Hi All,

Just joined the list to try and solve a problem. To show that I've read the rules I'll start with the requested info:

os: linux kernel-2.4.27 with latest netfilter pom for gre and pptp conntrack etc
iptables is 1.3.0 - downloaded and compiled with the pom stuff and the 2.4.27 kernel
shorewall version shorewall-2.2.1-2 from rpm

ip addr show

[root@squid3 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:ac:16:29:b8 brd ff:ff:ff:ff:ff:ff
    inet 172.20.1.1/24 brd 172.20.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:05:a4:27:f1 brd ff:ff:ff:ff:ff:ff
    inet 196.25.62.97/30 brd 196.25.62.99 scope global eth1
4: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

ip route show

[root@squid3 root]# ip route show
196.25.62.96/30 dev eth1 scope link
172.20.4.0/24 via 172.20.1.3 dev eth0
192.168.2.0/24 via 172.20.1.3 dev eth0
172.20.1.0/24 dev eth0 scope link
172.19.9.0/24 via 172.20.1.252 dev eth0
10.1.130.0/24 via 172.20.1.252 dev eth0
10.1.131.0/24 via 172.20.1.252 dev eth0
10.1.132.0/24 via 172.20.1.252 dev eth0
192.168.252.0/24 via 172.20.1.252 dev eth0
172.21.2.0/24 via 172.20.1.252 dev eth0
172.17.1.0/24 via 172.20.1.252 dev eth0
198.54.229.0/24 via 172.20.1.252 dev eth0
10.2.0.0/16 via 172.20.1.252 dev eth0
10.3.0.0/16 via 172.20.1.252 dev eth0
10.1.0.0/16 via 172.20.1.252 dev eth0
172.30.0.0/16 via 172.20.1.252 dev eth0
10.4.0.0/16 via 172.20.1.252 dev eth0
10.10.0.0/16 via 172.20.1.252 dev eth0
169.254.0.0/16 dev eth1 scope link
192.168.0.0/16 via 172.20.1.252 dev eth0
127.0.0.0/8 dev lo scope link
default via 196.25.62.98 dev eth1
[root@squid3 root]#

Attached is the output of shorewall status as well as the /etc/shorewall files I modd'ed.

Okay here's the plot! The server runs as a simple firewall and squid proxy server for our country wide users and a few customers, hence the largish route table. Squid takes care of the http traffic and masq takes care of the rest. I then needed to allow up to 6 users to connect to a Cisco router at SSA/Baan in the USA. With the original config, without the upgrade to iptables 1.3.0 and the pom stuff, I could only make a single connection at a time! Please bear in mind that the clients are inside the loc zone and the server is out on the wild internet.

I then dug around and did some googling to find what I needed to do. Netfilter, monmotha and shorewall pointed me to the need of tracking gre and pptp connections, which is logical I guess! Popped over to the netfilter ftp site and downloaded 1.3.0 plus the latest pom. I had already upgraded the kernel to 2.4.27 so I just went ahead and used the pom tool to patch the kernel and the iptables source. I ran make menuconfig and built all the conntrack stuff together with the rest of netfilter into the kernel, compiled and installed iptables 1.3.0. Rebooted to the new kernel, corrected the IPTABLES line in shorewall.conf to point to the correct one and asked the users to try! Result? Just the same! One connection at a time to the remote ip! I tried building the kernel with the conntrack stuff as modules and still no joy :-(

I know the Cisco box we connect to supports multiple connections to its ip address as most of our staff who use the vpn service have dialup facilities on their workstations and happily dial an ISP and bring up the VPN! Even tried to use our dreaded isa thing but 'it' only supports a single connection to an ip address at a time. Multiple vpns to different remote ip's works like a wiz! To a single one? Naadaa!!

I have management now breathing down my neck so please help!

Cheers
Ang
--
Angela Williams
Enterprise Outsourcing
All Unix/Linux & Cisco spoken here!
Bedfordview awilliams@eoh.co.za
Gauteng South Africa
Smile!! Jesus Loves You!!
Angela Williams wrote:
> This body part will be downloaded on demand.

Apparently, the message body was not delivered to the list (only your attachments arrived here).

Please re-send the problem description only.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Angela Williams wrote:
>
> > This body part will be downloaded on demand.
>
> Apparently, the message body was not delivered to the list (only your
> attachments arrived here).
>
> Please re-send the problem description only.

Never mind -- It was apparently my mailer that was confused (or possibly, just me :-) )

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Angela Williams wrote:
>
> Multiple vpns to different remote ip's works like a wiz! To a single one?
> Naadaa!!
>
> I have management now breathing down my neck so please help!
>

Unfortunately, I don't see anything that you've done wrong. The four pptp conntrack/nat modules are loaded and there is nothing that you can do in your Shorewall config that will have any effect on this problem.

When you have a single VPN connection working, what does the output of "shorewall show connections" look like?

What about if you try a second connection -- how does that output change?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 23 March 2005 18:27, Tom Eastep wrote:
> Angela Williams wrote:
> > Multiple vpns to different remote ip's works like a wiz! To a single one?
> > Naadaa!!
> >
> > I have management now breathing down my neck so please help!
>
> Unfortunately, I don't see anything that you've done wrong. The four
> pptp conntrack/nat modules are loaded and there is nothing that you can
> do in your Shorewall config that will have any effect on this problem.
>
> When you have a single VPN connection working, what does the output of
> "shorewall show connections" look like?
>
> What about if you try a second connection -- how does that output change?

I'll let you know in the morning my time!

Ang
--
Angela Williams
Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here!
Bedfordview awilliams@eoh.co.za
Gauteng South Africa
Smile!! Jesus Loves You!!
Angela Williams wrote:
> I know the Cisco box we connect to supports multiple connections to its ip
> address as most of our staff who use the vpn service have dialup facilities
> on their workstations and happily dial an ISP and bring up the VPN!

Do you know for certain that the Cisco supports multiple connections *from the same IP address*?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote on 23/03/2005 14:38:27:
> Angela Williams wrote:
>
> > I know the Cisco box we connect to supports multiple connections to its ip
> > address as most of our staff who use the vpn service have dialup facilities
> > on their workstations and happily dial an ISP and bring up the VPN!
>
> Do you know for certain that the Cisco supports multiple connections
> *from the same IP address*?
>
> -Tom
> --

I think the problem here is that the other part probably doesn't use the conntrack-pptp modules. For him, they are all part of a unique PPTP connection. If you have a number of Public IPs available, you could use a one by one nat scheme. But public IPs are not a cheap commodity nowadays...

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
>
> I think the problem here is that the other part probably doesn't use the
> conntrack-pptp modules.

The other end is a Cisco. Angela has the conntrack-pptp modules loaded correctly on her end.

> For him, they are all part of a unique PPTP
> connection. If you have a number of Public IPs available, you could use
> a one by one nat scheme. But public IPs are not a cheap commodity
> nowadays...
>

Angela's firewall has only a single external IP address currently.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote on 23/03/2005 16:36:21:
> Eduardo Ferreira wrote:
> >
> > I think the problem here is that the other part probably doesn't use the
> > conntrack-pptp modules.
>
> The other end is a Cisco. Angela has the conntrack-pptp modules loaded
> correctly on her end.
>
> > For him, they are all part of a unique PPTP
> > connection. If you have a number of Public IPs available, you could use
> > a one by one nat scheme. But public IPs are not a cheap commodity
> > nowadays...
> >
>
> Angela's firewall has only a single external IP address currently.
>
> -Tom
> --

Ok, repeat with me: "read all messages in a thread before answering" ;-)

/sorry
Hi All!

On Wednesday 23 March 2005 21:45, Eduardo Ferreira wrote:
> Tom Eastep wrote on 23/03/2005 16:36:21:
> > Eduardo Ferreira wrote:
> > > I think the problem here is that the other part probably doesn't use
> > > the conntrack-pptp modules.
> >
> > The other end is a Cisco. Angela has the conntrack-pptp modules loaded
> > correctly on her end.
> >
> > > For him, they are all part of a unique PPTP
> > > connection. If you have a number of Public IPs available, you could
> > > use a one by one nat scheme. But public IPs are not a cheap commodity
> > > nowadays...

That would have solved the problem! Just had an email back from EXE and they say one ip - one connection!

> > Angela's firewall has only a single external IP address currently.

I had made it clear to EXE that we would be making multiple connections from a single ip but I guess they missed it! We will now try with the Cisco VPN Client. I could of course hack my routing on my internal routers to point to my firewall that has a whole class c subnet, but that would mean kernel, iptables + pom upgrades on a very heavily used box. If it works I tend to leave it alone!

Thanks tons for your help!

Cheers
Ang
--
Angela Williams
Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here!
Bedfordview awilliams@eoh.co.za
Gauteng South Africa
Smile!! Jesus Loves You!!
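Tom's diagnostic question in this thread was what "shorewall show connections" shows with one PPTP tunnel up and how it changes when a second client connects to the same server. The script below is an added example, not code from the thread or from Shorewall: it parses conntrack entries in the /proc/net/ip_conntrack layout that a 2.4 kernel with the pptp/gre helpers prints, groups them by remote PPTP server, counts control sessions (tcp/1723) and GRE tunnels, and checks that the server-to-firewall GRE keys differ between tunnels, since with one external address that is what lets the firewall hand each incoming GRE packet back to the right loc-zone client. The sample entries are constructed (203.0.113.10 is a placeholder for the remote server, the client addresses are made up in Angela's 172.20.1.0/24 range), and the exact key semantics are an assumption about the helper's output. As the thread's outcome shows, a clean result on this side only proves the firewall is tracking both tunnels; the remote end can still enforce one session per source IP.

```python
"""Group PPTP control sessions and GRE tunnels in conntrack output by remote peer."""
import re
from collections import defaultdict

PPTP_CONTROL_PORT = "1723"

# Constructed sample in the layout of /proc/net/ip_conntrack (what
# `shorewall show connections` prints on a 2.4 kernel): two loc-zone clients
# behind the single external address 196.25.62.97, both talking to one remote
# PPTP server (203.0.113.10 is a placeholder address, not from the thread).
SAMPLE_OK = """\
tcp      6 431999 ESTABLISHED src=172.20.1.50 dst=203.0.113.10 sport=1034 dport=1723 src=203.0.113.10 dst=196.25.62.97 sport=1723 dport=1034 [ASSURED] use=1
gre      47 599 src=172.20.1.50 dst=203.0.113.10 srckey=0x0 dstkey=0x2c31 src=203.0.113.10 dst=196.25.62.97 srckey=0x2c31 dstkey=0x8001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.20.1.51 dst=203.0.113.10 sport=1040 dport=1723 src=203.0.113.10 dst=196.25.62.97 sport=1723 dport=1040 [ASSURED] use=1
gre      47 599 src=172.20.1.51 dst=203.0.113.10 srckey=0x0 dstkey=0x2c32 src=203.0.113.10 dst=196.25.62.97 srckey=0x2c32 dstkey=0x8002 [ASSURED] use=1
udp      17 29 src=172.20.1.5 dst=172.20.1.1 sport=1027 dport=53 src=172.20.1.1 dst=172.20.1.5 sport=53 dport=1027 use=1
"""

# Constructed sample of a state that cannot work: two tunnels whose
# server-to-firewall GRE keys are identical, so GRE packets arriving at the
# single external address cannot be matched back to the right client.
SAMPLE_COLLIDING = """\
gre      47 599 src=172.20.1.50 dst=203.0.113.10 srckey=0x0 dstkey=0x2c31 src=203.0.113.10 dst=196.25.62.97 srckey=0x2c31 dstkey=0x8001 [ASSURED] use=1
gre      47 599 src=172.20.1.51 dst=203.0.113.10 srckey=0x0 dstkey=0x2c31 src=203.0.113.10 dst=196.25.62.97 srckey=0x2c31 dstkey=0x8001 [ASSURED] use=1
"""

# "<proto> <protonum> <timeout> <rest>"; the rest holds state, two tuples, flags.
ENTRY_RE = re.compile(r"^(?P<proto>[a-z]+)\s+\d+\s+\d+\s+(?P<rest>.*)$")


def parse_entry(line):
    """Split one conntrack line into protocol, original tuple, reply tuple, flags.

    key=value tokens go to the original tuple until the second 'src=' token,
    which starts the reply tuple. Returns None for lines that are not entries.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tuples = [{}, {}]
    idx = -1
    flags = []
    for tok in m.group("rest").split():
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "src":
                idx += 1
            if 0 <= idx < 2:
                tuples[idx][key] = value
    return {"proto": m.group("proto"), "orig": tuples[0], "reply": tuples[1], "flags": flags}


def summarize_pptp(conntrack_text):
    """Per remote PPTP server: count control sessions and GRE tunnels, and
    check that the reply-direction (server -> firewall) GRE key pairs differ
    between tunnels. Entries that are neither tcp/1723 nor gre are ignored."""
    summary = defaultdict(lambda: {"control": 0, "gre": 0, "reply_keys": []})
    for line in conntrack_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        peer = entry["orig"].get("dst")
        if entry["proto"] == "tcp" and entry["orig"].get("dport") == PPTP_CONTROL_PORT:
            summary[peer]["control"] += 1
        elif entry["proto"] == "gre":
            summary[peer]["gre"] += 1
            reply = entry["reply"]
            summary[peer]["reply_keys"].append((reply.get("srckey"), reply.get("dstkey")))
    result = {}
    for peer, info in summary.items():
        keys = info["reply_keys"]
        info["keys_unique"] = len(set(keys)) == len(keys)
        result[peer] = info
    return result


def report(conntrack_text):
    """One human-readable line per remote peer."""
    lines = []
    for peer, info in sorted(summarize_pptp(conntrack_text).items()):
        verdict = "ok" if info["keys_unique"] else "KEY COLLISION"
        lines.append("%s: %d control, %d gre tunnel(s), reply keys %s"
                     % (peer, info["control"], info["gre"], verdict))
    return lines


if __name__ == "__main__":
    import sys
    # Pipe real output in (e.g. `shorewall show connections | python this.py`),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    for line in report(text):
        print(line)
```

Run it once with a single tunnel up and again after the second client connects: the gre count for the remote server should go from 1 to 2 with "reply keys ok". If the second tunnel never appears, or appears with a key collision, the problem is on the firewall side; if both tunnels are tracked cleanly and the second client still fails, the limit is at the far end, which is what EXE confirmed here.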