  1. #1
    Just Joined!
    Join Date
    Apr 2004
    Posts
    23

    VPN + Firewall MASQ problem....


    I have the following setup:

    VPN SERVER <--> LINUX <--> INTERNET <--> CLIENT

    VPN SERVER
    - Windows 2003
    - 10.0.0.2
    - PPTP protocol
    - Tested and working from internal network

    LINUX
    - Fedora Core 1
    - Kernel 2.4.22
    - 10.0.0.1 @ eth1 (Internal network connection)
    - DHCP Cable Internet @ eth0
    - Masquerading tested and working for terminal server connections on the 10.0.0.2

    INTERNET
    - Permanent connection
    - DHCP ip
    - Cable modem @ linux eth0

    CLIENT
    - Windows XP
    - DHCP IP
    - PPTP Protocol
    - Internet tested and working (also connection with internal terminal server)
    - VPN Client working on internal network

    Port 1723 on the linux firewall is open and routes all traffic to 10.0.0.2 (this also applies for the terminal server)

    When I try to connect outside my intranet, to my vpn server the following occurs:

    First the connection is established, this works... then when the username authentication begins, it goes wrong... this just fails and I can't get any authentication from the vpn server.

    Any ideas what might be wrong ?

    I also tried the iptables "-A PREROUTING -t nat -p gre -i eth0 -j DNAT --to-destination 10.0.0.2" command on my linux box, but that doesn't seem to help a thing.

    Any suggestions ??
    (really desperate)


    TNX in advance...

  2. #2
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    Sounds like you need SNAT, too.

    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $NET_IP
    Or some variation of that.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  3. #3
    Just Joined!
    Join Date
    Apr 2004
    Posts
    23
    hmz, that doesn't seem to work either.

    any other suggestions ?


    Note: I recompiled the kernel and upgraded to the latest 2.6.5 (compiled iprouting & gre support in the kernel)

  5. #4
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    Can you post the rest of your script? That may help.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  6. #5
    Just Joined!
    Join Date
    Apr 2004
    Posts
    23
    The firewall script is a standard script that I've obtained from the internet
    You can find it overhere:
    http://monmotha.mplug.org/~monmotha/...all-2.3.8-pre9

    The configuration is done for the vpn & terminal server ports 1723 & 3389

    First I run the firewall script and afterwards I add the 2 above lines manually.


    Perhaps it is better to write my own script. But I don't have that much knowledge of IPTABLES.

    The only thing that needs to be done is the following:
    Ports 1723, 3389, 5025, 50021, 50022, 50080 need to be open from the internet (eth0)
    1723 & 3389 must route all traffic to 10.0.0.2
    5025 routes all incoming traffic (SMTP) to the internet (like a loop)
    50021, 50022, 50080 are local services on the linux box (FTP, SSH, WWW)
    Drop all igmp ping requests (so host seems to be down)
    route all traffic from the inside network (eth1) that is destined for the internet to the internet (eth0)
    eth0 receives an ip (changed daily from a dhcp server)


    Greetingz
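As an added example (not the poster's MonMotha script or anything from the thread), a minimal iptables script for the requirements listed in this post, using eth0, eth1 and 10.0.0.2 from the thread; the 5025 SMTP relay line is left out because the post does not say where it should be forwarded. It is dry-run by default and only prints the commands; set IPT=iptables and SYSCTL="sysctl -w" to apply them.

```shell
#!/bin/sh
# PPTP (TCP/1723 + GRE) and RDP (TCP/3389) passthrough to an internal server,
# MASQUERADE for a DHCP-assigned WAN address, local services on high ports.
# Dry-run by default: IPT="echo iptables" prints instead of applying.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl -w}"
WAN=eth0        # cable modem, DHCP address that changes daily
LAN=eth1        # internal network, 10.0.0.1 on the firewall
SRV=10.0.0.2    # Windows 2003 PPTP / terminal server

build_rules() {
    # Start from a clean table with a default-deny posture for INPUT and FORWARD.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services running on the firewall itself (FTP, SSH, WWW on high ports).
    for p in 50021 50022 50080; do
        $IPT -A INPUT -i $WAN -p tcp --dport $p -j ACCEPT
    done
    # Drop echo requests from the Internet so the host appears down.
    $IPT -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP
    # The LAN may talk to the firewall and be forwarded out to the Internet.
    $IPT -A INPUT -i $LAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    # PPTP is TCP/1723 for control PLUS GRE (IP protocol 47) for the tunnel;
    # forwarding only 1723 lets the connection set up and then fail at the
    # authentication/PPP stage. A DNAT rule on its own does not pass the
    # packets either: the FORWARD chain must accept them as well.
    for match in "-p tcp --dport 1723" "-p tcp --dport 3389" "-p gre"; do
        $IPT -t nat -A PREROUTING -i $WAN $match -j DNAT --to-destination $SRV
        $IPT -A FORWARD -i $WAN -o $LAN -d $SRV $match -j ACCEPT
    done
    # MASQUERADE rather than SNAT --to-source: the WAN address is not fixed.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    $SYSCTL net.ipv4.ip_forward=1
}

build_rules
```

GRE has no port numbers, so without a PPTP connection-tracking helper only one internal PPTP server can sit behind the DNAT, which matches this setup.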

  7. #6
    Just Joined!
    Join Date
    Apr 2004
    Posts
    23
    I also ran a packet logger and this is the report:

    NOTE: This is the established connection between the vpn server & client inside the local network (the one where it all works)

    http://users.pandora.be/xterminator/report.txt
