Comments on: Cablecom hispeed business blocks GRE packets

By: Lukas Beeler

Lukas Beeler — Wed, 20 Aug 2008 06:27:22 +0000

mousseman,

You can run hping2 -0 -H 47 -d 10 194.88.212.200. You should receive ICMP Packets from 194.88.212.200 “proto unreach”.

However, it is most likely that you will get the same host unreach message as i got, from one of your Cablecom devices. Tell that to support, and the issue should get resolved rather quickly

By: mousseman

mousseman — Tue, 19 Aug 2008 23:20:30 +0000

Update: PPTP VPNs don’t work into any direction anymore. According to a non-Citrix-User (i.e. client-2-site VPN user), it stopped working about three monthes ago.

First, he blamed it onto his UMTS connectivity in Germany (the cell providers have some really funky routing), but then I went down to a ‘known good’ ADSL connection, and it still didn’t work.

However, if I use the WAN subnet with routable IPs, attached to a switch, where the WAN port of the PIX and the Cisco 2600 is attached, it works. Obviously because it doesn’t pass through the 2600.

The NAT question is moot since the VPN endpoint is the PIX WAN interface, and it’s IP is routable (some 77.200.*).

By: Lukas Beeler

Lukas Beeler — Tue, 19 Aug 2008 20:46:35 +0000

Hi,

Hmm, it looks like you are experiencing a different problem than i did.

PPTP always needs in- and outbound GRE packets to work. No matter if they’re incoming or outgoing connections. In my case, ALL outgoing GRE packets were blocked (no matter if they originated from a client or a server).

Are your clients that try using PPTP behind NAT? If so, the problem is most probably your NAT device.

By: mousseman

mousseman — Mon, 18 Aug 2008 06:55:29 +0000

We have NexComm NBG400 CPE, plus a Cisco 2600. Now I heavily suspect the NexComm isn’t the culprit, so this leaves the Cisco 2600. Same symptoms down here:

- inbound GRE seems to work, as PPTP VPNs work
- PPTP conection to a customer VPN doesn’t work
- Cisco IPsec workds dandy

If I can petition CC to give me access to the 2600, I’d know withhin minutes.

By: Lukas Beeler

Lukas Beeler — Sun, 17 Aug 2008 11:03:01 +0000

Hi,

We have an Alcatel CPE, access technology is ADSL2+.

Do you have a Cisco CPE or are using some other access technology?

If other CPEs didn’t have the same behaviour, it would be a pretty clear cut case of human error (though i’d wonder how you make such a mistake). But if other CPE also blocks GRE, then there must be some reason behind it.

By: mousseman

mousseman — Sun, 17 Aug 2008 10:37:31 +0000

Hmmmm….so I’m not the only one who noticed this? How surprising.

I had the same splendid idea one day to use PPTP as we have lots of people with Windows XP and setting up PPTP is the most painless way to connect to our network, seen from the client side.

The inbound site is on a cablecom business network, with an IP rather close to yours, and our firewall is from Cisco. And I know for sure that a Cisco PIX does not block GRE by itself (and it’s left to the really enterprising readers to devise an ACL to do so).

Does your connection use Cisco CPE, or some other brand?