Yogesh Sharma
2002-Feb-05 23:43 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Hi all,

I am trying to set up a pptp server as per the instructions in the pptp documentation by Tom.

The firewall is allowing packets but I am getting the following messages:

Feb 5 14:26:00 gateway pptpd[32058]: CTRL: Client <ipaddress> control connection started
Feb 5 14:26:00 gateway pptpd[32058]: CTRL: Starting call (launching pppd, opening GRE)
Feb 5 14:26:00 gateway pppd[32059]: pppd 2.4.1 started by root, uid 0
Feb 5 14:26:00 gateway pppd[32059]: Connect: <--> /dev/pts/1
Feb 5 14:26:01 gateway pptpd[32058]: GRE: read error: Protocol not available
Feb 5 14:26:01 gateway pptpd[32058]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Feb 5 14:26:01 gateway pptpd[32058]: CTRL: Client <ipaddress> control connection finished
Feb 5 14:26:01 gateway pppd[32059]: Modem hangup
Feb 5 14:26:01 gateway pppd[32059]: Connection terminated.
Feb 5 14:26:01 gateway pppd[32059]: Exit.

I compiled everything as instructed in the documentation. I did load the ip_gre module but it didn't work out.

I am using:
RH 7.2 Kernel 2.4.9-21
IP Tables 1.2.4-2
Shorewall 1.2-5 with two-interface.tgz (sample)
poptop 1.1.2
ppp 2.4.1

Please help if you have any idea where I can get the support for the GRE protocol.

Yogesh

PS: Attaching .config for kernel compile.

Do I have to add a tunnel in /etc/shorewall/tunnels?
Attachment: .config

#
# Automatically generated make config: don't edit
#
CONFIG_X86=y
CONFIG_ISA=y
# CONFIG_SBUS is not set
CONFIG_UID16=y

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y

#
# Processor type and features
#
# CONFIG_M386 is not set
# CONFIG_M486 is not set
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
CONFIG_MPENTIUMIII=y
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MCYRIXIII is not set
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_X86_L1_CACHE_SHIFT=5
CONFIG_X86_TSC=y
CONFIG_X86_GOOD_APIC=y
CONFIG_X86_PGE=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
# CONFIG_TOSHIBA is not set
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set
# CONFIG_E820_PROC is not set
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set
# CONFIG_1GB is not set
# CONFIG_2GB is not set
CONFIG_3GB=y
# CONFIG_MATH_EMULATION is not set
CONFIG_MTRR=y
# CONFIG_SMP is not set
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
# CONFIG_MXT is not set

#
# General setup
#
CONFIG_NET=y
CONFIG_PCI=y
# CONFIG_PCI_GOBIOS is not set
# CONFIG_PCI_GODIRECT is not set
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_NAMES=y
# CONFIG_EISA is not set
# CONFIG_MCA is not set
CONFIG_HOTPLUG=y

#
# PCMCIA/CardBus support
#
# CONFIG_PCMCIA is not set

#
# PCI Hotplug Support
#
# CONFIG_HOTPLUG_PCI is not set
CONFIG_SYSVIPC=y
# CONFIG_BSD_PROCESS_ACCT is not set
CONFIG_SYSCTL=y
CONFIG_KCORE_ELF=y
# CONFIG_KCORE_AOUT is not set
CONFIG_BINFMT_AOUT=m
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_MISC=m
CONFIG_PM=y
# CONFIG_ACPI is not set
# CONFIG_APM is not set

#
# Binary emulation of other systems
#
# CONFIG_ABI is not set
# CONFIG_ABI_CXENIX is not set

#
# Support for foreign binary formats
#

#
# Linux-ABI debugging settings
#

#
# Memory Technology Devices (MTD)
#
# CONFIG_MTD is not set

#
# Parallel port support
#
# CONFIG_PARPORT is not set

#
# Plug and Play configuration
#
CONFIG_PNP=y
CONFIG_ISAPNP=y
# CONFIG_PNPBIOS is not set

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_BLK_DEV_DAC960 is not set
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_NBD=m
# CONFIG_BLK_DEV_RAM is not set

#
# Multi-device support (RAID and LVM)
#
CONFIG_MD=y
CONFIG_BLK_DEV_MD=m
CONFIG_MD_LINEAR=m
CONFIG_MD_RAID0=m
CONFIG_MD_RAID1=m
CONFIG_MD_RAID5=m
CONFIG_MD_MULTIPATH=m
CONFIG_BLK_DEV_LVM=m

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_TUX is not set
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
# CONFIG_IP_NF_MATCH_MAC is not set
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y

#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set

#
#
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set

#
# Telephony Support
#
# CONFIG_PHONE is not set

#
# ATA/IDE/MFM/RLL support
#
CONFIG_IDE=y

#
# IDE, ATA and ATAPI Block devices
#
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
# CONFIG_BLK_DEV_HD is not set
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_IDEDISK_MULTI_MODE=y
# CONFIG_BLK_DEV_IDEDISK_VENDOR is not set
# CONFIG_BLK_DEV_COMMERIAL is not set
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set

#
# IDE chipset support/bugfixes
#
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
# CONFIG_BLK_DEV_ISAPNP is not set
CONFIG_BLK_DEV_RZ1000=y
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
CONFIG_BLK_DEV_IDEDMA_PCI=y
CONFIG_BLK_DEV_ADMA=y
# CONFIG_BLK_DEV_OFFBOARD is not set
CONFIG_IDEDMA_PCI_AUTO=y
# CONFIG_IDEDMA_ONLYDISK is not set
CONFIG_BLK_DEV_IDEDMA=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_BLK_DEV_AEC62XX is not set
# CONFIG_BLK_DEV_ALI15X3 is not set
# CONFIG_BLK_DEV_AMD74XX is not set
# CONFIG_BLK_DEV_CMD64X is not set
# CONFIG_BLK_DEV_CY82C693 is not set
# CONFIG_BLK_DEV_CS5530 is not set
# CONFIG_BLK_DEV_HPT34X is not set
# CONFIG_BLK_DEV_HPT366 is not set
CONFIG_BLK_DEV_PIIX=y
CONFIG_PIIX_TUNING=y
# CONFIG_BLK_DEV_NS87415 is not set
# CONFIG_BLK_DEV_OPTI621 is not set
# CONFIG_BLK_DEV_PDC202XX is not set
# CONFIG_BLK_DEV_SVWKS is not set
# CONFIG_BLK_DEV_SIS5513 is not set
# CONFIG_BLK_DEV_SLC90E66 is not set
# CONFIG_BLK_DEV_TRM290 is not set
# CONFIG_BLK_DEV_VIA82CXXX is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_IDEDMA_AUTO=y
# CONFIG_IDEDMA_IVB is not set
# CONFIG_DMA_NONPCI is not set
CONFIG_BLK_DEV_IDE_MODES=y
# CONFIG_BLK_DEV_ATARAID is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Fusion MPT device support
#
# CONFIG_FUSION_BOOT is not set
# CONFIG_FUSION_ISENSE is not set
# CONFIG_FUSION_CTL is not set
# CONFIG_FUSION_LAN is not set

#
# IEEE 1394 (FireWire) support (EXPERIMENTAL)
#
# CONFIG_IEEE1394 is not set

#
# I2O device support
#
# CONFIG_I2O is not set

#
# Network device support
#
CONFIG_NETDEVICES=y

#
# ARCnet devices
#
# CONFIG_ARCNET is not set
CONFIG_DUMMY=m
# CONFIG_BONDING is not set
# CONFIG_EQUALIZER is not set
# CONFIG_TUN is not set
# CONFIG_ETHERTAP is not set
# CONFIG_NET_SB1000 is not set

#
# Ethernet (10 or 100Mbit)
#
CONFIG_NET_ETHERNET=y
CONFIG_HAPPYMEAL=m
CONFIG_SUNGEM=m
CONFIG_NET_VENDOR_3COM=y
CONFIG_EL1=m
CONFIG_EL2=m
CONFIG_ELPLUS=m
CONFIG_EL16=m
CONFIG_EL3=m
CONFIG_3C515=m
CONFIG_VORTEX=m
CONFIG_LANCE=m
CONFIG_NET_VENDOR_SMC=y
CONFIG_WD80x3=m
CONFIG_ULTRA=m
CONFIG_SMC9194=m
CONFIG_NET_VENDOR_RACAL=y
CONFIG_NI5010=m
CONFIG_NI52=m
CONFIG_NI65=m
CONFIG_AT1700=m
CONFIG_DEPCA=m
CONFIG_HP100=m
CONFIG_NET_ISA=y
CONFIG_E2100=m
CONFIG_EWRK3=m
CONFIG_EEXPRESS=m
CONFIG_EEXPRESS_PRO=m
CONFIG_HPLAN_PLUS=m
CONFIG_HPLAN=m
CONFIG_LP486E=m
CONFIG_ETH16I=m
CONFIG_NE2000=m
CONFIG_NET_PCI=y
CONFIG_PCNET32=m
CONFIG_ADAPTEC_STARFIRE=m
CONFIG_AC3200=m
CONFIG_APRICOT=m
CONFIG_CS89x0=m
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
# CONFIG_TULIP_MMIO is not set
CONFIG_DE4X5=m
CONFIG_DGRS=m
CONFIG_DM9102=m
CONFIG_EEPRO100=m
CONFIG_FEALNX=m
CONFIG_NATSEMI=m
CONFIG_NE2K_PCI=m
CONFIG_8139TOO=m
# CONFIG_8139TOO_PIO is not set
# CONFIG_8139TOO_TUNE_TWISTER is not set
# CONFIG_8139TOO_8129 is not set
CONFIG_SIS900=m
CONFIG_SIS900_NEW=m
CONFIG_EPIC100=m
CONFIG_SUNDANCE=m
CONFIG_TLAN=m
CONFIG_VIA_RHINE=m
CONFIG_WINBOND_840=m
# CONFIG_LAN_SAA9730 is not set
# CONFIG_NET_POCKET is not set

#
# Ethernet (1000 Mbit)
#
# CONFIG_ACENIC is not set
# CONFIG_DL2K is not set
# CONFIG_NS83820 is not set
# CONFIG_HAMACHI is not set
# CONFIG_YELLOWFIN is not set
# CONFIG_SK98LIN is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
CONFIG_PPP=m
CONFIG_PPP_MULTILINK=y
# CONFIG_PPP_FILTER is not set
CONFIG_PPP_ASYNC=m
CONFIG_PPP_SYNC_TTY=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_BSDCOMP=m
CONFIG_PPPOE=m
# CONFIG_SLIP is not set

#
# Wireless LAN (non-hamradio)
#
# CONFIG_NET_RADIO is not set

#
# Token Ring devices
#
# CONFIG_TR is not set
# CONFIG_NET_FC is not set
# CONFIG_RCPCI is not set
# CONFIG_SHAPER is not set

#
# Wan interfaces
#
# CONFIG_WAN is not set

#
# Amateur Radio support
#
# CONFIG_HAMRADIO is not set

#
# IrDA (infrared) support
#
# CONFIG_IRDA is not set

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# Old CD-ROM drivers (not SCSI, not IDE)
#
# CONFIG_CD_NO_IDESCSI is not set

#
# Input core support
#
# CONFIG_INPUT is not set
CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768

#
# Character devices
#
CONFIG_VT=y
# CONFIG_ECC is not set
CONFIG_VT_CONSOLE=y
CONFIG_SERIAL=y
# CONFIG_SERIAL_CONSOLE is not set
# CONFIG_SERIAL_EXTENDED is not set
# CONFIG_SERIAL_NONSTANDARD is not set
CONFIG_UNIX98_PTYS=y
CONFIG_UNIX98_PTY_COUNT=256

#
# I2C support
#
# CONFIG_I2C is not set

#
# Mice
#
# CONFIG_BUSMOUSE is not set
CONFIG_MOUSE=y
CONFIG_PSMOUSE=y
# CONFIG_82C710_MOUSE is not set
# CONFIG_PC110_PAD is not set

#
# Joysticks
#
# CONFIG_INPUT_GAMEPORT is not set

#
# Input core support is needed for gameports
#

#
# Input core support is needed for joysticks
#
# CONFIG_QIC02_TAPE is not set

#
# Watchdog Cards
#
# CONFIG_WATCHDOG is not set
# CONFIG_INTEL_RNG is not set
# CONFIG_NVRAM is not set
# CONFIG_RTC is not set
# CONFIG_DTLK is not set
# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set
# CONFIG_SONYPI is not set

#
# Ftape, the floppy tape device driver
#
# CONFIG_FTAPE is not set
CONFIG_AGP=y
CONFIG_AGP_INTEL=y
CONFIG_AGP_I810=y
CONFIG_AGP_VIA=y
CONFIG_AGP_AMD=y
CONFIG_AGP_SIS=y
CONFIG_AGP_ALI=y
# CONFIG_AGP_SWORKS is not set
CONFIG_DRM=y
# CONFIG_DRM_NEW is not set
CONFIG_DRM_OLD=y
# CONFIG_DRM40_TDFX is not set
# CONFIG_DRM40_GAMMA is not set
# CONFIG_DRM40_R128 is not set
# CONFIG_DRM40_RADEON is not set
# CONFIG_DRM40_I810 is not set
# CONFIG_DRM40_MGA is not set

#
# Multimedia devices
#
# CONFIG_VIDEO_DEV is not set

#
# Crypto Hardware support
#
# CONFIG_CRYPTO is not set

#
# File systems
#
# CONFIG_QUOTA is not set
# CONFIG_AUTOFS_FS is not set
CONFIG_AUTOFS4_FS=y
# CONFIG_REISERFS_FS is not set
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_BFS_FS is not set
# CONFIG_CMS_FS is not set
CONFIG_EXT3_FS=y
CONFIG_JBD=y
CONFIG_JBD_DEBUG=y
CONFIG_FAT_FS=m
CONFIG_MSDOS_FS=m
CONFIG_UMSDOS_FS=m
CONFIG_VFAT_FS=m
# CONFIG_EFS_FS is not set
# CONFIG_CRAMFS is not set
CONFIG_TMPFS=y
# CONFIG_RAMFS is not set
CONFIG_ISO9660_FS=m
CONFIG_JOLIET=y
# CONFIG_MINIX_FS is not set
# CONFIG_FREEVXFS_FS is not set
CONFIG_NTFS_FS=m
# CONFIG_NTFS_RW is not set
CONFIG_HPFS_FS=m
CONFIG_PROC_FS=y
# CONFIG_DEVFS_FS is not set
CONFIG_DEVPTS_FS=y
# CONFIG_QNX4FS_FS is not set
# CONFIG_ROMFS_FS is not set
CONFIG_EXT2_FS=y
# CONFIG_SYSV_FS is not set
CONFIG_UDF_FS=m
# CONFIG_UDF_RW is not set
# CONFIG_UFS_FS is not set

#
# Network File Systems
#
# CONFIG_CODA_FS is not set
# CONFIG_INTERMEZZO_FS is not set
CONFIG_NFS_FS=y
CONFIG_NFS_V3=y
CONFIG_NFSD=y
CONFIG_NFSD_V3=y
CONFIG_SUNRPC=y
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
# CONFIG_SMB_FS is not set
# CONFIG_NCP_FS is not set

#
# Partition Types
#
# CONFIG_PARTITION_ADVANCED is not set
CONFIG_MSDOS_PARTITION=y
# CONFIG_SMB_NLS is not set
CONFIG_NLS=y

#
# Native Language Support
#
CONFIG_NLS_DEFAULT="iso8859-1"
CONFIG_NLS_CODEPAGE_437=m
CONFIG_NLS_CODEPAGE_737=m
CONFIG_NLS_CODEPAGE_775=m
CONFIG_NLS_CODEPAGE_850=m
CONFIG_NLS_CODEPAGE_852=m
CONFIG_NLS_CODEPAGE_855=m
CONFIG_NLS_CODEPAGE_857=m
CONFIG_NLS_CODEPAGE_860=m
CONFIG_NLS_CODEPAGE_861=m
CONFIG_NLS_CODEPAGE_862=m
CONFIG_NLS_CODEPAGE_863=m
CONFIG_NLS_CODEPAGE_864=m
CONFIG_NLS_CODEPAGE_865=m
CONFIG_NLS_CODEPAGE_866=m
CONFIG_NLS_CODEPAGE_869=m
CONFIG_NLS_CODEPAGE_936=m
CONFIG_NLS_CODEPAGE_950=m
CONFIG_NLS_CODEPAGE_932=m
CONFIG_NLS_CODEPAGE_949=m
CONFIG_NLS_CODEPAGE_874=m
CONFIG_NLS_ISO8859_8=m
CONFIG_NLS_CODEPAGE_1251=m
CONFIG_NLS_ISO8859_1=m
CONFIG_NLS_ISO8859_2=m
CONFIG_NLS_ISO8859_3=m
CONFIG_NLS_ISO8859_4=m
CONFIG_NLS_ISO8859_5=m
CONFIG_NLS_ISO8859_6=m
CONFIG_NLS_ISO8859_7=m
CONFIG_NLS_ISO8859_9=m
CONFIG_NLS_ISO8859_13=m
CONFIG_NLS_ISO8859_14=m
CONFIG_NLS_ISO8859_15=m
CONFIG_NLS_KOI8_R=m
CONFIG_NLS_KOI8_U=m
CONFIG_NLS_UTF8=m

#
# Console drivers
#
CONFIG_VGA_CONSOLE=y
# CONFIG_VIDEO_SELECT is not set
# CONFIG_MDA_CONSOLE is not set

#
# Frame-buffer support
#
# CONFIG_FB is not set

#
# Sound
#
# CONFIG_SOUND is not set

#
# USB support
#
# CONFIG_USB is not set

#
# USB Controllers
#

#
# USB Device Class drivers
#
# CONFIG_USB_STORAGE_SDDR09 is not set

#
# USB Human Interface Devices (HID)
#

#
# Input core support is needed for USB HID
#

#
# USB Imaging devices
#

#
# USB Multimedia devices
#

#
# Video4Linux support is needed for USB Multimedia device support
#

#
# USB Network adaptors
#

#
# USB port drivers
#

#
# USB Serial Converter support
#

#
# Miscellaneous USB drivers
#

#
# Additional device driver support
#
# CONFIG_NET_BROADCOM is not set
# CONFIG_NET_E100 is not set
# CONFIG_NET_E1000 is not set
# CONFIG_CIPE is not set
# CONFIG_CRYPTO_AEP is not set
# CONFIG_FC_QLA2200 is not set
# CONFIG_FC_QLA2300 is not set

#
# Bluetooth support
#
# CONFIG_BLUEZ is not set

#
# Kernel hacking
#
# CONFIG_SMALL is not set
# CONFIG_DEBUG_KERNEL is not set
Tom Eastep
2002-Feb-06 00:38 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Yogesh,

On Tuesday 05 February 2002 03:43 pm, Yogesh Sharma wrote:
> Hi all,
>
> I am trying to setup a pptp server as per instructions in pptp
> documentation by TOM.
>
> Firewall is allowing packets but I am getting following message:
>
> Feb 5 14:26:00 gateway pptpd[32058]: CTRL: Client <ipaddress> control
> connection started
> Feb 5 14:26:00 gateway pptpd[32058]: CTRL: Starting call (launching
> pppd, opening GRE)
> Feb 5 14:26:00 gateway pppd[32059]: pppd 2.4.1 started by root, uid 0
> Feb 5 14:26:00 gateway pppd[32059]: Connect: <--> /dev/pts/1
> Feb 5 14:26:01 gateway pptpd[32058]: GRE: read error: Protocol not
> available
> Feb 5 14:26:01 gateway pptpd[32058]: CTRL: PTY read or GRE write failed
> (pty,gre)=(4,5)
> Feb 5 14:26:01 gateway pptpd[32058]: CTRL: Client <ipaddress> control
> connection finished
> Feb 5 14:26:01 gateway pppd[32059]: Modem hangup
> Feb 5 14:26:01 gateway pppd[32059]: Connection terminated.
> Feb 5 14:26:01 gateway pppd[32059]: Exit.
>
>
> I compiled everything as instructed in the documentation. I did loaded
> the ip_gre module but it didn't work out.

The ip_gre module implements GRE tunnels and has nothing to do with PPTP.

> I am using RH 7.2 Kernel 2.4.9-21
> IP Tables 1.2.4-2
> Shorewall 1.2-5 with two-interface.tgz (sample)
> poptop 1.1.2
> ppp 2.4.1
>
> Please help if u have any idea where I can the support for GRE Protcol

The error message is misleading and doesn't necessarily mean that you are missing GRE support. When you have a connection problem with ppp on Linux, it's a good idea to specify the debug option for pppd and to modify your /etc/syslog.conf file to log DAEMON.DEBUG messages to a separate log file. You get a lot more information about what is going on (be sure to restart syslogd after you change /etc/syslog.conf).

> Yogesh
>
> PS: Attaching .config for kernel compile.

Looks ok. Hopefully you are loading the ppp_async, ppp_generic, ppp_mppe and slhc modules.

> DO I have to added tunnel in /etc/shorewall/tunnels ?

No -- you need to add entries in:

/etc/shorewall/zones (unless you want to make remote clients part of the local zone).
/etc/shorewall/interfaces (add ppp interface and associate it with a zone)
/etc/shorewall/hosts (if you also run a pptp client on your firewall).
/etc/shorewall/policy (either loc->loc or <client zone>->loc)
/etc/shorewall/rules (add protocol 47 and TCP port 1723 in net->fw -- you might also want protocol 47 open from fw->net; my instructions don't include that advice but I have that open for other reasons and it may play a role here).

-Tom
--
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
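The two checks Tom recommends above (read the pppd/pptpd log closely, and confirm the PPP modules are loaded) can be scripted. The following is an added example written for this archive; it is not code from the Shorewall list, poptop or pppd. The function names (pptp_session_status, missing_ppp_modules) are mine, and the syslog extract and lsmod listing are constructed for the example (the log lines mirror the ones Yogesh posted). The string markers it looks for are pppd's and pptpd's real messages, but a different pppd version may word them differently, so treat the patterns as a starting point.

```shell
#!/bin/sh
# Added example; not code from the Shorewall list, poptop or pppd.
# Triage a pptpd/pppd session from syslog lines, and check that the PPP
# kernel modules Tom names are loaded. Sample input below is constructed.

# pptp_session_status: read syslog lines on stdin, print one verdict.
#   gre-failed   pptpd could not read/write the GRE socket (Yogesh's case)
#   established  pppd finished IPCP and assigned addresses
#   pppd-failed  pppd hung up without ever assigning addresses
#   unknown      none of the markers seen
pptp_session_status() {
    log=$(cat)
    case $log in
        *"GRE: read error"*|*"GRE write failed"*)   echo gre-failed ;;
        *"remote IP address"*)                      echo established ;;
        *"Modem hangup"*|*"Connection terminated"*) echo pppd-failed ;;
        *)                                          echo unknown ;;
    esac
}

# missing_ppp_modules: read `lsmod` output on stdin and print which of
# ppp_generic ppp_async ppp_mppe slhc are not loaded. ppp_mppe matters
# beyond "does it connect": without it pppd cannot negotiate MPPE, so a
# tunnel that does come up carries its traffic in clear.
missing_ppp_modules() {
    loaded=$(awk 'NR > 1 { printf " %s ", $1 }')
    missing=""
    for m in ppp_generic ppp_async ppp_mppe slhc; do
        case $loaded in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample input (timestamps, PIDs and sizes are made up)
SAMPLE_LOG='Feb  5 14:26:00 gateway pptpd[32058]: CTRL: Starting call (launching pppd, opening GRE)
Feb  5 14:26:00 gateway pppd[32059]: pppd 2.4.1 started by root, uid 0
Feb  5 14:26:01 gateway pptpd[32058]: GRE: read error: Protocol not available
Feb  5 14:26:01 gateway pppd[32059]: Modem hangup'

SAMPLE_LSMOD='Module                  Size  Used by
ppp_async               7200   0  (autoclean)
ppp_generic            20032   0  (autoclean) [ppp_async]
slhc                    5824   0  (autoclean) [ppp_generic]
ip_gre                  7680   0  (unused)'

printf '%s\n' "$SAMPLE_LOG"   | pptp_session_status   # gre-failed
printf '%s\n' "$SAMPLE_LSMOD" | missing_ppp_modules   # ppp_mppe
```

On a real box, feed it `grep -E 'pptpd|pppd' /var/log/messages | pptp_session_status` and `lsmod | missing_ppp_modules`. Note that the sample lsmod shows exactly the state Tom warns about: ip_gre is loaded (irrelevant to PPTP) while ppp_mppe is absent. PPTP's MPPE/MS-CHAPv2 protection has since been shown to be breakable, so this is a diagnostic for the setup under discussion, not a recommendation of the protocol.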
Yogesh Sharma
2002-Feb-08 00:42 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Hi Tom,

Sorry for the delay in reply.

Instead of compiling from source, I downloaded rpms and it worked. Actually the client computer was also behind the firewall, that's why the problem was coming. Can a masqueraded computer connect to a VPN server?

But still I am not able to ping other computers in the network, any clue? Route looks ok (not confident). Default gateway is the remote ip assigned by poptop.

Yogesh

On Tue, 2002-02-05 at 16:38, Tom Eastep wrote:
> Yogesh,
>
> The ip_gre module implements GRE tunnels and has nothing to do with PPTP.
>
> The error message is misleading and doesn't necessarily mean that you are
> missing GRE support -- When you have a connection problem with ppp on linux,
> it's a good idea to specify the debug option for pppd and to modify your
> /etc/syslog.conf file to log DAEMON.DEBUG messages to a separate log file).
> You get a lot more information about what is going on (be sure to restart
> syslogd after you change /etc/syslog.conf).
>
> Looks ok. Hopefully you are loading the ppp_async, ppp_generic, ppp_mppe and
> slhc modules.
>
> No -- you need to add entries in:
>
> /etc/shorewall/zones (unless you want to make remote clients part of the
> local zone).
> /etc/shorewall/interfaces (add ppp interface and associate it with a zone)
> /etc/shorewall/hosts (if you also run a pptp client on your firewall).
> /etc/shorewall/policy (either loc->loc or <client zone>->loc)
> /etc/shorewall/rules (add protocol 47 and TCP port 1723 in net->fw -- you
> might also want protocol 47 open from fw->net; my instructions don't include
> that advice but I have that open for other reasons and it may play a role
> here).
>
> -Tom
> --
> Tom Eastep \ A Firewall for Linux 2.4.*
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Feb-08 00:53 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Yogesh,

On Thursday 07 February 2002 04:42 pm, Yogesh Sharma wrote:
> Hi TOm,
>
> Sorry for delay in reply.
>
> Instead of compiling from source, I downloaded rpms and it worked.
> Actually client computer was also behind the firewall thats why problem
> was coming. Can masquereded computer connect to vpn server ?

What kind of firewall?

> But still I am not able to ping other computers in network any clue ?
> Route looks ok (not confident).

What do the routes look like on the client? Are you seeing any Shorewall messages being logged on the VPN server?

> Default gateway is the remote ip assigned by poptop.

So the client is set up to use the default gateway on the server?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
dgilleece@optimumnetworks.com
2002-Feb-08 08:58 UTC
[Shorewall-users] Sanity Check on VPN With No NAT
Hi All,

Sorry this is long, but I don't know how to explain this briefly...

I have a SuSE 7.3 box running shorewall, and it acts as a basic packet filter, using proxy-arp. Works great. The problem is IPSec won't connect to a known working LRP/Eigerstein VPN gateway. Tcpdump shows ISAKMP requests going in both directions via a linux box between the gateways, acting as a router. Shorewall status doesn't show any packets being denied, but I have a (naive?) feeling it is something with my rules or other Shorewall configuration.

I'm stumped, and I'm sure it's something obvious. Can someone clue me? :) I have copious debug info and barfs I will spare you from, but if the info below is not complete, I'll gladly provide more. I've spent so much time picking thru logs, my eyes are crossed :P

Any help appreciated,
Dan

============================================================

Logs on Shorewall box show a repeating pattern of:

Feb 6 01:46:55 netgate Pluto[12732]: | event after this is EVENT_RETRANSMIT in 0 seconds
Feb 6 01:46:55 netgate Pluto[12732]: | handling event EVENT_RETRANSMIT for 209.98.58.244 "right-left" #5
Feb 6 01:46:55 netgate Pluto[12732]: | sending:
Feb 6 01:46:55 netgate Pluto[12732]: | 60 1f a5 d1 1e 80 82 fe bf f5 00 21 be f1 55 9d

Logs on the Eiger box show:

Feb 7 12:50:28 vpngate Pluto[4783]#164: starting keying attempt 165 of an unlimited number
Feb 7 12:50:28 vpngate Pluto[4783]: "right-left" #165: initiating Main Mode
Feb 7 13:03:38 vpngate Pluto[4783]: "right-left" #165: max number of retransmissions (20) reached STATE_MAIN_I1.

I put the following configs in place, based on instructions kindly provided from Tom, as follows:

Interfaces:
net   eth0     detect   norfc1918
loc   eth1     detect   routestopped
loc   ipsec+   -        multi

Zones:
net   Net     Internet
loc   Local   Local networks

Configured tunnels per instructions on website:
# TYPE   ZONE   GATEWAY         GATEWAY ZONE
ipsec    net    209.98.58.244

FWIW, I modified the init and start files to work with SuSE thus:
init:  ipsec setup stop
start: ipsec setup start

Rules:
ACCEPT   $FW   net   udp    ntp
#
# Allow pings to and from firewall
ACCEPT   $FW   net   icmp   echo-request
ACCEPT   net   $FW   icmp   echo-request
ACCEPT   loc   $FW   icmp   echo-request
#
# Accept helpful services on firewall
ACCEPT   $FW   net   tcp    domain,ssh,whois,www
ACCEPT   $FW   net   udp    domain
#
# Allow SSH from the local network
#
ACCEPT   loc   $FW   tcp    ssh
#
# Internet to Firewall -- to allow IPSec inbound
ACCEPT   net   $FW   tcp    ssh
ACCEPT   net   $FW   50
ACCEPT   net   $FW   51
ACCEPT   net   $FW   udp    500
#
# Firewall to Internet -- to allow IPSec outbound
ACCEPT   $FW   net   udp    500
ACCEPT   $FW   net   udp    domain
ACCEPT   $FW   net   50
ACCEPT   net   $FW   51
#
# Reject inbound auth and www, with no comment
DROP     net   $FW   tcp    auth,www

Policy:
loc   loc   ACCEPT
loc   net   ACCEPT
net   all   DROP     info
all   all   REJECT   info
Dan,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> dgilleece@optimumnetworks.com
> Sent: Friday, February 08, 2002 12:58 AM
> To: shorewall-users
> Subject: [Shorewall-users] Sanity Check on VPN With No NAT
>
> #
> # Internet to Firewall -- to allow IPSec inbound
> ACCEPT net $FW 50
> ACCEPT net $FW 51
> ACCEPT net $FW udp 500
> #
> # Firewall to Internet -- to allow IPSec outbound
> ACCEPT $FW net udp 500
> ACCEPT $FW net 50
> ACCEPT net $FW 51

All of the above rules are superfluous and duplicate rules already established by Shorewall as a result of your entry in the tunnels file.

> #
> # Reject inbound auth and www, with no comment
> DROP net $FW tcp auth,www

Silently dropping auth can lead to connection problems with some mail and ftp servers.

With the noted exceptions, your Shorewall setup looks fine -- have you used tcpdump to see if the ISAKMP packets are being exchanged?

-Tom
Yogesh Sharma
2002-Feb-08 20:01 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Tom,

This is the problem. The internal LAN is 192.2.3.0/24, the IPs assigned by poptop to clients are 192.2.3.201 to 250, and the local IP for poptop is 192.2.3.251.

How and where should I add the ARP entry?

-Yogesh

On Fri, 2002-02-08 at 11:50, Tom Eastep wrote:
> I take it that 192.2.3.201 isn't the internal IP address of your PopTop
> system -- when assigning a local-ip for PopTop, you MUST use the ip
> address of your internal LAN interface or you MUST manually add an ARP
> entry for the address you use on the local interface.
>
> -Tom
Cowles, Steve
2002-Feb-08 22:45 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
> -----Original Message-----
> From: Yogesh Sharma [mailto:ysharma@mtsiinc.com]
> Sent: Friday, February 08, 2002 2:02 PM
> To: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] off the list topic (POPTOP pptp server)
>
> Tom,
>
> This is the problem. Internal Lan is 192.2.3.0/24 and IP assigned by
> poptop to client is 192.2.3.201 to 250 and Local IP for poptop is
> 192.2.3.251.
>
> How and where should I add ARP entry ?

Based on the above information, all you should have to do is add the "proxyarp" statement to your /etc/ppp/options file. Then when PoPToP/pppd establishes the tunnel, it should be able to determine what interface will answer arp requests on behalf of the pptp client. Hence the term proxy arp.

Check your logfiles after establishing your tunnel. You should see a line similar to the following shortly after the local/remote ip assignments.

Jan 08 17:45:03 voyager pppd[14500]: found interface eth0 for proxy arp

Steve Cowles
Tom Eastep
2002-Feb-08 22:49 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Yogesh has an odd setup where he has the same subnet defined for both interfaces on his firewall (he inherited it, he didn't invent it). The ARP table entry is being added on the wrong interface since pppd adds it on the first interface that it finds that matches the remote client's address. He's currently in the process of "turning his firewall around" :-)

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> Cowles, Steve
> Sent: Friday, February 08, 2002 2:46 PM
> To: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] off the list topic (POPTOP pptp server)
>
> > -----Original Message-----
> > From: Yogesh Sharma [mailto:ysharma@mtsiinc.com]
> > Sent: Friday, February 08, 2002 2:02 PM
> > To: shorewall-users@shorewall.net
> > Subject: RE: [Shorewall-users] off the list topic (POPTOP pptp server)
> >
> > Tom,
> >
> > This is the problem. Internal Lan is 192.2.3.0/24 and IP assigned by
> > poptop to client is 192.2.3.201 to 250 and Local IP for poptop is
> > 192.2.3.251.
> >
> > How and where should I add ARP entry ?
>
> Based on the above information, all you should have to do is add the
> "proxyarp" statement to your /etc/ppp/options file. Then when PoPToP/pppd
> establishes the tunnel, it should be able to determine what interface will
> answer arp requests on behalf of the pptp client. Hence the term proxy arp.
>
> Check your logfiles after establishing your tunnel. You should see a line
> similar to the following shortly after the local/remote ip assignments.
>
> Jan 08 17:45:03 voyager pppd[14500]: found interface eth0 for proxy arp
>
> Steve Cowles
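Tom's diagnosis has two testable parts: the two firewall interfaces share a subnet, and pppd's "found interface X for proxy arp" line names an interface other than the LAN one. The script below is an added example for this archive, not code from the list, pppd or Shorewall. The function names are mine; the addresses and the pppd log line are constructed (Yogesh's LAN is 192.2.3.0/24 with the poptop local address 192.2.3.251; the external address on the same /24 and the interface names eth0/eth1 are assumptions for the demo). The syslog format follows the line Steve Cowles quoted.

```shell
#!/bin/sh
# Added example; not from the list archive, pppd or Shorewall. Detect the
# two conditions behind the proxy-ARP failure Tom describes. Addresses and
# the pppd log line used for the demo are constructed.

# ip4_to_int A.B.C.D -> the address as an integer, for mask arithmetic
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap IP1 MASK1 IP2 MASK2 -> exit 0 if the two networks overlap.
# CIDR blocks are either nested or disjoint, so it is enough to test whether
# either network's base address falls inside the other.
subnets_overlap() {
    m1=$(ip4_to_int "$2"); m2=$(ip4_to_int "$4")
    n1=$(( $(ip4_to_int "$1") & m1 ))
    n2=$(( $(ip4_to_int "$3") & m2 ))
    [ $(( n1 & m2 )) -eq "$n2" ] || [ $(( n2 & m1 )) -eq "$n1" ]
}

# proxyarp_interface: read pppd syslog lines on stdin and print the interface
# named in its "found interface X for proxy arp" message (empty if absent).
proxyarp_interface() {
    sed -n 's/.*found interface \([^ ]*\) for proxy arp.*/\1/p' | head -n 1
}

# check_proxyarp LAN_IF: verdict on where pppd put the proxy ARP entry.
#   ok                 entry is on the LAN interface; LAN hosts can reach the client
#   wrong-interface:X  pppd matched another interface first (Yogesh's case)
#   no-proxyarp        pppd never added one (proxyarp option missing?)
check_proxyarp() {
    got=$(proxyarp_interface)
    if [ -z "$got" ]; then
        echo no-proxyarp
    elif [ "$got" = "$1" ]; then
        echo ok
    else
        echo "wrong-interface:$got"
    fi
}

# Constructed demo: LAN address on eth1, an external address on the same
# /24 on eth0 (assumed), and a pppd line showing the entry went to eth0.
if subnets_overlap 192.2.3.251 255.255.255.0 192.2.3.10 255.255.255.0; then
    echo "eth0 and eth1 overlap: pppd may add the proxy ARP entry on either"
fi
echo 'Feb  8 14:01:02 gateway pppd[2201]: found interface eth0 for proxy arp' \
    | check_proxyarp eth1       # wrong-interface:eth0
```

The first check is the one to run before touching pppd: if the interfaces overlap, no amount of pppd configuration makes the choice deterministic, which is why Tom's fix was to renumber the external side. Once the subnets are distinct, pppd's proxyarp option normally picks the right interface; if it still does not, the manual entry Tom mentions is `ip neigh add proxy 192.2.3.201 dev eth1` (one per client address, on the LAN interface).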
Yogesh Sharma
2002-Feb-08 23:55 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
On Fri, 2002-02-08 at 14:40, Tom Eastep wrote:
> You can try it -- I suppose that the DSL router also assigns a subnet
> mask of 255.255.255.0?
>

True. But I can try changing it.
dgilleece@optimumnetworks.com
2002-Feb-09 11:03 UTC
[Shorewall-users] Sanity Check on VPN With No NAT
Argh... It all boiled down to ONE silly setting, as I suspected. The LRP box is configured by default for rp_filter=1 as an anti-spoof measure. In the LRP docs I used, the only mention of rp_filter cautioned against disabling it, stated it created "no problems," and left it at that. Add to that the fact that two LRP VPN boxes (running NAT) interoperate perfectly with rp_filter=1, no problem. That's why I declared my LRP box a "known good" config. I am assuming that the difference has something to do with the routing requirements of the proxyarp/legal address setup --- it pukes on the route filtering.

Also, for the archives: Configuring SuSE 7.3 with Shorewall and proxy arp requires these two config changes:

/etc/shorewall/init
ipsec setup stop

/etc/shorewall/start
ipsec setup start

... to keep the tunnels from getting mis-configured. The suggested commands given in the Shorewall docs don't work for SuSE.

Thanks again for all the help --- knowing my base Shorewall config was sound saved me a ton of second-guessing.

Regards,
Dan

Quoting Tom Eastep <teastep@shorewall.net>:
> Dan,
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> > dgilleece@optimumnetworks.com
> > Sent: Friday, February 08, 2002 12:58 AM
> > To: shorewall-users
> > Subject: [Shorewall-users] Sanity Check on VPN With No NAT
> > #
> > # Internet to Firewall -- to allow IPSec inbound
> > ACCEPT net $FW 50
> > ACCEPT net $FW 51
> > ACCEPT net $FW udp 500
> > #
> > # Firewall to Internet -- to allow IPSec outbound
> > ACCEPT $FW net udp 500
> > ACCEPT $FW net 50
> > ACCEPT net $FW 51
>
> All of the above rules are superfluous and duplicate rules already
> established by Shorewall as a result of your entry in the tunnels
> file.
>
> > #
> > # Reject inbound auth and www, with no comment
> > DROP net $FW tcp auth,www
>
> Silently dropping auth can lead to connection problems with some mail
> and ftp servers.
>
> With the noted exceptions, your Shorewall setup looks fine -- have you
> used tcpdump to see if the ISAKMP packets are being exchanged?
>
> -Tom
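Dan's root cause, strict reverse-path filtering, is a per-interface sysctl, and the first thing to find out on a gateway that drops traffic silently is which interfaces have it on. The script below is an added example for this archive, not code from the LRP, FreeS/WAN or Shorewall projects. The function names are mine, and the functions take the sysctl directory as an argument so the same code runs against a constructed copy of the /proc/sys/net/ipv4/conf tree (built by make_fake_conf, with interface names and values assumed for a gateway like Dan's) as well as the real one.

```shell
#!/bin/sh
# Added example; not from the list archive or the LRP/Shorewall docs.
# Audit rp_filter per interface under a sysctl tree. The directory is a
# parameter so a constructed tree can stand in for /proc/sys/net/ipv4/conf.

# rp_filter_table DIR: print "iface value" for every interface under DIR
rp_filter_table() {
    dir=$1
    for d in "$dir"/*/; do
        d=${d%/}
        if [ -r "$d/rp_filter" ]; then
            printf '%s %s\n' "${d##*/}" "$(cat "$d/rp_filter")"
        fi
    done
}

# strict_rp_filter_ifaces DIR: space-separated list of real interfaces whose
# rp_filter is 1 (strict). "all" and "default" are policy knobs, not
# interfaces, so they are left out and reported by rp_filter_all instead.
strict_rp_filter_ifaces() {
    rp_filter_table "$1" \
        | awk '$2 == 1 && $1 != "all" && $1 != "default" { printf "%s%s", sep, $1; sep = " " }'
}

# rp_filter_all DIR: the value of the "all" knob, or "-" when absent
rp_filter_all() {
    if [ -r "$1/all/rp_filter" ]; then cat "$1/all/rp_filter"; else echo -; fi
}

# make_fake_conf DIR: constructed copy of the sysctl tree for a gateway
# like Dan's (assumed names/values): strict on eth0, off on eth1 and ipsec0.
make_fake_conf() {
    for i in all default eth0 eth1 ipsec0; do mkdir -p "$1/$i"; done
    echo 1 > "$1/all/rp_filter"
    echo 1 > "$1/default/rp_filter"
    echo 1 > "$1/eth0/rp_filter"
    echo 0 > "$1/eth1/rp_filter"
    echo 0 > "$1/ipsec0/rp_filter"
}

# Demo against the constructed tree; pass /proc/sys/net/ipv4/conf for real.
tmp=$(mktemp -d)
make_fake_conf "$tmp"
echo "strict rp_filter on: $(strict_rp_filter_ifaces "$tmp")"   # eth0
echo "all knob:            $(rp_filter_all "$tmp")"             # 1
rm -rf "$tmp"
```

Two caveats before acting on the output. How the "all" knob combines with the per-interface value has changed across kernel versions (a logical AND on 2.4-era kernels, the maximum of the two on recent ones), so look at both rather than assuming one overrides the other. And rp_filter=1 is a genuine anti-spoofing control: on a gateway whose return route for a source address legitimately goes out a different interface (the proxy-ARP/legal-address layout Dan describes), the fix is to relax it only on the interface that needs it, and on kernels that support it to prefer the loose mode (value 2) over switching it off entirely.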
Yogesh Sharma
2002-Feb-09 19:44 UTC
[Shorewall-users] off the list topic (POPTOP pptp server)
Tom,

Finally, after changing the external interface IP address, it worked. Now the internal and external networks are on two different subnets.

Thanks Tom for your time and expert advice.

Yogesh
Yogesh Sharma wrote:
> Tom,
>
> Finally after changing external interface ip address, it worked. Now internal
> and external networks are on two different subnets.
>
> Thanks Tom for your time and expert advice.

Soon you're going to have to start charging for it! ;-)

Paul
http://paulgear.webhop.net