Hi.

I am running a Red Hat 9.0 box with kernel 2.4.20-18.x and I have been able to set up a VPN server on the firewall to allow our road warriors access to our LAN from the outside. Using Shorewall 1.4.5 (soon to be upgraded to Shorewall 1.4.6). Now when our internal LAN users connect to an external VPN server, only one connection is possible. Thanks to the FAQ at Shorewall.net for providing the info. Now I have been trying to compile a stock Red Hat kernel 2.4.20-19.6 with the ip_conntrack_pptp patch using patch-o-matic from netfilter. The patches seem to apply fine. In addition to this patch, I wanted to apply the openssl mppe patch. This is where I am not sure if the Red Hat kernel sources are already patched for this. I read on the VPN masquerading page that kernels 2.4 should have this. Has anyone tried to do the above with Shorewall and has it worked? If it has worked, can this person point me on how to get this going?

Specifically, I would need the versions of the OpenSSL-MPPE patch that they used and the ip_conntrack_pptp.patch they used. As I have only the Red Hat kernel, I am specifically looking for success with this distribution.

Sincerely,

A Shorewall fan (user since version 1.3)

Bharath
Hi! I'm trying this configuration, but with kernel 2.4.20-18.7 and iptables 1.2.5 with the latest patch-o-matic, and it works fine; but with kernel 2.4.20-19.7 Shorewall rejects the GRE protocol. I use RH 7.3.
On Fri, 2003-07-25 at 09:50, Bharath S. Narayan wrote:
> Hi.
>
> I am running a Red Hat 9.0 box with kernel 2.4.20-18.x and I have been able to set up a VPN server on the firewall to allow our road warriors access to our LAN from the outside. Using Shorewall 1.4.5 (soon to be upgraded to Shorewall 1.4.6). Now when our internal LAN users connect to an external VPN server, only one connection is possible. Thanks to the FAQ at Shorewall.net for providing the info. Now I have been trying to compile a stock Red Hat kernel 2.4.20-19.6 with the ip_conntrack_pptp patch using patch-o-matic from netfilter. The patches seem to apply fine. In addition to this patch, I wanted to apply the openssl mppe patch. This is where I am not sure if the Red Hat kernel sources are already patched for this. I read on the VPN masquerading page that kernels 2.4 should have this. Has anyone tried to do the above with Shorewall and has it worked? If it has worked, can this person point me on how to get this going?

I would use the kernelmod package available at http://pptpclient.sourceforge.net. The PPTP connection tracking is NOT in the standard RedHat kernels.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom,

Thanks for the pointer. Hmm, interesting. I had used it for my laptop but never thought that I could use it for the server. I always thought the kernel needs to be patched for MPPE. OK, this answers the first part of not applying the MPPE patch. What about the ip_conntrack_pptp?

"The PPTP connection tracking is NOT in the standard RedHat kernels."

Meaning that I have to apply the patch from netfilter using patch-o-matic?

Thx

Bharath
On Fri, 2003-07-25 at 16:02, Bharath S. Narayan wrote:
> Tom,
> Thanks for the pointer. Hmm, interesting. I had used it for my laptop but never thought that I could use it for the server. I always thought the kernel needs to be patched for MPPE. OK, this answers the first part of not applying the MPPE patch. What about the ip_conntrack_pptp?
> "The PPTP connection tracking is NOT in the standard RedHat kernels."
> Meaning that I have to apply the patch from netfilter using patch-o-matic?

That's correct.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-07-25 at 16:08, Bharath S. Narayan wrote:
> Sorry to bug you. Since you seem to have done it before, I take it I get the kernel source, apply the kernelmod for mppe and then run patch-o-matic?
> Just making sure I don't run into a SNAFU again. I have only tried to compile 5 times thus far and failing each time.

As I said in an earlier post, I've not been able to build a kernel with patch-o-matic pptp support that ran more than 5 minutes without freezing. And I've never tried to apply both kernelmod and patch-o-matic.

Sorry,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 25 Jul 2003, Tom Eastep wrote:
> On Fri, 2003-07-25 at 16:08, Bharath S. Narayan wrote:
> > Sorry to bug you. Since you seem to have done it before, I take it I get the kernel source, apply the kernelmod for mppe and then run patch-o-matic?
> > Just making sure I don't run into a SNAFU again. I have only tried to compile 5 times thus far and failing each time.
>
> As I said in an earlier post, I've not been able to build a kernel with patch-o-matic pptp support that ran more than 5 minutes without freezing. And I've never tried to apply both kernelmod and patch-o-matic.

In theory, you should be able to apply the changes in either order.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi,

As of last week, I've seen in the openvpn mailing list, it seems openvpn is also ported to windows now.. (still in early beta but that's not bad is it .. :) )

http://openvpn.sourceforge.net

and shorewall, a winning combination here ;)

Greetings,
Kristof.