Issue #3107

FTP file transfer is not working in active mode when VPN connection is established to a Linux machine

Added by Sowmya Pola 5 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.8.0
Resolution:

Description

Hi Team,

When I establish a VPN connection (IKEv2) from a Windows to a Linux machine,
file transfer from Linux to Windows using FTP in active mode fails.
The same works when the file transfer is made in passive mode.

Can you please let me know whether, when a VPN connection (IKEv2) is made, it affects active mode transfers?

Thanks & Regards,
Sowmya.

History

#1 Updated by Tobias Brunner 5 months ago

  • Status changed from New to Feedback

Does active mode work without VPN? It could just be a firewall issue.

#2 Updated by Sowmya Pola 5 months ago

Tobias Brunner wrote:

Does active mode work without VPN? It could just be a firewall issue.

-- Yes, it is working without VPN. We have checked firewall settings as well but no luck.

#3 Updated by Nunziante Gaito 4 months ago

Sowmya Pola wrote:

Tobias Brunner wrote:

Does active mode work without VPN? It could just be a firewall issue.

-- Yes, it is working without VPN. We have checked firewall settings as well but no luck.

Hi Tobias
could you suggest some firewall setting to use in our scenario?

thanks
Nunzio

#4 Updated by Tobias Brunner 4 months ago

could you suggest some firewall setting to use in our scenario?

No

#5 Updated by Nunziante Gaito 4 months ago

Tobias Brunner wrote:

could you suggest some firewall setting to use in our scenario?

No

Hi Tobias
please, we need your help to understand this problem.
Could you suggest something to solve this issue?

Regards
Nunzio

#6 Updated by Tobias Brunner 4 months ago

could you suggest something to solve this issue?

If it's not the firewall, it may be the FTP client that sends the wrong IP address in the PORT command (i.e. not the virtual IP but the physical private IP of the client, which is not reachable by the FTP server).

#7 Updated by Nunziante Gaito 4 months ago

Tobias Brunner wrote:

could you suggest something to solve this issue?

If it's not the firewall, it may be the FTP client that sends the wrong IP address in the PORT command (i.e. not the virtual IP but the physical private IP of the client, which is not reachable by the FTP server).

ok, how can we solve this issue?
we are using this configuration on the Linux VPN server:

conn ConnWin
    type=tunnel
    esp=aes256-sha512-modp4096-noesn
    lifetime=1h
    ikelifetime=1h
    keyexchange=ikev2
    leftcert=ConnWincert
    leftid="CN=141.137.32.46,O=strongSwan,C=IN"
    rightid="C=IN,O=strongSwan,CN=141.137.47.230"
    left=141.137.32.46
    ike=aes256-sha512-modp4096
    rightsourceip=141.137.47.230/16
    auto=add

/nunzio

#8 Updated by Nunziante Gaito 4 months ago

Nunziante Gaito wrote:

Tobias Brunner wrote:

could you suggest something to solve this issue?

If it's not the firewall, it may be the FTP client that sends the wrong IP address in the PORT command (i.e. not the virtual IP but the physical private IP of the client, which is not reachable by the FTP server).

ok, how can we solve this issue?
we are using this configuration on the Linux VPN server:

conn ConnWin
    type=tunnel
    esp=aes256-sha512-modp4096-noesn
    lifetime=1h
    ikelifetime=1h
    keyexchange=ikev2
    leftcert=ConnWincert
    leftid="CN=141.137.32.46,O=strongSwan,C=IN"
    rightid="C=IN,O=strongSwan,CN=141.137.47.230"
    left=141.137.32.46
    ike=aes256-sha512-modp4096
    rightsourceip=141.137.47.230/16
    auto=add

/nunzio

Hi Tobias
do you have any suggestion?

/Nunzio

#9 Updated by Noel Kuntze 4 months ago

Nunzio, it is likely as Tobias stated (that the FTP client sends the wrong IP in the PORT command). To confirm or falsify the thesis, you'd need to capture traffic and check what the client and server exchange and where the packets go the server sends for the data transfer. Everything else is just speculation and doesn't help you.

EDIT: Actually, thinking of it, you better check if the Windows firewall permits the data connection from the server to the client or switch to passive mode so you only have to deal with configuring the FTP server correctly and not every client.

#10 Updated by Nunziante Gaito 4 months ago

Noel Kuntze wrote:

Nunzio, it is likely as Tobias stated (that the FTP client sends the wrong IP in the PORT command). To confirm or falsify the thesis, you'd need to capture traffic and check what the client and server exchange and where the packets go the server sends for the data transfer. Everything else is just speculation and doesn't help you.

EDIT: Actually, thinking of it, you better check if the Windows firewall permits the data connection from the server to the client or switch to passive mode so you only have to deal with configuring the FTP server correctly and not every client.

Hi Noel and Tobias

we have solved this issue in two ways:
1. switching FTP to passive mode, but it was not applicable to our application
2. setting leftsubnet=0.0.0.0/0

I've seen that a similar issue was reported at the link:
https://wiki.strongswan.org/issues/467

could you give us any reason why this leftsubnet setting solves the FTP issue in active mode?

thanks
Nunzio

#11 Updated by Noel Kuntze 4 months ago

Hello Nunzio,

we have solved this issue in two ways:
1. switching FTP to passive mode, but it was not applicable to our application

How did that solve or change anything if the proposed change (see previous comments on this ticket) was not applicable to your application?

2. setting leftsubnet=0.0.0.0/0.

Well, if you didn't set leftsubnet before and the IP address of the FTP server is not the one of the VPN server, then the traffic was never allowed to go through the VPN server in the first place. Using leftsubnet=0.0.0.0/0 allowed the traffic to pass. I assume the FTP connection between the FTP client and FTP server did not go through the VPN first but the PORT command gave out a private IP address that could only be reached through a VPN. When you allowed the traffic through, the connection could be established.

That's speculation though, because you gave us no traffic dumps or similar to back that theory up.
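
The two checks Noel describes in #9 and #11, as an added diagnostic that is not part of this issue thread or of the strongSwan project: it decodes the FTP PORT commands from a captured control channel and reports whether the client advertises its VPN virtual IP or some other address, and it computes whether the FTP server's address is covered by the conn's left traffic selector (leftsubnet, or the left host itself when leftsubnet is omitted), which is what decides whether the server-initiated data connection is routed into the tunnel at all. The control-channel lines, the trimmed conn section and the client's virtual IP (141.137.47.230) are constructed for the example; the rightsourceip pool and left address are taken from the configuration posted in #7.

```python
"""Diagnostic for active-mode FTP through an IPsec tunnel (added example)."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the conn from comment #7, with the
# indentation ipsec.conf requires for the settings under "conn".
IPSEC_CONF = """\
conn ConnWin
    type=tunnel
    keyexchange=ikev2
    left=141.137.32.46
    rightsourceip=141.137.47.230/16
    auto=add
"""

# Constructed FTP control-channel lines as the client would send them.
CONTROL_LOG = [
    "USER demo",
    "PORT 141,137,47,230,19,137",  # assumed virtual IP of the client, port 5001
    "RETR report.txt",
    "PORT 192,168,1,25,19,138",    # a physical LAN address, port 5002
    "RETR other.txt",
]

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_conn(text):
    """Return the key=value settings of a single ipsec.conf conn section as a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


CONN = parse_conn(IPSEC_CONF)


def left_traffic_selector(conn):
    """leftsubnet if set; with it omitted, ipsec.conf uses the left host alone."""
    subnet = conn.get("leftsubnet") or conn["left"] + "/32"
    return ipaddress.IPv4Network(subnet, strict=False)


def parse_port(line):
    """Decode a PORT line into (IPv4Address, port); None for any other command."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PORT command: %r" % line)
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_port(line, virtual_ip, conn):
    """Classify the address a PORT command advertises against the VPN pool."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    pool = ipaddress.IPv4Network(conn["rightsourceip"], strict=False)
    if ip == ipaddress.IPv4Address(virtual_ip):
        verdict = "ok: client advertises its tunnel virtual IP"
    elif ip in pool:
        verdict = "suspicious: address is in the pool but is not this client's virtual IP"
    else:
        verdict = "problem: address is outside the VPN pool and unreachable through the tunnel"
    return {"ip": str(ip), "port": port, "verdict": verdict}


def data_connection_in_tunnel(server_ip, conn):
    """True if the FTP server's address lies inside the left traffic selector."""
    return ipaddress.IPv4Address(server_ip) in left_traffic_selector(conn)


def diagnose(log_lines, virtual_ip, conn, ftp_server_ip):
    """Run both checks over a control-channel capture."""
    findings = [r for r in (check_port(l, virtual_ip, conn) for l in log_lines) if r]
    return {
        "port_commands": findings,
        "server_in_left_selector": data_connection_in_tunnel(ftp_server_ip, conn),
        "left_selector": str(left_traffic_selector(conn)),
    }


if __name__ == "__main__":
    report = diagnose(CONTROL_LOG, "141.137.47.230", CONN, "141.137.32.50")
    for finding in report["port_commands"]:
        print(finding)
    print("left selector:", report["left_selector"],
          "covers FTP server:", report["server_in_left_selector"])
```

With the conn as posted (no leftsubnet) the left selector is 141.137.32.46/32, so only traffic to the gateway itself enters the tunnel; an FTP server on any other host is reported as uncovered, and adding leftsubnet=0.0.0.0/0 to the conn text makes every server address covered, which is the effect Noel describes. The second PORT line in the sample is flagged because 192.168.1.25 is not in the 141.137.0.0/16 pool, which is the symptom Tobias suspects in #6.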
