Hello,

I have installed OpenBSD 4.7 and configured PF as a firewall and NAT.
Currently the NAT and firewall are working, but I'm struggling trying to
get the Microsoft VPN (PPTP) to pass through the firewall.
Here is my pf.conf and the logs:
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = "em0"
int_if = "em1"
wan_ip = "1.1.1.1"
vpn = "192.168.1.10"
localnet = $int_if:network

tcp_services = "{ ssh, smtp, domain, www, https, pop3, auth, pop3s }"
auth_services = "{ www, https, ssh }"
udp_services = "{ domain, ntp }"

# dont filter on the loopback
set skip on lo

# scrub incoming packets
match in all scrub (no-df)

# nat
match out on $ext_if from $localnet nat-to ($ext_if)


# Rule set
## Block by default
block log all

## pass our nat traffic
pass log inet proto tcp from { lo0, $int_if:network } to any port $auth_services
pass out log on $ext_if proto tcp from any to port $auth_services
pass out log on $ext_if proto udp from any to port $udp_services

pass in log on $int_if proto udp from any to port $udp_services
pass in log on $int_if proto tcp from any to any port 22


## Microsoft VPN
pass in log on $ext_if proto tcp from any to any port 1723 \
   rdr-to $vpn
pass in log on $ext_if proto udp from any to any port 500 \
   rdr-to $vpn

pass in log on $ext_if inet proto tcp from any to any port 443 keep state
pass in log on $ext_if proto gre from any to any keep state
pass in log on $int_if inet proto tcp from any to any port = 1723 flags S/SA keep state

pass out log inet proto gre all keep state
pass out log on $int_if proto tcp from any to $vpn port 1723
pass out log on $int_if proto udp from any to $vpn port 500


### tcpdump -nettt -i pflog0
# 120.120.120.120 = client ip address
# 1.1.1.1 = vpn external ip address
# 192.168.1.10 = vpn server address


Jun 01 20:57:54.513340 rule 17/(match) pass in on em0: 120.120.120.120.61852
> 1.1.1.1.1723: S 2646936410:2646936410(0) win 8192 <mss 1452,nop,wscale
2,nop,nop,sackOK> (DF)
Jun 01 20:57:54.513366 rule 19/(match) pass out on em1:
120.120.120.120.61852 > 192.168.1.10.1723: S 2646936410:2646936410(0) win
8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
Jun 01 20:58:15.829754 rule 18/(match) pass in on em0: 120.120.120.120.500 >
1.1.1.1.500: isakmp v2.0 exchange 34 (unknown)
        cookie: 2b8d652f987a85e7->0000000000000000 msgid: 00000000 [|isakmp]
Jun 01 20:58:15.829779 rule 20/(match) pass out on em1: 120.120.120.120.500
> 192.168.1.10.500: isakmp v2.0 exchange 34 (unknown)
        cookie: 2b8d652f987a85e7->0000000000000000 msgid: 00000000 [|isakmp]
Jun 01 20:58:23.000449 rule 22/(match) pass in on em0: 120.120.120.120.61859
> 1.1.1.1.443: S 2167692171:2167692171(0) win 8192 <mss 1452,nop,wscale
2,nop,nop,sackOK> (DF)
Jun 01 20:58:23.569367 rule 22/(match) pass in on em0: 120.120.120.120.61860
> 1.1.1.1.443: S 2167692171:2167692171(0) win 8192 <mss 1452,nop,wscale
2,nop,nop,sackOK> (DF)
Jun 01 20:58:24.144319 rule 22/(match) pass in on em0: 120.120.120.120.61861
> 1.1.1.1.443: S 2167692171:2167692171(0) win 8192 <mss 1452,nop,nop,sackOK>
(DF)

But the client still fails to authenticate.

The Microsoft VPN is a Windows 2003 Server.

Googling the subject, I've seen very old posts stating that I need to remove
GRE from the kernel. Is this still the case? Or am I just missing something
in my rule set?

Currently GRE is enabled:
# sysctl -w | grep gre
net.inet.gre.allow=1
net.inet.gre.wccp=1

Thanks in advance for the help
