Posted: Mon Feb 26, 2007 16:06 Post subject: PPTP VPN: GRE version 5
Hi all,
I'm trying to connect to a PPTP VPN server using the WinXP SP2 built-in PPTP client behind a WRT54GL running DD-WRT v24 (beta as of last week).
I can connect normally, however when I start a network-intensive application (such as uTorrent or Azureus), the internet connection "dies" after a couple of minutes. I'm not disconnected, however I lose all my VPN connectivity, as I can only ping the VPN gateway, nothing more.
Here's what the router log shows the moment I lose all connectivity:
Code:
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:16 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:17 gateway user.warn kernel: unknown GRE version 5
Feb 26 01:59:17 gateway user.warn kernel: unknown GRE version 5
If I remove the router and connect the cable modem directly to the Windows box, everything is fine.
Some have said it looks like the router doesn't support GRE version 5. Is that true? How can I check about this?
Here are some references about this problem. This one is my own topic created on the VPN company forum, and this one is a reference about the same issue.
Search the wiki for router slowdown, try that and report back.
Thanks for answering! Since the first day I had this router, I set the tcp/udp timeouts to 120 and the table size to 4096, as I'm a heavy bittorrent user. I never had problems with the conntrack table being full and I always monitored the number of active IP connections, which is usually below 200.
Now my ISP is doing heavy traffic shaping and the bittorrent encryption is no longer working, so I'm trying to pipe all my traffic through a VPN to get the speeds I should get. The problem is the connection dies with those messages a couple of minutes after I start my bittorrent client.
Joined: 07 Jun 2006 Posts: 1488 Location: the Netherlands
Posted: Mon Feb 26, 2007 16:28 Post subject:
Is there any process using a lot of CPU power while downloading? E.g. bctrl or something like that?
_________________
Firmware: DD-WRT v24-sp2 (latest available) mega WRT320N
What I noticed is sometimes I get a burst of these messages on the router's log but the connection is still alive. Then after a little while, the log gets flooded with the messages and the connection is gone (though not really disconnected or hung up).
Posted: Tue Feb 27, 2007 14:23 Post subject:
Phew, I must honestly say I'm stumped. I have no idea what could cause this. Are the processes still running? And what if you start your PPTP client in debug mode?
Phew, I must honestly say I'm stumped. I have no idea what could cause this. Are the processes still running? And what if you start your PPTP client in debug mode?
Yeah, me too.
Here's what the pptp client shows when the router starts complaining about the unknown GRE version:
Diagnosis: the PPTP Server has negotiated 40-bit MPPE, but the client has negotiated 128-bit MPPE. The protocol reject messages are triggered by the pppd reading the improperly decoded data stream. Cause of this situation is not known, but it may be due to the PPTP Server being configured for 40-bit encryption only.
Which is not the case as the connection is 128-bit.
I know Tomato users have the same problem, so maybe it's a netfilter issue?
Connecting from my office, which is a Shorewall firewall (netfilter + iptables, though 2.6 kernel) is trouble-free.
What I noticed is when connecting from the office, there's no need for the "special" vpn modules such as ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre and ip_nat_proto_gre. I see these modules are needed when multiple clients behind the same router wish to connect to the same server.
I don't have any need for that, so in order to remove those modules, I need to disable PPTP passthrough. With it disabled I can't connect the VPN anymore, but how come I can connect without the same modules on my office firewall? Maybe there's a way to achieve the same in DD-WRT, does anyone know how?
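For anyone wanting to check what "GRE version" means in the log lines quoted in this thread: the version is a 3-bit field in the GRE header, where plain GRE uses 0 and PPTP's enhanced GRE (RFC 2637) uses 1. The decoder below is an added example, not code from any poster or from DD-WRT; it reads GRE payloads (IP protocol 47) taken from a packet capture, and the sample bytes and function names are constructed for illustration.

```python
import struct
from collections import Counter

GRE_PROTO_PPP = 0x880B  # protocol type carried by PPTP's enhanced GRE (RFC 2637)

def parse_gre(data: bytes) -> dict:
    """Decode the fixed 4-byte GRE header and, for PPTP, the key field."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    hdr = {
        "version": flags & 0x0007,          # low 3 bits of the first 16-bit word
        "protocol": proto,
        "key_present": bool(flags & 0x2000),
        "seq_present": bool(flags & 0x1000),
        "ack_present": bool(flags & 0x0080),
    }
    if hdr["version"] == 1 and hdr["key_present"]:
        if len(data) < 8:
            raise ValueError("truncated PPTP key field")
        # In PPTP the key field is split into payload length and call ID.
        hdr["payload_len"], hdr["call_id"] = struct.unpack("!HH", data[4:8])
    return hdr

def classify(data: bytes) -> str:
    """Label a GRE payload as plain GRE, PPTP, or carrying an unexpected version."""
    h = parse_gre(data)
    if h["version"] == 0:
        return "gre-v0"
    if h["version"] == 1 and h["protocol"] == GRE_PROTO_PPP and h["key_present"]:
        return "pptp"
    return "unknown-version-%d" % h["version"]

def summarize(packets) -> Counter:
    """Count classifications over an iterable of GRE payloads from a capture."""
    return Counter(classify(p) for p in packets)

# Constructed samples (not taken from the poster's traffic):
PPTP_DATA = bytes.fromhex("3001880b0010123400000001")  # K+S set, version 1, call ID 0x1234
PLAIN_GRE = bytes.fromhex("00000800")                  # version 0, carrying IPv4
ODD_VER = bytes.fromhex("3005880b0010123400000002")    # version bits set to 5

if __name__ == "__main__":
    print(summarize([PPTP_DATA, PPTP_DATA, PLAIN_GRE, ODD_VER]))
```

Running it over GRE payloads captured on the WAN side and on the LAN side of the router shows on which side headers with a version other than 0 or 1 first appear.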