What would be the "least hassle" way of enabling a Win XP client to establish some kind of VPN to my system? I would want to allow the person connecting from a "roadwarrior setup" to be able to map a Windows drive to a fileserver that is behind a shorewall box (running on Debian 3.0). I am not sure what parts of PPTP setup and such I should be looking at to make this happen?
On Sun, 30 Jun 2002, j2 wrote:

> What would be the "least hassle" way of enabling a Win XP client to
> establish some kind of VPN to my system? I would want to allow the person
> connecting from a "roadwarrior setup" to be able to map a Windows drive to a
> fileserver that is behind a shorewall box (running on Debian 3.0). I am not
> sure what parts of PPTP setup and such I should be looking at to make this
> happen?

If the fileserver that is "behind a shorewall box" runs a version of Windows that has a PPTP server (e.g., Windows NT or Windows 2k) then configure that PPTP server then see:

http://www.shorewall.net/PPTP.htm#ServerBehind

Otherwise, look at

http://www.shorewall.net/PPTP.htm#ServerFW

The latter describes what I do to provide that sort of Roadwarrior support since my Windows boxes run XP Pro which doesn't include a PPTP server.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> If the fileserver that is "behind a shorewall box" runs a version of
> Windows that has a PPTP server (e.g., Windows NT or Windows 2k) then
> configure that PPTP server then see:

Uhm, Linux box running Samba actually, does that change anything?

> The latter describes what I do to provide that sort of Roadwarrior
> support since my Windows boxes run XP Pro which doesn't include a PPTP
> server.

I'm still a bit confused. So I should run the PPTP server on my firewall for simplicity?
On Sun, 30 Jun 2002, j2 wrote:

> Uhm, Linux box running Samba actually, does that change anything?

Yes -- it means that building and configuring the PPTP server is a pain in the ass regardless of whether you run it on the file server or on your firewall.

> > The latter describes what I do to provide that sort of Roadwarrior
> > support since my Windows boxes run XP Pro which doesn't include a PPTP
> > server.
>
> I'm still a bit confused. So I should run the PPTP server on my firewall for
> simplicity?

That's my choice.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> If the fileserver that is "behind a shorewall box" runs a version of
> Windows that has a PPTP server (e.g., Windows NT or Windows 2k) then
> configure that PPTP server then see:

And to add. Client will (first of all) be coming in from the "net" zone (the XP box is on ADSL).
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "j2" <spamfilter2@mupp.net>
Cc: <shorewall-users@shorewall.net>
Sent: Sunday, June 30, 2002 1:58 AM
Subject: Re: [Shorewall-users] [Off topic] PPTP suggestions.

> On Sun, 30 Jun 2002, j2 wrote:
>
> > Uhm, Linux box running Samba actually, does that change anything?
>
> Yes -- it means that building and configuring the PPTP server is a pain in
> the ass regardless of whether you run it on the file server or on your
> firewall.

Follow. Is there a simpler way to do this if all you want is file mapping over WAN?

> That's my choice.

Follow. Thanks.
On Sun, 30 Jun 2002, j2 wrote:

> Follow. Is there a simpler way to do this if all you want is file mapping
> over WAN?

If there was a simpler approach, I would have taken it...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> If there was a simpler approach, I would have taken it...

Copy that. Thanks for your input.
Does anyone know if the pptpd package in Debian 3.0 is "all that is needed" to get XP clients (coming in from the net zone) to be able to connect to a pptpd running on a "shorewall box"? As in: would I still have to patch stuff? The info says it is compatible with MS? It does just state dialup via ppp tho.. Input anyone?

cookiemonster:/# apt-cache show pptpd
Package: pptpd
Priority: optional
Section: net
Installed-Size: 164
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Architecture: i386
Version: 1.1.2-1.2
Depends: libc6 (>= 2.2.4-4), libwrap0, ppp, netbase, debconf, perl-base
Filename: pool/main/p/pptpd/pptpd_1.1.2-1.2_i386.deb
Size: 54750
MD5sum: 9126ad009354ea429a9c0fd8ca72c8a1
Description: PoPToP Point to Point Tunneling Server
 This implements a Virtual Private Networking Server (VPN) that is compatible
 with Microsoft VPN clients. It allows windows users to connect to an
 internal firewalled network using their dialup.
Last time that I checked most PPTP clients required encryption of some form - indeed you probably want that. That does require a kernel patch [as far as I know]. It requires that the server have a kernel patch, and a patched version of ppp.

js

j2 wrote:

>Does anyone know if the pptpd package in Debian 3.0 is "all that is needed"
>to get XP clients (coming in from the net zone) to be able to connect to a
>pptpd running on a "shorewall box"? As in: would I still have to patch
>stuff? The info says it is compatible with MS? It does just state dialup via
>ppp tho.. Input anyone?
>
>cookiemonster:/# apt-cache show pptpd
>Package: pptpd
>Priority: optional
>Section: net
>Installed-Size: 164
>Maintainer: Rene Mayrhofer <rmayr@debian.org>
>Architecture: i386
>Version: 1.1.2-1.2
>Depends: libc6 (>= 2.2.4-4), libwrap0, ppp, netbase, debconf, perl-base
>Filename: pool/main/p/pptpd/pptpd_1.1.2-1.2_i386.deb
>Size: 54750
>MD5sum: 9126ad009354ea429a9c0fd8ca72c8a1
>Description: PoPToP Point to Point Tunneling Server
> This implements a Virtual Private Networking Server (VPN) that is compatible
> with Microsoft VPN clients. It allows windows users to connect to an
> internal firewalled network using their dialup.
>
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@shorewall.net
>http://www.shorewall.net/mailman/listinfo/shorewall-users
You don't have to use encryption, but it's not a bad idea.

Make sure you have a rule like this:

    ACCEPT net $FW 47
    ACCEPT net $FW tcp 1723

I think that's right. The first one is to allow protocol 47 ... GRE tunnel IIRC (probably wrong .. Been a while) and the second one, tcp port 1723 is for making the actual connection. The GRE protocol is basically how the data is encapsulated.

I run PoPToP (pptpd) (http://www.poptop.org) on a Mandrake 8.2 system. The only problem I have with XP clients is after disconnect, they have to reboot to connect again. Meanwhile, 9x/ME clients can disconnect and reconnect all day long without rebooting. It could be something with the XP configuration, I haven't really looked into it yet.

Also, if you're not using encryption, make sure you turn on the "require encryption" on your XP clients. I believe you have to go into the "advanced" settings in the security tab for the connection and turn encryption off or make it optional.

Hope this helps.

Charlie

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of j2
Sent: Sunday, June 30, 2002 1:27 PM
Cc: shorewall-users@shorewall.net
Subject: [Shorewall-users] Debian pptpd

Does anyone know if the pptpd package in Debian 3.0 is "all that is needed" to get XP clients (coming in from the net zone) to be able to connect to a pptpd running on a "shorewall box"? As in: would I still have to patch stuff? The info says it is compatible with MS? It does just state dialup via ppp tho.. Input anyone?
cookiemonster:/# apt-cache show pptpd
Package: pptpd
Priority: optional
Section: net
Installed-Size: 164
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Architecture: i386
Version: 1.1.2-1.2
Depends: libc6 (>= 2.2.4-4), libwrap0, ppp, netbase, debconf, perl-base
Filename: pool/main/p/pptpd/pptpd_1.1.2-1.2_i386.deb
Size: 54750
MD5sum: 9126ad009354ea429a9c0fd8ca72c8a1
Description: PoPToP Point to Point Tunneling Server
 This implements a Virtual Private Networking Server (VPN) that is compatible
 with Microsoft VPN clients. It allows windows users to connect to an
 internal firewalled network using their dialup.
tom has good info at: http://www.shorewall.net/PPTP.htm

i am running poptop on a suse 7.3 (you must patch ppp and the kernel to get it to work with encryption)

no troubles with xp, 2000 and nt4.0 clients.

are you running a personal firewall on your xp system?

my options file:

    ipparam PoPToP
    lock
    mtu 1490
    mru 1490
    ms-dns 192.168.1.1
    ms-dns 192.168.1.2
    ms-wins 192.168.1.1
    ms-wins 192.168.1.2
    multilink
    proxyarp
    auth
    #+chap
    #+chapms
    +chapms-v2
    ipcp-accept-local
    ipcp-accept-remote
    lcp-echo-failure 30
    lcp-echo-interval 5
    deflate 0
    mppe-128
    mppe-stateless
    require-mppe
    require-mppe-stateless

let me know if you need my perfect working shorewall files.

best regards
Wolfgang

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Charles J. Boening
Sent: Monday, 01 July 2002 16:02
To: 'j2'
Cc: shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Debian pptpd

You don't have to use encryption, but it's not a bad idea.

Make sure you have a rule like this:

    ACCEPT net $FW 47
    ACCEPT net $FW tcp 1723

I think that's right. The first one is to allow protocol 47 ... GRE tunnel IIRC (probably wrong .. Been a while) and the second one, tcp port 1723 is for making the actual connection. The GRE protocol is basically how the data is encapsulated.

I run PoPToP (pptpd) (http://www.poptop.org) on a Mandrake 8.2 system. The only problem I have with XP clients is after disconnect, they have to reboot to connect again. Meanwhile, 9x/ME clients can disconnect and reconnect all day long without rebooting. It could be something with the XP configuration, I haven't really looked into it yet.

Also, if you're not using encryption, make sure you turn on the "require encryption" on your XP clients. I believe you have to go into the "advanced" settings in the security tab for the connection and turn encryption off or make it optional.

Hope this helps.

Charlie
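
Added example, not part of the original thread or of any poster's configuration: a small check that reads a pppd options file for a PoPToP server and reports whether authentication and MPPE encryption are actually required, which is the point the replies above disagree on. It assumes the option names used in the options file posted above (MPPE-patched pppd); the function names and finding texts are this example's own.

```python
# Added example: audit a PoPToP pppd options file for the auth/encryption
# settings discussed in this thread. Option names are those in the options
# file posted above (assumption: MPPE-patched pppd with the same keywords).

REQUIRED = {
    "auth": "peer authentication is not required",
    "+chapms-v2": "MS-CHAPv2 is not required",
    "require-mppe": "MPPE is not required, so a tunnel can come up unencrypted",
    "mppe-128": "128-bit MPPE is not enabled",
}
# Keywords from the posted file that select a method other than MS-CHAPv2.
OTHER_AUTH = {"+chap", "+chapms"}


def active_options(text):
    """Return every word that is not commented out ('#' runs to end of line)."""
    words = set()
    for line in text.splitlines():
        words.update(line.split("#", 1)[0].split())
    return words


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = active_options(text)
    findings = [f"missing '{k}': {why}"
                for k, why in REQUIRED.items() if k not in opts]
    findings += [f"'{k}' is active: a method other than MS-CHAPv2 is configured"
                 for k in sorted(OTHER_AUTH & opts)]
    return findings


# Constructed sample: the auth/MPPE lines of the posted file, one per line.
POSTED = """\
auth
#+chap
#+chapms
+chapms-v2
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
"""
# Constructed weak variant: CHAP uncommented, MPPE no longer required.
WEAK = POSTED.replace("#+chap\n", "+chap\n").replace("require-mppe\n", "")

if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("weak", WEAK)):
        print(name, audit(sample) or "nothing flagged")
```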