Hi all,

I have a VPN server behind the firewall and for now I want to just forward the VPN traffic to that server. I have set up the belt-and-suspenders approach firewall following the instructions on http://www.skippy.net/linux/firewall/

The VPN server is a Windows NT server with PPTP installed. Now it works fine if I have the VPN server in the DMZ and allow VPN traffic (TCP 1723 and protocol 47) through firewall1 to that machine (with proxy ARP). The VPN server's external NIC is in the DMZ and its internal NIC is in local (which I don't want to do). What I want to achieve is to have the machine in the local network and forward (DNAT) the PPTP traffic to the local IP. I have followed the instructions in the "PPTP Server running behind your Firewall" section on http://www.shorewall.net/PPTP.htm but I can't seem to get the connection established. On the client it says no answer from server. I don't get anything in the shorewall log either. I am not sure whether I need to do anything on my second firewall for DNATing VPN traffic? DNAT on port www, ftp and smtp is working fine.

Plus, does anyone have docs on setting up a Linux VPN server behind the firewall? I want to eventually use a Linux machine instead of NT. But first I want to get this working. Please do let me know if I am missing something here.

Thanks for your help in advance. My shorewall version is 1.3.3 on Redhat 7.3.

A. Karim.
> Hi all,
> I have a VPN server behind the firewall and for now I want to just forward the vpn traffic to that server.
>
> I have set up the belt-and-suspenders approach firewall following the instructions on (http://www.skippy.net/linux/firewall/)
>
> The VPN server is a windows NT server with PPTP installed. Now it works fine if I have the VPN server in DMZ and allow VPN traffic 1723 and protocol 47 through firewall1 to that machine (with proxyARP). The VPN servers external NIC is in DMZ and Internal Nic is in local

Can you see any packets from your vpn-client at your shorewall-box? Run tcpdump.
Is routing ok?
Do you use rfc1918 ip-range in your local net / dmz?

***
I would never run a vpn with a win-pptp server, because it has two security leaks:
If you let your clients authenticate with pap, the username and password is not encrypted. The traffic is encrypted.
If you let your clients authenticate with chap, the username and password is encrypted. The traffic is not.
Don't waste your time with the m$-configuration. Try ipsec with linux instead: Look at www.freeswan.org Documentation & http://jixen.tripod.com, & very good win32-client http://vpn.ebootis.de
***

jn
Abdul Karim wrote:
> The VPN server is a windows NT server with PPTP installed. Now it works fine
> if I have the VPN server in DMZ and allow VPN traffic 1723 and protocol 47
> through firewall1 to that machine (with proxyARP). The VPN servers external
> NIC is in DMZ and Internal Nic is in local (which I don't want to do). What
> I want to achieve is to have the machine in local network and forward (DNAT)
> the traffic of PPTP to the local ip. I have followed the instructions
> "PPTP Server running behind your Firewall" section on
> http://www.shorewall.net/PPTP.htm but I can't seem to get the connection
> established. On the client it says no answer from server. I don't get
> anything on the shorewall log either. I am not sure whether I need to do
> anything on my second firewall for DNATing VPN traffic? DNAT on port www,
> ftp and smtp is working fine.

The outer firewall needs to pass PPTP traffic just as it is when you have the PPTP server in the DMZ except that it needs to allow that traffic to be passed to the IP of the inner firewall. The inner firewall is the one that needs to be configured for DNAT. PPTP clients will then connect using the external IP address of the inner firewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Abdul Karim wrote:
> Hi Tom,
> I believe I am already doing this. I am allowing VPN traffic through outer
> firewall to the external IP of the inner firewall, and in inner firewall I
> am DNATing vpn traffic to the local machine. I do not get any logs relating
> to any reject or drop or anything else relating to the VPN traffic on that
> external IP I am using to connect. Hence I am assuming the firewall is
> allowing the traffic through, but not sure if DNATing VPN traffic requires
> something different than normal DNATing?

It requires the DNAT rules shown at http://www.shorewall.net/PPTP.htm#ServerBehind - no more and no less. And you can always use the "shorewall show nat" command to see if the TCP 1723 and the GRE packets are reaching the inner firewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi Tom,

I believe I am already doing this. I am allowing VPN traffic through the outer firewall to the external IP of the inner firewall, and in the inner firewall I am DNATing VPN traffic to the local machine. I do not get any logs relating to any reject or drop or anything else relating to the VPN traffic on that external IP I am using to connect. Hence I am assuming the firewall is allowing the traffic through, but not sure if DNATing VPN traffic requires something different than normal DNATing?

Thanks.
Karim.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 11, 2002 3:00 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> In my inner firewall I have the following.
> I know the 1723 and GRE traffic is reaching the inner firewall because when
> I take the two lines off below then I see reject errors being logged in the
> inner firewall but when I have the two lines below no errors are being shown.
>
> DNAT net loc:<server address> tcp 1723 - <external address>
> DNAT net loc:<server address> 47 - - <external address>
>
> And on the outer file I have
>
> ACCEPT net dmz:<external address> tcp 1723
> ACCEPT net dmz:<external address> 47 -
>
> External address is also in the proxyARP file on both firewalls.

It should be an address ON the inner firewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
In my inner firewall I have the following.

I know the 1723 and GRE traffic is reaching the inner firewall because when I take the two lines off below then I see reject errors being logged in the inner firewall, but when I have the two lines below no errors are being shown.

DNAT net loc:<server address> tcp 1723 - <external address>
DNAT net loc:<server address> 47 - - <external address>

And on the outer file I have

ACCEPT net dmz:<external address> tcp 1723
ACCEPT net dmz:<external address> 47 -

External address is also in the proxyARP file on both firewalls.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 11, 2002 3:22 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> Hi Tom, not sure what you mean. Ok, there's my setting for the vpn.
>
> Just making up the ip range. Assume 10.10.10.0/24 is my public IP range.

It looks like you've set it up correctly.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi Tom, not sure what you mean. Ok, there's my setting for the vpn.

Just making up the ip range. Assume 10.10.10.0/24 is my public IP range.

Firewall1 (outer firewall)
EXT address 10.10.10.1 (eth0)
Int. address 192.168.0.1 (eth1)

Firewall2 (inner firewall)
EXT address 10.10.10.2 (eth0)
INT ip. 192.168.2.1 (internal nic is masq.) (eth1)

proxyarp file on Firewall1
10.10.10.2 eth1 eth0 No

Rules file on firewall1
ACCEPT net dmz:10.10.10.2 tcp 1723
ACCEPT net dmz:10.10.10.2 47 -

Rules file on firewall2
DNAT net loc:192.168.2.196 tcp 1723
DNAT net loc:192.168.2.196 47 -

Also tried:
DNAT net loc:192.168.2.196 tcp 1723 - 10.10.10.2
DNAT net loc:192.168.2.196 47 - - 10.10.10.2

I am wondering if I need to do anything else on the firewall itself? Does DNAT work differently for VPN?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 11, 2002 3:36 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> If that's the case, any idea on why it's not DNATing VPN traffic?

You have given me absolutely no evidence to suggest that DNAT is the problem. I asked you to look at the output of "shorewall show nat" to see if the rules you have are matching the traffic but instead you tell me that if you remove rules you see reject messages. That's not really the same thing.

> I could DNAT any other traffic. Any thoughts?

No I don't -- tcpdump and ethereal are your friends -- use them!

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
If that's the case, any idea on why it's not DNATing VPN traffic? I could DNAT any other traffic. Any thoughts?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 11, 2002 5:33 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> If that's the case, any idea on why it's not DNATing VPN traffic? I could
> DNAT any other traffic. Any thoughts?

When you moved the VPN server into your inner network, did you change its default gateway appropriately?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi Tom,

The default gateway is the internal IP address of my inner firewall.

I am not suggesting there might be a DNAT problem, I am suspecting that I am doing something wrong, not sure what.

I suspect I might be setting the VPN server up wrong; I don't think I am totally sure if I set up the VPN server correctly when I moved it to the internal network. When the machine was not in the internal network, I had two network cards, one external and one internal, but what shall I change to if I move the machine to the internal LAN only? Right now I have both NICs having internal IPs with one having the default gateway (IP of the inner firewall). Is this correct? Has anyone set up a VPN server behind the firewall? If so I would appreciate it if you can send me the docs on setting up the VPN server behind the firewall. Any pointers will be greatly appreciated.

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 11, 2002 6:06 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> Hi Tom,
> The default gateway is the internal ip address of my inner firewall.
> I am not suggesting there might be a DNAT problem, I am suspecting that I am
> doing something wrong, not sure what.

I suspect it is the setup of your VPN server.

> I suspect I might be setting vpn server wrong, I don't think I am totally sure
> if I set-up the VPN server correctly when I moved it to the internal
> network. When the machine was not in the internal network, I had two network
> cards, one external and one internal, but what shall I change to if I move
> the machine to the internal LAN only? right now I have both nic's having
> internal ip with one having the default gateway (IP of the inner firewall).
> is this correct? Has anyone set-up a VPN server behind the firewall, if so I
> would appreciate it if you can send me the docs of setting up the VPN server
> behind the firewall? Any pointers will be greatly appreciated.

I would just have a single NIC in the VPN server myself. It should have an internal address and should use the internal IP of the inner firewall as its default gateway.

There are other people on the list who run DNATed VPN servers and hopefully one of them will respond.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep
> Sent: Monday, October 14, 2002 7:55 AM
> To: Abdul Karim
>
> Abdul Karim wrote:
> > Hi Tom,
> > The default gateway is the internal ip address of my inner firewall.
> > I am not suggesting there might be a DNAT problem, I am suspecting
> > that I am doing something wrong, not sure what.
>
> I suspect it is the setup of your VPN server.
>
> > I suspect I might be setting vpn server wrong, I don't
> > think I am totally sure if I set-up the VPN server correctly
> > when I moved it to the internal network. When the
> > machine was not in the internal network, I had two network
> > cards, one external and one internal, but what shall I
> > change to if I move the machine to the internal LAN only?
> > right now I have both nic's having internal ip with one
> > having the default gateway (IP of the inner firewall).
> > is this correct? Has anyone set-up a VPN server behind the
> > firewall, if so I would appreciate it if you can send me the
> > docs of setting up the VPN server behind the firewall? Any
> > pointers will be greatly appreciated.
>
> I would just have a single NIC in the VPN server myself. It
> should have an internal address and should use the internal
> IP of the inner firewall as its default gateway.
>
> There are other people on the list who run DNATed VPN servers and
> hopefully one of them will respond.

I run a masqueraded VPN server at this end. It has one NIC with its default gateway pointing to the shorewall based firewall's internal ip. I added the following shorewall rules:

# Forward PPTP port 1723 and protocol 47
DNAT net loc:192.168.9.2 tcp 1723
DNAT net loc:192.168.9.2 gre

The above works great for a single inbound VPN connection. Multiple simultaneous connections would require a kernel patch.

Also, is your outer firewall NAT'ing or is it simply routing/forwarding packets to your internal firewall? The reason I ask is maybe the GRE protocol cannot be double NAT'd. I don't really know, never tried. Hopefully you're forwarding packets (as is) from your outer firewall to your inner firewall, which would mean your inner firewall would have a public ip on its external (net) interface.

That's my 2 cents

Steve Cowles
Thanks Tom, I will wait to see if anyone else responds.

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, October 14, 2002 1:55 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> Thanks Tom, I will wait to see if anyone else responds.

One thing you might do is:

a) Try to connect to the VPN server.
b) Look at the output of "shorewall show connections"

You should see both a TCP 1723 connection and a GRE connection (protocol 47). If you only see the TCP 1723 then look at the state of the two sides of the connection. If you see SYN_SENT then you have a routing problem WRT the VPN server.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
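Tom's checklist above, turned into a small triage script. This is an added example, not code from the thread or from Shorewall: it parses the ip_conntrack-style lines that "shorewall show connections" prints and reports which of the failure modes discussed in the thread applies (nothing on TCP 1723, the DNAT rule not matching, SYN_SENT with no reply from the server, or no GRE entry). The conntrack lines are constructed sample input; 192.168.2.196 is the server address from Karim's setup and 203.0.113.5 a made-up client.

```python
"""Triage a PPTP server DNAT'd behind a Shorewall box from the conntrack
table that "shorewall show connections" prints (/proc/net/ip_conntrack on a
2.4 kernel).  Added example; sample lines below are constructed."""
import re

PPTP_PORT = 1723
GRE_PROTO = 47

# Constructed: control channel DNAT'd to the server (reply tuple
# src=192.168.2.196) but never answered, so conntrack shows
# SYN_SENT / [UNREPLIED] -- the symptom reported in the thread.
SAMPLE_STUCK = """\
tcp      6 117 SYN_SENT src=203.0.113.5 dst=10.10.10.2 sport=1040 dport=1723 [UNREPLIED] src=192.168.2.196 dst=203.0.113.5 sport=1723 dport=1040 use=1
"""

# Constructed: a healthy session.  TCP 1723 is ESTABLISHED and a GRE
# (protocol 47) entry exists; without the PPTP conntrack patch GRE is
# listed as "unknown 47" rather than "gre".
SAMPLE_GOOD = """\
tcp      6 431995 ESTABLISHED src=203.0.113.5 dst=10.10.10.2 sport=1040 dport=1723 src=192.168.2.196 dst=203.0.113.5 sport=1723 dport=1040 [ASSURED] use=1
unknown  47 599 src=203.0.113.5 dst=10.10.10.2 src=192.168.2.196 dst=203.0.113.5 use=1
"""

# Constructed: no DNAT rule matched, so the reply tuple still carries the
# firewall's own external address instead of the VPN server.
SAMPLE_NO_DNAT = """\
tcp      6 117 SYN_SENT src=203.0.113.5 dst=10.10.10.2 sport=1040 dport=1723 [UNREPLIED] src=10.10.10.2 dst=203.0.113.5 sport=1723 dport=1040 use=1
"""

_TUPLE = re.compile(r"src=(\S+) dst=(\S+)")


def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts with protocol number, TCP state,
    original destination port and the original/reply (src, dst) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        tuples = _TUPLE.findall(line)  # [(src, dst) original, (src, dst) reply]
        if len(tuples) < 2:
            continue
        dport = re.search(r"dport=(\d+)", line)
        entries.append({
            "proto": int(fields[1]),
            "state": fields[3] if fields[0] == "tcp" else None,
            "dport": int(dport.group(1)) if dport else None,
            "orig": tuples[0],
            "reply": tuples[1],
            "unreplied": "[UNREPLIED]" in line,
        })
    return entries


def diagnose_pptp(conntrack_text, server_ip):
    """Return one verdict for a PPTP server DNAT'd to server_ip:
    'ok', 'no-control-channel', 'not-dnated', 'routing' or 'no-gre'."""
    entries = parse_conntrack(conntrack_text)
    control = [e for e in entries if e["proto"] == 6 and e["dport"] == PPTP_PORT]
    if not control:
        # Nothing on TCP 1723 reached this box: look at the outer firewall.
        return "no-control-channel"
    ctl = control[0]
    if ctl["reply"][0] != server_ip:
        # The reply tuple should carry the DNAT target; the rule did not match.
        return "not-dnated"
    if ctl["unreplied"] or ctl["state"] == "SYN_SENT":
        # SYN was forwarded but no SYN/ACK came back: the server cannot route
        # to the client (wrong default gateway), exactly Tom's SYN_SENT case.
        return "routing"
    if not any(e["proto"] == GRE_PROTO for e in entries):
        # Control channel up but no tunnel traffic: GRE is not getting through.
        return "no-gre"
    return "ok"


if __name__ == "__main__":
    for name, sample in (("stuck", SAMPLE_STUCK), ("good", SAMPLE_GOOD),
                         ("no_dnat", SAMPLE_NO_DNAT)):
        print(name, "->", diagnose_pptp(sample, "192.168.2.196"))
```

On a live box the same function can be fed the contents of /proc/net/ip_conntrack directly.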
Tom Eastep wrote:
> One thing you might do is:
>
> a) Try to connect to the VPN server.
> b) Look at the output of "shorewall show connections"
>
> You should see both a TCP 1723 connection and a GRE connection (protocol
> 47). If you only see the TCP 1723 then look at the state of the two
> sides of the connection. If you see SYN_SENT then you have a routing
> problem WRT the VPN server.

And you are testing from a client host that is outside the inner firewall, right?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Yes, I am trying to connect to the VPN server from outside my network using dial-up. I can connect to the VPN server from the internal network; then I am using a dial-up connection to go outside and connect to the external IP (which is being used for DNAT). I will try what you suggested.

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, October 14, 2002 4:49 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Steve Cowles wrote:
> > There are other people on the list who run DNATed VPN servers and
> > hopefully one of them will respond.
>
> I run a masqueraded VPN server at this end. It has one NIC with its default
> gateway pointing to the shorewall based firewalls internal ip. I added the
> following shorewall rules:
>
> # Forward PPTP port 1723 and protocol 47
> DNAT net loc:192.168.9.2 tcp 1723
> DNAT net loc:192.168.9.2 gre
>
> The above works great for a single inbound VPN connection. Multiple
> simultaneous connections would require a kernel patch.

I've got the same setup--internal masqueraded VPN server--and the same rules, and I can verify that it works for _multiple_ inbound connections (we've got three active connections right now). I believe that it's multiple _outbound_ connections to the _same_ external server that require a patch (according to <http://shorewall.net/PPTP.htm>), but I haven't tried it.

> Also, is your outer firewall NAT'ing or is it simply routing/forwarding
> packets to your internal firewall? The reason I ask is maybe the GRE
> protocol cannot be double NAT'd. I don't really know, never tried. Hopefully
> you're forwarding packets (as is) from your outer firewall to your inner
> firewall. Which would mean your inner firewall would have a public ip on its
> external (net) interface.

I run PPTP VPN through two NAT-ing firewalls (home Win2K -> home Shorewall -> work Shorewall -> work VPN server), and it works fine--no worries.

I agree with Tom on this one--the firewall rules he recommended work fine for me, so it's probably a VPN server configuration issue. There's not a whole lot to configure on Microsoft's RAS server, so I'd look at the TCP/IP configuration first. Can you see the outside network from the VPN server (i.e. ping/web browse from it)?

- Bradey
Hi Tom,

Yes, "shorewall show connections" only shows the 1723 traffic with SYN_SENT, no GRE. Any ideas how I resolve this? I can ping from the inner firewall to the VPN server and vice versa. Do I need to add any other static route?

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, October 14, 2002 4:42 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work
Abdul Karim wrote:
> Hi Tom,
> Yes "shorewall show connections" only shows the 1723 traffic with SYN_SENT,
> no GRE. Any ideas how I resolve this? I can ping from the inner firewall to
> the VPN server and vice versa. Do I need to add any other static route?

Can you ping to www.shorewall.net from the VPN server?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Bradey Honsinger wrote:
> Steve Cowles wrote:
>
>>> There are other people on the list who run DNATed VPN servers and
>>> hopefully one of them will respond.
>>
>> I run a masqueraded VPN server at this end. It has one NIC with its default
>> gateway pointing to the shorewall based firewalls internal ip. I added the
>> following shorewall rules:
>>
>> # Forward PPTP port 1723 and protocol 47
>> DNAT net loc:192.168.9.2 tcp 1723
>> DNAT net loc:192.168.9.2 gre
>>
>> The above works great for a single inbound VPN connection. Multiple
>> simultaneous connections would require a kernel patch.
>
> I've got the same setup--internal masqueraded VPN server--and the
> same rules, and I can verify that it works for _multiple_ inbound
> connections (we've got three active connections right now).
> I believe that it's multiple _outbound_ connections to the _same_
> external server that require a patch (according to
> <http://shorewall.net/PPTP.htm>), but I haven't tried it.

The restriction is that you can't have two connections from the same IP address without the kernel patch. Note that PoPToP doesn't support two connections from the same IP even then but the MS RAS server does.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:
> The restriction is that you can't have two connections from
> the same IP address without the kernel patch. Note that
> PoPToP doesn't support two connections from the same IP even
> then but the MS RAS server does.

FWIW: if you're using an MS based PPTP server... consider checking out the following security advisory:

http://online.securityfocus.com/archive/1/293146/2002-09-24/2002-09-30/0

Based on other threads I have followed, PoPToP does not seem vulnerable to this exploit.

Steve Cowles
It's working now, thanks for your help Tom. I did have a routing problem. When I had two NICs, I had added a key in the registry called DontAddDefaultGateway, which is why I wasn't able to route into the VPN server from outside, but only from inside. I was a bit confused on how the VPN server worked behind the firewall, but it's much clearer to me now.

Thanks for your help.

Karim

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, October 14, 2002 7:06 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] VPN PPTP DNAT does not work