PPTP VPN: GRE version 5

DD-WRT Forum Index -> Broadcom SoC based Hardware
gmichels
DD-WRT Novice


Joined: 19 Aug 2006
Posts: 15

Posted: Mon Feb 26, 2007 16:06    Post subject: PPTP VPN: GRE version 5
Hi all,

I'm trying to connect to a PPTP VPN server using WinXP SP2's built-in PPTP client behind a WRT54GL using DD-WRT v24 (beta as of last week).

I can connect normally, however when I start a network intensive application (such as uTorrent or Azureus), the internet connection "dies" after a couple of minutes. I'm not disconnected, however I lose all my vpn connectivity, as I can only ping the VPN gateway, nothing more.

Here's what the router log shows the moment I lose all connectivity:
Code:
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:17 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:17 gateway user.warn kernel: unknown GRE version 5

If I remove the router and connect the cable modem directly to the Windows box, everything is fine.

Some have said it looks like the router doesn't support GRE version 5. Is that true? How can I check about this?

Here are some references about this problem. This one is my own topic created on the VPN company forum, and this one is a reference about the same issue.

Thanks!
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Mon Feb 26, 2007 16:08    Post subject:
Search the wiki for router slowdown, try that and report back.
_________________
Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N

Donater
gmichels
DD-WRT Novice


Joined: 19 Aug 2006
Posts: 15

Posted: Mon Feb 26, 2007 16:26    Post subject:
cyberde wrote:
Search the wiki for router slowdown, try that and report back.

Thanks for answering! Since the first day I had this router, I set the tcp/udp timeouts to 120 and the table size to 4096, as I'm a heavy bittorrent user. I never had problems with the conntrack table being full and I always monitored the number of active IP connections, which is usually below 200.

Now my ISP is doing heavy traffic shaping and the bittorrent encryption is no longer working, so I'm trying to pipe all my traffic thru a VPN to get the speeds I should get. The problem is the connection dies with those messages a couple of minutes after I start my bittorrent client.

Any other suggestions? Thanks again.
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Mon Feb 26, 2007 16:28    Post subject:
Is there any process using a lot of CPU power while downloading? E.g. bctrl or something like that?
gmichels
DD-WRT Novice


Joined: 19 Aug 2006
Posts: 15

Posted: Mon Feb 26, 2007 22:49    Post subject:
cyberde wrote:
Is there any process using a lot of CPU power while downloading? E.g. bctrl or something like that?

Nope, almost no load at the router.

Code:
Mem: 13260K used, 820K free, 0K shrd, 744K buff, 3224K cached
Load average: 0.04 0.05 0.01

What I noticed is sometimes I get a burst of these messages on the router's log but the connection is still alive. Then after a little while, the log gets flooded with the messages and the connection is gone (though not really disconnected or hung up).
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Tue Feb 27, 2007 14:23    Post subject:
Phew, I must honestly say I'm stumped. I have no idea what could cause this. The processes are still running? And what if you start your PPTP client in debug mode?
gmichels
DD-WRT Novice


Joined: 19 Aug 2006
Posts: 15

Posted: Tue Feb 27, 2007 15:07    Post subject:
cyberde wrote:
Phew, I must honestly say I'm stumped. I have no idea what could cause this. The processes are still running? And what if you start your PPTP client in debug mode?

Yeah, me too.

Here's what the pptp client shows when the router starts complaining about the unknown GRE version:

Code:
rcvd [LCP ProtRej id=0x70 59 ae 22 41 d5 15 51 fc 50 3a 4b 21 ...]
rcvd [LCP ProtRej id=0x71 b5 a7 dc 7d 99 fd eb ec 92 5e 0b b6 ...]
rcvd [LCP ProtRej id=0x72 e9 62 fb 15 c1 b5 e0 b3 92 22 46 1e ...]
rcvd [LCP ProtRej id=0x73 19 3d 51 49 25 4f 25 f9 98 0d 1f 70 ...]
rcvd [LCP ProtRej id=0x74 cc 09 4e a5 62 59 92 cf 88 8d 4b 99 ...]


Which, according to pptpclient's diagnosis page, are caused by:

Quote:
Diagnosis: the PPTP Server has negotiated 40-bit MPPE, but the client has negotiated 128-bit MPPE. The protocol reject messages are triggered by the pppd reading the improperly decoded data stream. Cause of this situation is not known, but it may be due to the PPTP Server being configured for 40-bit encryption only.

Which is not the case as the connection is 128-bit.

I know tomato users have the same problem, so maybe it's a netfilter issue?
gmichels
DD-WRT Novice


Joined: 19 Aug 2006
Posts: 15

Posted: Wed Feb 28, 2007 14:10    Post subject:
Connecting from my office, which is a Shorewall firewall (netfilter + iptables, though 2.6 kernel) is trouble-free.

What I noticed is when connecting from the office, there's no need for the "special" vpn modules such as ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre and ip_nat_proto_gre. I see these modules are needed when multiple clients behind the same router wish to connect to the same server.

I don't have any need for that, so in order to remove those modules, I need to disable PPTP passthrough. With it disabled I can't connect the VPN anymore, but how come I can connect without the same modules on my office firewall? Maybe there's a way to achieve the same in DD-WRT, does anyone know how?
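
Added example, not part of any post in this thread and not DD-WRT or kernel code: a small decoder for the GRE header that PPTP uses (enhanced GRE, version 1, RFC 2637), for checking what a captured packet's version field actually contains. It assumes the kernel warning quoted in the first post reports the 3-bit Ver field of that header; the sample headers are constructed, not taken from the thread.

```python
import struct

PPTP_PROTO = 0x880B  # protocol type for PPP in enhanced GRE (RFC 2637)

def parse_gre(hdr: bytes) -> dict:
    """Decode a GRE header; for version 1 also decode the PPTP-specific fields."""
    if len(hdr) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, proto = struct.unpack("!HH", hdr[:4])
    info = {
        "version": flags & 0x0007,            # Ver: low 3 bits of the first word
        "protocol": proto,
        "key": bool(flags & 0x2000),          # K bit
        "seq_present": bool(flags & 0x1000),  # S bit
        "ack_present": bool(flags & 0x0080),  # A bit
    }
    ver = info["version"]
    if ver == 0:
        info["verdict"] = "GRE version 0"
    elif ver != 1:
        info["verdict"] = f"unknown GRE version {ver}"
    elif proto != PPTP_PROTO or not info["key"] or len(hdr) < 8:
        info["verdict"] = "version 1 but not a well-formed PPTP header"
    else:
        # In PPTP the key field is split: payload length, then call ID.
        info["payload_len"], info["call_id"] = struct.unpack("!HH", hdr[4:8])
        off = 8
        for name, present in (("seq", info["seq_present"]),
                              ("ack", info["ack_present"])):
            if present:
                if len(hdr) < off + 4:
                    raise ValueError(f"truncated before {name} number")
                info[name] = struct.unpack("!I", hdr[off:off + 4])[0]
                off += 4
        info["verdict"] = "PPTP enhanced GRE (version 1)"
    return info

# Constructed sample headers (not captured from the setup in this thread).
SAMPLE_PPTP = bytes.fromhex("3081880b" "00201234" "00000005" "00000004")
SAMPLE_V5 = bytes.fromhex("3085880b" "00201234" "00000005" "00000004")

if __name__ == "__main__":
    for sample in (SAMPLE_PPTP, SAMPLE_V5):
        print(parse_gre(sample)["verdict"])
```

Feeding it the first bytes after the IP header of protocol-47 packets captured on either side of the router shows whether the version field differs between the two sides.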