_seq=3 ttl=58
time=845 ms
35008 bytes from www.seznam.cz (212.80.76.18): icmp_seq=6 ttl=58
time=1100 ms

Do site triton ale plati maximum MTU (nastavene v /etc/ppp/options.pptp
na 1400) minus 32:

# ping 10.0.1.204 -s 1368
PING 10.0.1.204 (10.0.1.204) 1368(1396) bytes of data.
1376 bytes from 10.0.1.204: icmp_seq=1 ttl=128 time=72.2 ms
1376 bytes from 10.0.1.204: icmp_seq=2 ttl=128 time=71.9 ms

--- 10.0.1.204 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 71.919/72.080/72.242/0.313 ms

# ping 10.0.1.204 -s 1369
PING 10.0.1.204 (10.0.1.204) 1369(1397) bytes of data.

--- 10.0.1.204 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms


Potiz je v tom, ze kdyz aplikace na klientu posle vetsi paket nez je
limit na tunelu, tak ten je tise zahozen a aplikace se o tom nedozvi,
takze posila znova a pak skonci.
Omezeni MTU na klientech neni mozne.

Ma otazka tedy zni - jak zajistit, aby se bud klienti dozvedeli o
omezeni MTU, nebo se pakety na VPN tunelu transparentne fragmentovaly a
defragmentovaly (je-li to vubec mozne)? Mam v uvedene konfiguraci
nejakou chybu? Mate nejaka doporuceni?


Dekuji predem za tipy,

Jirka

Další informace o konferenci Linux