Kerio User Forums » Kerio Control » Winroute Telnet Session
Northstar
Messages: 10
Karma: 0
I'm having problems getting a telnet session to connect thru Winroute. The VPN client connects and I can access the machines on the remote network. The log seems to indicate a Packet Drop, dropped by the traffic rules. Can anyone see a problem with the Rules or give any suggestions on what to try?

Attached is a copy of the Traffic Rules
Winroute Ver. 6.6.0 Build 5729

Internet NIC card IP 192.168.2.11

Taken from Debug log.
[05/Jun/2009 08:30:40] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
[05/Jun/2009 08:30:57] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:TCP, len:64, ip/port:70.51.20.247:65171 -> 192.168.2.11:135, flags: SYN , seq:679993181 ack:0, win:2304, tcplen:0)
[05/Jun/2009 08:31:40] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)

Attachment: tr1.jpg (Size: 91.21KB, Downloaded 771 times)
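As an added example (not code from the thread or from Kerio), a small Python parser for the WinRoute `{pktdrop}` debug-log lines quoted above; it separates the recurring noise (IGMP to 224.0.0.1, Internet SYNs to port 135) from the one flow under investigation. The regex is derived only from the two line shapes shown in this thread, and the sample input is copied from the posts.

```python
import re
from collections import Counter

# Constructed sample: the {pktdrop} lines quoted in this thread.
SAMPLE_LOG = """\
[05/Jun/2009 08:30:40] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
[05/Jun/2009 08:30:57] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:TCP, len:64, ip/port:70.51.20.247:65171 -> 192.168.2.11:135, flags: SYN , seq:679993181 ack:0, win:2304, tcplen:0)
[05/Jun/2009 12:15:57] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
[05/Jun/2009 12:16:00] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
"""

# One pattern for both shapes seen in the thread: TCP lines carry "ip/port:"
# with ports and TCP flags; other protocols (IGMP, proto:2) carry a bare "ip:".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \{pktdrop\} packet dropped: (?P<reason>.+?) "
    r"\(from (?P<iface>.+?), proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"(?:ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"|ip:(?P<src2>[\d.]+) -> (?P<dst2>[\d.]+))"
    r"(?:, flags: (?P<flags>[A-Z ]+?) ,)?.*\)$"
)

def parse_pktdrop(line):
    """Return a dict for one {pktdrop} line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "reason": d["reason"], "iface": d["iface"],
        "proto": d["proto"], "len": int(d["len"]),
        "src": d["src"] or d["src2"], "dst": d["dst"] or d["dst2"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "flags": (d["flags"] or "").strip() or None,
    }

def summarize(text):
    """Count drops per (reason, interface, src, dst, dport). Grouping this way
    pushes the multicast and port-135 background to the bottom and leaves the
    repeated VPN client -> 192.168.1.30:23 drop standing out on its own."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pktdrop(line)
        if rec:
            counts[(rec["reason"], rec["iface"], rec["src"], rec["dst"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```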
mwalky
Messages: 13
Karma: 0
Northstar,

If you are not using Kerio VPN Server, you should rewrite the rule for telnet in such a way:
Source=Internet NIC, Destination=Firewall, Service=Telnet, Action=Permit, Translation=MAP:<your local telnet server>
For VPN clients you already have the "Local traffic" rule.
Also check that no local telnet server exists (however, I don't know if it matters), and turn on logging of dropped packets. Then look at filter.log.
Hope this helps.

[Updated on: Fri, 05 June 2009 17:13]

Northstar
Messages: 10
Karma: 0
No difference. I have noticed that I can't ping the telnet server (192.168.1.30), but I can ping all the other local network machines. The local machines can ping and telnet to the server (192.168.1.30).

Debug log
[05/Jun/2009 12:15:57] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
[05/Jun/2009 12:16:00] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
[05/Jun/2009 12:16:40] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
[05/Jun/2009 12:17:41] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
[05/Jun/2009 12:18:41] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
[05/Jun/2009 12:18:56] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:TCP, len:64, ip/port:74.15.121.121:21782 -> 192.168.2.11:135, flags: SYN , seq:3912224911 ack:0, win:2304, tcplen:0)
[05/Jun/2009 12:19:41] {pktdrop} packet dropped: filtered and dropped by traffic rules (from Internet connection, proto:2, len:28, ip:192.168.2.1 -> 224.0.0.1, plen:8)
Northstar
Messages: 10
Karma: 0
The internet connection goes thru a Bell Efficient Networks modem/router with the following port forwarding:
Telnet(23) tcp 192.168.2.11
VPN(4090) tcp&udp 192.168.2.11
Kerio Admin(44333) tcp&udp 192.168.2.11

What other ports are necessary?

Debug log
[05/Jun/2009 12:15:57] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
mwalky
Messages: 13
Karma: 0
Northstar,

Could you provide the whole picture of how you are connecting the networks? What is the address of the other NIC in your Kerio Firewall?
Also, which interface groups (Trusted Local/Internet/Other) do the NICs belong to?
I guess the "Local traffic" rule is not working in your case. As you can see, this rule permits all services for routed networks, so there is no need for NAT or additional rules.
Hope this helps.

[Updated on: Fri, 05 June 2009 19:45]

Northstar
Messages: 10
Karma: 0
Attached is a snap of the Interfaces.

Attachment: int.jpg (Size: 64.85KB, Downloaded 783 times)
mwalky
Messages: 13
Karma: 0
I think the interfaces belong to the right groups and the common conditions for routing between the VPN client and the local network 192.168.1.* are met. From debug.log:
Northstar wrote on Fri, 05 June 2009 18:32

No difference. I have noticed that I can't ping the telnet server (192.168.1.30) but I can ping all the other local network machines. The local machines can ping and telnet the server (192.168.1.30)
Debug log
[05/Jun/2009 12:15:57] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
[05/Jun/2009 12:16:00] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from VPN client Admin, proto:TCP, len:52, ip/port:172.26.203.2:65521 -> 192.168.1.30:23, flags: SYN , seq:2891969900 ack:0, win:8192, tcplen:0)
//skipped meaningless

It is very confusing why the Kerio firewall drops packets from 172.26.203.2 (your VPN address) to 192.168.1.30. I have never seen such debug.log entries before. I prefer filter.log. Just guessing: maybe you are working from the 192.168.2.* network and your default gateway is the Kerio firewall's second NIC? Or you have a pre-established route to 192.168.1.*, or the VPN client can't build the routing table right. Anyway, please show the result of the "route print" command before and after connection on your client machine. You should erase real IP addresses, if any.
Btw, set a custom route for VPN clients in your VPN Server, e.g. 192.168.1.0/255.255.255.0

[Updated on: Fri, 05 June 2009 21:09]

Northstar
Messages: 10
Karma: 0
Here are route prints from the vpn client before and after connection.

Not sure what you meant by: "Btw, set a custom route for VPN clients in your VPN Server, e.g. 192.168.1.0/255.255.255.0"
Could you explain that.

Before VPN client Connect

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 d4 20 6b 49 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
0x10004 ...44 45 53 54 4e f0 ...... Kerio VPN adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
16#.##.0.0 255.255.0.0 192.168.10.100 192.168.10.100 20
16#.##.36.0 255.255.255.0 16#.##.36.231 16#.##.36.231 20
16#.##.36.231 255.255.255.255 127.0.0.1 127.0.0.1 20
16#.##.255.255 255.255.255.255 16#.##.36.231 16#.##.36.231 20
192.168.10.0 255.255.255.0 192.168.10.100 192.168.10.100 20
192.168.10.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.100 192.168.10.100 20
224.0.0.0 240.0.0.0 16#.##.36.231 16#.##.36.231 20
224.0.0.0 240.0.0.0 192.168.10.100 192.168.10.100 20
255.255.255.255 255.255.255.255 16#.##.36.231 16#.##.36.231 1
255.255.255.255 255.255.255.255 192.168.10.100 192.168.10.100 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None


After VPN Connection is established.


===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 d4 20 6b 49 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
0x10004 ...44 45 53 54 4e f0 ...... Kerio VPN adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.100 20
74.###.163.49 255.255.255.255 192.168.10.1 192.168.10.100 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
16#.##.0.0 255.255.0.0 192.168.10.100 192.168.10.100 20
16#.##.36.0 255.255.255.0 16#.##.36.231 16#.##.36.231 20
16#.##.36.231 255.255.255.255 127.0.0.1 127.0.0.1 20
16#.##.255.255 255.255.255.255 16#.##.36.231 16#.##.36.231 20
172.26.203.0 255.255.255.0 172.26.203.2 16#.##.36.231 20
172.26.203.2 255.255.255.255 127.0.0.1 127.0.0.1 20
172.26.255.255 255.255.255.255 16#.##.36.231 16#.##.36.231 20
192.168.1.0 255.255.255.0 172.26.203.1 16#.##.36.231 1
192.168.10.0 255.255.255.0 192.168.10.100 192.168.10.100 20
192.168.10.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.100 192.168.10.100 20
224.0.0.0 240.0.0.0 16#.##.36.231 16#.##.36.231 20
224.0.0.0 240.0.0.0 192.168.10.100 192.168.10.100 20
255.255.255.255 255.255.255.255 16#.##.36.231 16#.##.36.231 1
255.255.255.255 255.255.255.255 192.168.10.100 192.168.10.100 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None
mwalky
Messages: 13
Karma: 0
It looks like the routes are OK. After connection the VPN Server gives your client a route to 192.168.1.*, and there are no double routes to the same network.
Quote:

Not sure what you meant by: "Btw, set a custom route for VPN clients in your VPN Server, e.g. 192.168.1.0/255.255.255.0"
Could you explain that.

In the Kerio VPN Server properties (Interfaces in the console), tab Advanced, Custom routes, you can explicitly set which routes your VPN client will receive after a successful connection to the VPN Server. By default, if no routes are set, the VPN Server gives the client all routes it knows itself. However, everything is OK here.
Maybe switching off the protocol inspector for Local traffic helps.
Sorry, I didn't use KWF 6.6.0 myself.
Anyway, wait for the Kerio support staff's response.
Northstar
Messages: 10
Karma: 0
I'm thinking a reinstall may be in order.

Thanks for the help.

[Updated on: Mon, 08 June 2009 03:16]

Jan Jezek (Kerio)
Messages: 103
Karma: 0
Northstar wrote on Fri, 05 June 2009 18:32

No difference. I have noticed that I can't ping the telnet server (192.168.1.30) but I can ping all the other local network machines. The local machines can ping and telnet the server (192.168.1.30)

From this I would guess that the telnet server's default route does not point to the winroute machine. That could be resolved in 3 ways:

1. either change the default route on the telnet server

2. or add a route on the telnet server so 172.26.203.0/255.255.255.0 goes through winroute

3. or add a policy rule in winroute: src=vpn clients, dst=ip of the telnet server, service telnet, enable source NAT with default settings

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
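An added illustration of this diagnosis (not from the thread or from Kerio): a longest-prefix-match model of the telnet server's routing table showing why its SYN-ACK never returns through winroute, and how each of the three options restores a symmetric path. The winroute LAN address 192.168.1.254 and the other gateway 192.168.1.1 are assumed placeholders; the thread does not give them.

```python
import ipaddress

# Addresses taken from the thread: the VPN client and the telnet server.
VPN_CLIENT = "172.26.203.2"
TELNET_SERVER = "192.168.1.30"
# Assumed (not in the thread): winroute's LAN-side address, and the other
# router that the telnet server currently uses as its default gateway.
WINROUTE_LAN = "192.168.1.254"
OTHER_GW = "192.168.1.1"

def next_hop(table, dst):
    """Longest-prefix match over (network, gateway) entries. A gateway of
    None means on-link, so the next hop is the destination itself."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return str(dst) if best[1] is None else best[1]

def reply_path_ok(server_table, snat=False):
    """Does the telnet server's SYN-ACK go back through winroute?
    The SYN from the VPN client always arrives via winroute. With source NAT
    (option 3) the server sees winroute's LAN address as the client, so the
    reply is on-link to winroute regardless of the server's default route."""
    reply_dst = WINROUTE_LAN if snat else VPN_CLIENT
    return next_hop(server_table, reply_dst) == WINROUTE_LAN

# Telnet server routing tables for the broken state and the three options.
BROKEN = [("192.168.1.0/24", None), ("0.0.0.0/0", OTHER_GW)]
OPTION1_DEFAULT_VIA_WINROUTE = [("192.168.1.0/24", None), ("0.0.0.0/0", WINROUTE_LAN)]
OPTION2_VPN_ROUTE_ADDED = BROKEN + [("172.26.203.0/24", WINROUTE_LAN)]

if __name__ == "__main__":
    print("broken :", reply_path_ok(BROKEN), "reply goes to", next_hop(BROKEN, VPN_CLIENT))
    print("option1:", reply_path_ok(OPTION1_DEFAULT_VIA_WINROUTE))
    print("option2:", reply_path_ok(OPTION2_VPN_ROUTE_ADDED))
    print("option3:", reply_path_ok(BROKEN, snat=True))
```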
Northstar
Messages: 10
Karma: 0
I used option #3 and it works.

Thanks for all the help.