[ale] VPN connections through firewall

Wandered Inn esoteric at denali.atlnet.com
Thu Mar 1 20:45:53 EST 2001


Gary S MacKay wrote:
> 
> Don't know if I've seen the exact doc you mention, but yes, I've
> searched/read everything I can find. I've added ipchains accept and masq
> rules to my firewall script but still no luck. I did not custom compile
> the kernel yet, as I was going on the understanding that RedHat had
> included the patch(s) already. I'm just using the stock 7.0 kernel that
> was installed by default.

Check out the following URL:

http://linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.4

Here's the actual ipchains they use, but you really want to read this
doc.

# Set the default policy to DENY:
ipchains -P input   DENY
ipchains -P output  DENY
ipchains -P forward DENY
# Allow local-network traffic
ipchains -A input  -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0  -i eth0
ipchains -A output -j ACCEPT -s 0.0.0.0/0  -d 10.0.0.0/8 -i eth0
# Masquerade only VPN traffic between the VPN client and the VPN server
# PPTP
ipchains -A forward -j MASQ   -p tcp -s 10.0.0.2/32 -d 199.0.0.1/32 1723 -i ppp0
ipchains -A output  -j ACCEPT -p tcp -s 200.200.200.0/24 -d 199.0.0.1/32 1723 -i ppp0
ipchains -A input   -j ACCEPT -p tcp -s 199.0.0.1/32 1723 -d 200.200.200.0/24 -i ppp0
ipchains -A forward -j MASQ   -p 47  -s 10.0.0.2/32 -d 199.0.0.1/32 -i ppp0
ipchains -A output  -j ACCEPT -p 47  -s 200.200.200.0/24 -d 199.0.0.1/32 -i ppp0
ipchains -A input   -j ACCEPT -p 47  -s 199.0.0.1/32 -d 200.200.200.0/24 -i ppp0


This doc will also tell you how to determine if your kernel has the
support for pptp or not:

"To determine whether the running kernel includes VPN Masquerade
support, run the following command:"

     grep -i masq /proc/ksyms

...and look for the following entries:

     IPsec masquerade: ip_masq_esp and ip_demasq_esp
     PPTP masquerade: ip_masq_pptp_tcp and ip_demasq_pptp_tcp

> 
> - Gary
> 
> Wandered Inn wrote:
> >
> > Gary S MacKay wrote:
> > >
> > > I have a Win2K pro machine behind a linux machine running RedHat 7.0
> > > with 2.2.16-22 kernel. I've installed the ip_masq_pptp module also. When
> > > I try to connect to the remote site, it will get to the point of
> > > "Verifing password..." and then timeout. I have verified that the remote
> > > site works by dialing into the internet via modem from the Win box and I
> > > can connect to the VPN just fine.
> >
> > I'm doing much the same, although mine is behind two separate firewall
> > machines. You should have added some ipchains to properly pass the
> > transactions.  There's a really good description in one of the howto's,
> > vpn-howto or vpn-masq-howto, or something like that.
> >
> > Have you seen this doc?
> >
> > >
> > > Problem:
> > > Whenever I try to connect to a Netopia R910 router at a client site, I
> > > get these entries from a tcpdump on my firewall:
> > >
> > > 10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> > > 10:51:03.463238 > gre-proto-0x880B (gre encap)
> > > 10:51:03.813238 < gre-proto-0x880B (gre encap)
> > > 10:51:03.813238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> > >
> > > It just repeats until the Win box times out with an error that a port
> > > was not connected.
> > >
> > > Question:
> > > What piece of the puzzle am I missing?
> > >
> > > - Gary
> > > --
> > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

--
Until later: Geoffrey		esoteric at denali.atlnet.com

"Great spirits have always found violent opposition from mediocre minds.
The
latter cannot understand it when a man does not thoughtlessly submit to
hereditary prejudices but honestly and courageously uses his
intelligence."
- Albert Einstein
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
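As an added example (not part of the thread or the HOWTO), a small Python checker that classifies tcpdump lines like the ones Gary posted and parses /proc/ksyms output for the masquerade symbols the HOWTO names. The sample capture and ksyms lines are constructed, and the symbol version-hash suffixes are made up.

```python
import re

# Constructed samples modelled on the thread: Gary's tcpdump excerpt (myIP and remoteIP are
# his placeholders) and a /proc/ksyms fragment in 2.2 versioned-symbol style (hashes made up).
SAMPLE_TCPDUMP = """\
10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
10:51:03.463238 > gre-proto-0x880B (gre encap)
10:51:03.813238 < gre-proto-0x880B (gre encap)
10:51:03.813238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
"""
SAMPLE_KSYMS = """\
c01a2b10 ip_masq_esp_R1a2b3c4d [ip_masq_ipsec]
c01a2c20 ip_demasq_esp_R1a2b3c4d [ip_masq_ipsec]
c2819000 ip_masq_pptp_tcp_R0a1b2c3d [ip_masq_pptp]
c2819100 ip_demasq_pptp_tcp_R0a1b2c3d [ip_masq_pptp]
"""
# In this tcpdump's notation '>' is outbound and '<' inbound on the interface.
GRE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ([<>]) gre-proto-0x880B")
UNREACH_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ > \S+ > \S+: icmp: \S+ protocol 47 unreachable")

def diagnose_pptp_capture(text):
    """Count GRE packets and the firewall's own 'protocol 47 unreachable' ICMPs."""
    gre_out = gre_in = unreach = 0
    for line in text.splitlines():
        m = GRE_RE.match(line)
        if m:
            gre_out += m.group(1) == ">"
            gre_in += m.group(1) == "<"
        elif UNREACH_RE.match(line):
            unreach += 1
    if gre_in and unreach:
        # GRE came back from the VPN server but the kernel had no handler for protocol 47:
        # missing -p 47 rules on the external interface, or no PPTP masquerade support.
        verdict = "gre-rejected"
    elif gre_out and not gre_in:
        verdict = "gre-no-reply"   # outbound GRE is never answered
    else:
        verdict = "ok"
    return {"gre_out": gre_out, "gre_in": gre_in, "proto47_unreachable": unreach, "verdict": verdict}

def masq_support(ksyms_text):
    """Report which VPN-masquerade handlers a 2.2 kernel exports in /proc/ksyms."""
    # Symbols may carry a _R<hash> version suffix (hence 'grep -i masq' in the
    # HOWTO), so match on the symbol name as a prefix of the second column.
    names = {cols[1] for cols in (ln.split() for ln in ksyms_text.splitlines()) if len(cols) > 1}
    wanted = {"pptp": ("ip_masq_pptp_tcp", "ip_demasq_pptp_tcp"),
              "ipsec": ("ip_masq_esp", "ip_demasq_esp")}
    return {kind: all(any(n.startswith(s) for n in names) for s in syms)
            for kind, syms in wanted.items()}
```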