PPTP over 3G connection

jersey
Member, joined Jul 9, 2004
Anyone tried?... I am testing PPTP over 3G at the moment. I can freely connect via IBurst (not very happy about consistency of the performance) and via Sentech (very stable so far), but the PPTP connection does not go through the masqueraded 3G network. The interesting thing is that I can telnet to my PPTP server on port 1723, so the problem is more complex than just opening the port.

3G guys from Vodacom?... any comments?

Best regards
 
jersey said:
Anyone tried?... I am testing PPTP over 3G at the moment. I can freely connect via IBurst (not very happy about consistency of the performance) and via Sentech (very stable so far), but the PPTP connection does not go through the masqueraded 3G network. The interesting thing is that I can telnet to my PPTP server on port 1723, so the problem is more complex than just opening the port.

3G guys from Vodacom?... any comments?

Best regards
AFAIK you need to call Vodacom [probably 155] and ask them to switch you over to the InternetVPN ;).
 
Thanks IC... I did phone them... half an hour later I was online :)) I feel like a moron :)))
 
Strange thing that... I would think that Vodacom would pre-configure the APN required as part of the package. I remember last year when the service first launched - I spent hours on the phone with them convincing THEM that the APN was wrong. Eventually, I got through to someone who knew what she was talking about - and it was fixed chop chop. I am glad to see that customer service is up to speed with this now!
 
ScrnScrm said:
Strange thing that... I would think that Vodacom would pre-configure the APN required as part of the package. I remember last year when the service first launched - I spent hours on the phone with them convincing THEM that the APN was wrong. Eventually, I got through to someone who knew what she was talking about - and it was fixed chop chop. I am glad to see that customer service is up to speed with this now!

Hey ScrnScrm,

I think Vodacom is protecting you from hackers etc. Look at your IP on the internet APN vs the internetvpn APN - the latter is public and has the right protocol active (83 iirc).

Later !
 
Tazz_Tux said:
Hey ScrnScrm,

I think Vodacom is protecting you from hackers etc. Look at your IP on the internet APN vs the internetvpn APN - the latter is public and has the right protocol active (83 iirc).

Later !

Yip, that they are. And conserving precious legal IPs :D But then why block ports on the NAT device anyway? Not even necessary to have a legal IP if the firewall is configured correctly...
 
You're spot-on on preserving IPs, but there's no port blocking that I'm aware of.

What often happens (not sure if applicable here) is that the client application carries the host's IP in its payload, so it does not get NATed, while in the IP portion (network layer) it does.

The server then sees two conflicting IP addresses (the NATed one in the header and the native one in the payload), gets very confused and won't establish a connection.

For these applications, we then move you to the internetvpn APN.
 
vodacom3g said:
You're spot-on on preserving IPs, but there's no port blocking that I'm aware of.

What often happens (not sure if applicable here) is that the client application carries the host's IP in its payload, so it does not get NATed, while in the IP portion (network layer) it does.

The server then sees two conflicting IP addresses (the NATed one in the header and the native one in the payload), gets very confused and won't establish a connection.

For these applications, we then move you to the internetvpn APN.

hey v3g,

When I tried it I couldn't connect to my device connected to the vpn apn, maybe things have changed...

Later,
 
Actually, for PPTP to work you don't _need_ a public IP. Instead Vodacom need to just support PPTP tracking on their NAT gateways. So for those of us who want to be able to connect to PPTP VPNs there is no real good news.

Connecting to the internetvpn APN may or may not help currently, but the point is that we should be able to connect even over the NATed network.

PPTP establishes a control connection over TCP, but the actual point-to-point data travels over GRE (protocol=41). Thus the NAT gateway needs to not only track the TCP connection, as it's doing currently, but it also needs to allow (and redirect) the GRE traffic associated with the PPTP connection.

The GRE traffic at this point gets allowed out from the private network and arrives at the PPTP server; the server (mine at least) responds correctly, as the source IP address of the GRE packet was SNATed correctly; however, the response never reaches my notebook.
 
Ok, I've just had a very long talk with various Vodacom technicians and finally spoke with a helpful person. To prevent him being flooded I'll rather not mention his name.

Status is as follows:

internet apn: allows outbound tcp and udp connections on any/all ports. no GRE/AH/ESP (required for PPTP or IPsec VPNs, although an IPsec client capable of using NAT traversal on port 4500 may still function if the server has NAT traversal enabled on port 4500).

internetvpn apn: as above, except _all_ inbound GRE traffic is also allowed. Thus: only connect to the internetvpn apn when you intend to actually connect to a VPN.

unrestricted: totally open.

This is probably old news for most though. What is a bit strange is that they claim to be doing "related traffic" tracking, which presumably fixes some issues protocols like ftp may be seeing with active ftp connections (ie, server establishes data connection), but based on what I've seen I wouldn't be surprised if this was in fact not true.

The reason I say strange is because I can punch GRE traffic to any of the internetvpn apn IPs and it actually gets through to the client. Thus a potential DoS on their internetvpn clients would simply be to flood it with random GRE traffic. This would also have serious cost implications for their clients.

This also makes it an almost useless solution for fail-over in corporate environments, as it's not really possible to CAP your risk in terms of cost on your fail-over account in the case where the account remains idle. Not unless you do on-demand dialing, which is probably not a bad idea anyway, except you probably want incoming connections to be accepted, which means you want to auto-dial immediately when your primary connection goes down.
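The two posts above describe the same mechanism from both sides: PPTP negotiates Call IDs on TCP/1723 and then carries the PPP frames in GRE, so a NAT gateway can only forward the return GRE if it has read the control channel and knows which private client the Call ID belongs to ("related traffic" tracking), and a gateway that instead lets all inbound GRE through exposes every client to the flood described. The following toy model of such a PPTP NAT helper is an added example written for this thread, not code from any poster or from Vodacom's equipment. The class name, the address values and the call flow are constructed for illustration; the message layouts follow RFC 2637 (12-byte control header, Call ID at offset 12 of an Outgoing-Call-Request, Call ID and Peer's Call ID at offsets 12 and 14 of an Outgoing-Call-Reply, Call ID in the low 16 bits of the enhanced-GRE Key field). Netfilter's nf_nat_pptp module does the same job for real.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CTRL_MSG = 1
OUT_CALL_REQUEST = 7
OUT_CALL_REPLY = 8
GRE_PPP = 0x880B            # enhanced GRE protocol type carrying PPP (RFC 2637)
GRE_FLAGS_K_S_V1 = 0x3001   # Key and Sequence present, GRE version 1


def pptp_ctrl(ctrl_type, body):
    """Build a PPTP control message: 12-byte header followed by the body."""
    return struct.pack("!HHIHH", 12 + len(body), PPTP_CTRL_MSG, PPTP_MAGIC, ctrl_type, 0) + body


def ctrl_type(msg):
    """Validate the control header and return the Control Message Type."""
    length, mtype, magic, ctype, _ = struct.unpack_from("!HHIHH", msg, 0)
    if mtype != PPTP_CTRL_MSG or magic != PPTP_MAGIC or length != len(msg):
        raise ValueError("not a well-formed PPTP control message")
    return ctype


def out_call_request(call_id):
    # Call ID, Call Serial Number, then 152 bytes of parameters this toy does not model
    return pptp_ctrl(OUT_CALL_REQUEST, struct.pack("!HH", call_id, 1) + bytes(152))


def out_call_reply(server_call_id, peer_call_id):
    # Call ID, Peer's Call ID, Result Code=1 (connected), Error, Cause, then 12 unmodelled bytes
    return pptp_ctrl(OUT_CALL_REPLY, struct.pack("!HHBBH", server_call_id, peer_call_id, 1, 0, 0) + bytes(12))


def gre_ppp(call_id, seq, payload):
    """Enhanced GRE packet; Key = payload length (16 bits) + receiver's Call ID (16 bits)."""
    return struct.pack("!HHHHI", GRE_FLAGS_K_S_V1, GRE_PPP, len(payload), call_id, seq) + payload


def gre_call_id(pkt):
    flags, proto, _, call_id, _ = struct.unpack_from("!HHHHI", pkt, 0)
    if proto != GRE_PPP or not flags & 0x2000:      # Key bit must be set
        raise ValueError("not a PPTP GRE packet")
    return call_id


def set_gre_call_id(pkt, call_id):
    return pkt[:6] + struct.pack("!H", call_id) + pkt[8:]


class PptpNat:
    """Constructed model of a carrier NAT with a PPTP helper: it forwards GRE only for calls
    it has seen negotiated on TCP/1723, and rewrites client Call IDs so two private clients
    that both chose Call ID 1 can coexist behind one public address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_call_id = 0x4000          # NAT-chosen Call IDs, unique on this gateway
        self.by_nat_id = {}                 # nat_call_id -> session record

    def outbound_ctrl(self, priv_ip, server_ip, msg):
        """Client -> server control message: SNAT, and rewrite the client's Call ID."""
        if ctrl_type(msg) == OUT_CALL_REQUEST:
            client_call_id = struct.unpack_from("!H", msg, 12)[0]
            nat_id, self.next_call_id = self.next_call_id, self.next_call_id + 1
            self.by_nat_id[nat_id] = {"priv_ip": priv_ip, "server_ip": server_ip,
                                      "client_call_id": client_call_id, "server_call_id": None}
            msg = msg[:12] + struct.pack("!H", nat_id) + msg[14:]
        return self.public_ip, msg

    def inbound_ctrl(self, server_ip, priv_ip, msg):
        """Server -> client reply on the tracked TCP connection: learn the server's Call ID,
        and put the client's original Call ID back into the Peer's Call ID field."""
        if ctrl_type(msg) == OUT_CALL_REPLY:
            server_call_id, nat_id = struct.unpack_from("!HH", msg, 12)
            sess = self.by_nat_id.get(nat_id)
            if not sess or sess["priv_ip"] != priv_ip or sess["server_ip"] != server_ip:
                return None                  # reply for a call nobody behind us requested
            sess["server_call_id"] = server_call_id
            msg = msg[:14] + struct.pack("!H", sess["client_call_id"]) + msg[16:]
        return priv_ip, msg

    def outbound_gre(self, priv_ip, server_ip, pkt):
        """Client -> server GRE carries the server's Call ID; allow only for established calls."""
        cid = gre_call_id(pkt)
        for sess in self.by_nat_id.values():
            if (sess["priv_ip"], sess["server_ip"], sess["server_call_id"]) == (priv_ip, server_ip, cid):
                return self.public_ip, pkt
        return None

    def inbound_gre(self, server_ip, pkt):
        """Server -> client GRE carries the NAT-chosen Call ID: DNAT to the private client and
        restore its Call ID. GRE that matches no tracked call (a random flood) is dropped."""
        sess = self.by_nat_id.get(gre_call_id(pkt))
        if not sess or sess["server_ip"] != server_ip or sess["server_call_id"] is None:
            return None
        return sess["priv_ip"], set_gre_call_id(pkt, sess["client_call_id"])


def demo():
    """One call through the NAT plus one unrelated GRE packet; addresses are constructed."""
    nat = PptpNat("192.0.2.10")
    client, server = "10.0.0.5", "203.0.113.7"
    _, req = nat.outbound_ctrl(client, server, out_call_request(1))      # client picks Call ID 1
    nat_call_id = struct.unpack_from("!H", req, 12)[0]                  # what the server sees
    _, reply = nat.inbound_ctrl(server, client, out_call_reply(77, nat_call_id))
    lcp = b"\xff\x03\xc0\x21"                                           # PPP header + LCP
    out = nat.outbound_gre(client, server, gre_ppp(77, 0, lcp))
    back = nat.inbound_gre(server, gre_ppp(nat_call_id, 0, lcp))
    flood = nat.inbound_gre("198.51.100.99", gre_ppp(0xBEEF, 0, b"junk"))
    return {"nat_call_id": nat_call_id,
            "peer_id_restored": struct.unpack_from("!H", reply, 14)[0],
            "outbound_allowed": out is not None,
            "client_dst": back[0], "client_call_id_restored": gre_call_id(back[1]),
            "flood_dropped": flood is None}


if __name__ == "__main__":
    print(demo())
```

The return GRE reaches the private client only because the helper read the Call IDs off TCP/1723; without that step the gateway has nothing to match a GRE packet against, which is exactly the symptom of a control connection that succeeds while the tunnel never comes up. The same lookup is what makes "allow related GRE" strictly better than "allow all inbound GRE": the unrelated packet is discarded before it is billed to anyone.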
 
Ok, I've just had a very long talk with various Vodacom technicians and finally spoke with a helpful person. To prevent him being flooded I'll rather not mention his name.

Status is as follows:

internet apn: allows outbound tcp and udp connections on any/all ports. no GRE/AH/ESP (required for PPTP or IPsec VPNs, although an IPsec client capable of using NAT traversal on port 4500 may still function if the server has NAT traversal enabled on port 4500).

internetvpn apn: as above, except _all_ inbound GRE traffic is also allowed. Thus: only connect to the internetvpn apn when you intend to actually connect to a VPN.

unrestricted: totally open.

This is probably old news for most though. What is a bit strange is that they claim to be doing "related traffic" tracking, which presumably fixes some issues protocols like ftp may be seeing with active ftp connections (ie, server establishes data connection), but based on what I've seen I wouldn't be surprised if this was in fact not true.

The reason I say strange is because I can punch GRE traffic to any of the internetvpn apn IPs and it actually gets through to the client. Thus a potential DoS on their internetvpn clients would simply be to flood it with random GRE traffic. This would also have serious cost implications for their clients.

This also makes it an almost useless solution for fail-over in corporate environments, as it's not really possible to CAP your risk in terms of cost on your fail-over account in the case where the account remains idle. Not unless you do on-demand dialing, which is probably not a bad idea anyway, except you probably want incoming connections to be accepted, which means you want to auto-dial immediately when your primary connection goes down.

Which is the way I would expect any network manager to set it up, surely?
 
Thought of IP-in-IP tunneling?

The problem with GRE is that it's a protocol (protocol 0x40 iirc), not really a stateful one either (at least as far as a firewall is aware).

Vodacom - like most other big networks - will run hardware firewalls; these aren't really as easy to update as software firewalls (iptables, netfilter, ipfw etc - yes, Linux firewalls, Windows isn't in the picture right now).

Taken from the release notes of netfilter (the creators of iptables), they included support for GRE in 2002, yet I have yet to see a site running it (might be because of lack of trying on my side :) )

In any case - long story short - try as they might, Vodacom can't block inbound GRE traffic ("out of connection traffic") until the hardware vendors release the updates for it.

P.S. Unconfirmed - I can't remember if GRE is encrypted; if it is, which I am sure it is, the router can't decode the packets since they're encrypted - same as https etc.
P.P.S. Maybe read up on GRE - I did it a while ago and right now the mind is not in a state to really recall all the facts etc.

Laterz !
 