CIS 5.10.228.257.2253 - allow PPTP VPN

Hi,

I am using CIS 5.10.228.257.2253 and having problems allowing PPTP VPN access.
I have enabled svchost.exe on destination port 1723 in Firewall - Network Security Policy - Application Rules; screenshot follows.

Also I have a Global Rule on destination port 1723; screenshot follows.

But that did not help. When I disable the firewall, the PPTP VPN connection is possible; with the firewall on it is not.

What should I do next?

[attachment deleted by admin]

Hi,

The default rules (in my situation) were enough to allow PPTP VPN (Win7 64bit).

svchost.exe is part of the system and, by default, is allowed.

Can you change the block rule in Global Rules to block and log? That might give some extra information on what is going on. Can you please post a screenshot of the Firewall Events after changing this setting and trying to enable the PPTP VPN connection.

Also make sure to disable Block Fragmented IP datagrams to see if that plays a role here.

I changed the block rule in Global Rules to block and log. As expected, everything is blocked, even my PPTP VPN connection that is going to destination IP 192.168.1.100, port 1723.

2012-12-14 10:41:06 Windows Operating System Blocked In TCP 79.101.149.67 29272 192.168.1.100 1723
2012-12-14 10:41:32 Windows Operating System Blocked In TCP 79.101.149.67 29285 192.168.1.100 1723
2012-12-14 10:41:35 Windows Operating System Blocked In TCP 79.101.149.67 29285 192.168.1.100 1723

Complete log in attachment.

Block Fragmented IP datagrams is already disabled.

What to do next, except disabling the firewall and reinstalling CIS?

[attachment deleted by admin]

Thank you for the provided information. I checked the firewall log and noticed that DNS traffic (outgoing on UDP 53) gets blocked.

The logs tell that Windows Operating System (WOS) blocked this traffic. That means that CIS cannot see the source of this traffic. This is usually caused by a driver “blocking the view”.

As for the solution. Make a rule for WOS to allow outgoing traffic from any address on any port to UDP 53 on any address. See if that brings a solution or not. If that does not help add the same rule to the rule for svchost.exe.

When the problems are not solved please post another Firewall log file.

I just tried to connect using PPTP and I can't connect; I can't tell why.
It works fine with OpenVPN or L2TP.
The firewall is asking me to allow the server IP on port 1723, then on port 47 (GRE), then I got an error message: unable to open the port. ???

"I checked the firewall log and noticed that DNS traffic (outgoing on UDP 53) gets blocked."

Yes, it is blocked, but only when the Global Block Rule is on; normally it is not.
Anyway, I created the WOS rule as you suggested; nothing changed. I also tried the same thing with svchost.exe; it isn't working.

I saw something interesting in the firewall log. When I tried, several times, to establish the PPTP VPN connection, the firewall log says the following:

2012-12-15 11:32:13 System Allowed In TCP 79.101.149.67 27975 192.168.1.100 1723
2012-12-15 11:33:51 System Allowed In TCP 79.101.149.67 27980 192.168.1.100 1723
2012-12-15 11:35:29 System Allowed In TCP 79.101.149.67 27984 192.168.1.100 1723
2012-12-15 11:36:51 System Allowed In TCP 79.101.149.67 27992 192.168.1.100 1723
2012-12-15 11:39:11 System Allowed In TCP 79.101.149.67 28002 192.168.1.100 1723

That means that port 1723 is allowed, and nothing is stopping the PPTP VPN connection from being established, right?

I also tried to change TCP to TCP/UDP in this Global Rule, but it doesn't make any difference.

Give me some other ideas.

Can I export CIS settings from another computer that is allowing PPTP VPN connections, and import them into this problematic one?
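The two firewall event excerpts quoted in this thread share one line layout, so they can be checked mechanically. The script below is an added example, not from the thread or from Comodo: it parses lines in that layout and answers the two questions raised so far, whether an inbound TCP/1723 connection was allowed for the System process, and which blocks are attributed to "Windows Operating System" (the entries the earlier reply explains as traffic whose owning process CIS could not see). The sample log mixes lines copied from the thread with one constructed UDP/53 line.

```python
"""Summarise CIS firewall event log lines of the kind quoted in this thread.

Line layout, as shown in the thread:
  <date> <time> <application> <Allowed|Blocked> <In|Out> <proto> <src> <sport> <dst> <dport>
The application name may contain spaces ("Windows Operating System"), so the
fixed-format fields are matched from the right.
"""
import re
from collections import Counter

# Constructed sample: first two lines copied from the thread, third line made up
# to show an unattributed outbound DNS block (destination address is constructed).
SAMPLE_LOG = """\
2012-12-14 10:41:06 Windows Operating System Blocked In TCP 79.101.149.67 29272 192.168.1.100 1723
2012-12-15 11:32:13 System Allowed In TCP 79.101.149.67 27975 192.168.1.100 1723
2012-12-15 11:32:14 Windows Operating System Blocked Out UDP 192.168.1.100 51023 192.168.1.1 53
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<app>.+?) (?P<action>Allowed|Blocked) "
    r"(?P<direction>In|Out) (?P<proto>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def summarize(events):
    """Count events by (application, action, direction, protocol, destination port)."""
    return Counter((e["app"], e["action"], e["direction"], e["proto"], e["dport"]) for e in events)


def pptp_control_allowed(events):
    """True if an inbound TCP/1723 (PPTP control channel) connection was allowed for System."""
    return any(e["app"] == "System" and e["action"] == "Allowed" and e["direction"] == "In"
               and e["proto"] == "TCP" and e["dport"] == 1723 for e in events)


def unattributed_blocks(events):
    """Blocks logged against 'Windows Operating System', i.e. no owning process was identified."""
    return [e for e in events if e["app"] == "Windows Operating System" and e["action"] == "Blocked"]
```

An allowed TCP/1723 entry only shows the control channel got through; GRE (IP protocol 47) carries the tunnel itself and is not a TCP/UDP port, so it will not appear among these port-based lines.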

Please try updating to 5.12:

On what OS is the problem happening with you?

Exporting a configuration to another computer cannot be done easily. Of course the OS needs to be the same and programs need to be installed in the same place.

However there is more to it. All rules as they are stored in the registry or exported to a cfgx file will have a User ID (UID) string that you will have to edit before importing a configuration in another computer.

OS is XP Pro SP2

I have one question regarding Firewall Training Mode.
If I enable this mode, the firewall should ask me what to do with every action, right, or not?
In my case, the firewall doesn't ask anything.
Is that normal?

In training mode it won’t ask anything. It will learn all the rules for applications active without alerting the user.

Only use training mode for short periods of time because it will make rules for everything. Only run training mode when you know your system is clean.

Do you have more ideas what to do with my problem?

I am still waiting for your further suggestions.

You don't appear to have an outbound rule for your PPTP connection or a rule for GRE. Also, are you using L2TP/IPSec for encryption/authentication?

What do you mean by an outbound rule or a GRE rule?
That computer receives the PPTP connection, so probably you meant an inbound rule, which I have; see screenshots.
I am not using L2TP/IPSec, just plain PPTP.

For a VPN under Windows, you’ll need to create main VPN rules for the ‘System’ process not svchost. At the very least you’ll need an inbound rule for PPTP:

Application Name - System
Action - allow
Protocol - TCP
Direction - In
Source Address - Whatever is appropriate
Destination Address - ANY or the MAC address of the host
Source Port - ANY or you could use a range and specify dynamic ports (49152 - 65535)
Destination Port - 1723

And an outbound rule for GRE

Application Name - System
Action - allow
Protocol - IP
Direction - Out
Source Address - ANY or the MAC address of the host
Destination Address - Whatever is appropriate
IP Details - Protocol 47 (GRE)

In addition, you may need rules for NetBIOS, Network Discovery and any media needs.

I tried to create an inbound rule for System, like you said, but I get a message that the rule already exists; same message for the outbound rule for GRE.
I also moved the rule for System to the top.
But I don't see those rules in settings; screenshot is attached.
What should I change next, something to delete and make new rules, or what?

[attachment deleted by admin]

I’d remove the rules you have for the ‘System’ process and use the basic rules in the image below. Remember, you’ll also need to make sure you’re not blocking inbound TCP connections to port 1723. One other thing, if you’re using the DHCP function of the VPN server, make sure svchost has appropriate rules.

[attachment deleted by admin]

I removed the rules for System, as you said, and added rule 1 from your attached image.
But I can not add the second rule from your image; I get a message that the Rule Already Exists, but there is no rule like that.
I tried to add the second rule to Global Rules, but it didn't help; I can not connect.
How do I add the second rule to App Rules?

There are two individual rules, but both are applied to only one instance of the System process. If you try to add a rule for a separate instance of a process you will get the message you're seeing. Just right click on the entry for System, select Edit and add your rules.

[attachment deleted by admin]