Hello fellow Shorewall users,

I hope you can answer this question. I got a really strange VPN problem and I hope you can help me with this one. I'm running Shorewall 1.3.14 on an upgraded RedHat 7.0 installation with kernel 2.4.19 and iptables v1.2.7a.

I've configured Shorewall to forward all incoming VPN connections to our Windows 2000 server using the document PPTP and especially the information in "PPTP Server Running Behind your Firewall" with a single external IP-address.

These are the rules I've configured in /etc/shorewall/rules:

DNAT net loc:10.10.10.5 tcp 1723
DNAT net loc:10.10.10.5 47 -

This works when only 1 client connects using VPN (Win9x, Win2k and Win XP) but when the 2nd client connects, the login screen, which checks the username and/or password, "hangs" on the client and gives a timeout error that the server didn't respond.

First I thought it was a small configuration error but I've reproduced this problem on a newly configured RH8.0 system with the same Shorewall version. Logging in using VPN directly (from the internal network) works, so it's definitely not a client or Remote Access configuration error (at least that is what I think).

I've looked into my messages log (and with dmesg) but I can't find any drops whatsoever. I reckon that the login procedure hangs because the frames are transmitted to the first connection. I can't even find a message in the event viewer and/or Remote Access logs on the Windows 2000 server (with maximum logging enabled).
To give more information about my system setup, I've enclosed the following:

-- ip addr show --
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:b8:5c:53 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:64:ac:e6 brd ff:ff:ff:ff:ff:ff
    inet 212.142.7.44/25 brd 212.142.7.127 scope global eth1
4: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

-- ip route show --
212.142.7.0/25 dev eth1 proto kernel scope link src 212.142.7.44
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.1
127.0.0.0/8 dev lo scope link
default via 212.142.7.1 dev eth1

Is this behavior known? And does somebody have a solution for this problem? Any help is appreciated!

Yours sincerely,

Niels Wagenaar
The Netherlands
On Fri, 2003-08-15 at 13:40, Niels Wagenaar wrote:
> Hello fellow Shorewall users,
>
> I hope you can answer this question. I got a really strange VPN problem and
> I hope you can help me with this one. I'm running Shorewall 1.3.14 on an
> upgraded RedHat 7.0 installation with kernel 2.4.19 and iptables v1.2.7a.
>
> I've configured Shorewall to forward all incoming VPN connections to our
> Windows 2000 server using the document PPTP and especially the information
> in "PPTP Server Running Behind your Firewall" with a single external
> IP-address.
>
> These are the rules I've configured in /etc/shorewall/rules:
>
> DNAT net loc:10.10.10.5 tcp 1723
> DNAT net loc:10.10.10.5 47 -
>
> This works when only 1 client connects using VPN (Win9x, Win2k and Win XP)
> but when the 2nd client connects the login screen, which checks the username
> and/or password, on the client "hangs" and gives a timeout error that the
> server didn't respond.

Are the clients you are trying to connect from all behind the same MASQ/NAT gateway?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Niels Wagenaar" <niels@nwagenaar.demon.nl>
Sent: Friday, August 15, 2003 11:02 PM
Subject: Re: [Shorewall-users] VPN problem (Shorewall 1.3)

> -- SNIP --
>
> For this to work, you need the PPTP connection-tracking/NAT patches. If
> the remote end is also a linux-2.4 gateway, it will also need those
> patches. The patches are available via Patch-O-Matic from the Netfilter
> site.
>
> WARNING: I've personally had poor experience with the patches but I just
> tried a couple of the CVS snapshots so they may have had other problems.
>

Are these patches in the extra or in the base switch with Patch-O-Matic? And which patch is the one I need exactly?

Will a kernel upgrade to kernel 2.4.21 fix it? Or am I *really* bound to the Patch-O-Matic? Your warning gives me the creeps :)

> -Tom

Regards,

Niels Wagenaar
The Netherlands
On Fri, 15 Aug 2003, Niels Wagenaar wrote:

> > WARNING: I've personally had poor experience with the patches but I just
> > tried a couple of the CVS snapshots so they may have had other problems.
>
> Are these patches in the extra or in the base switch with Patch-O-Matic?
> And which patch is the one I need exactly?
>

Niels, I don't know the answers to your questions without digging through Patch-O-matic myself. Seems like since you need the patches, it is you who should do that.

> Will a kernel upgrade to kernel 2.4.21 fix it? Or am I *really* bound to
> the Patch-O-Matic? Your warning gives me the creeps :)
>

The patches are not included in 2.4.21.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
I use these patches and I got no problem with them. It was hard to install them (yep, it was my fault it was hard) but when they were installed there was no more problem.

/Rickard

Niels Wagenaar wrote:
>----- Original Message -----
>From: "Tom Eastep" <teastep@shorewall.net>
>To: "Niels Wagenaar" <niels@nwagenaar.demon.nl>
>Sent: Friday, August 15, 2003 11:02 PM
>Subject: Re: [Shorewall-users] VPN problem (Shorewall 1.3)
>
>>-- SNIP --
>>
>>For this to work, you need the PPTP connection-tracking/NAT patches. If
>>the remote end is also a linux-2.4 gateway, it will also need those
>>patches. The patches are available via Patch-O-Matic from the Netfilter
>>site.
>>
>>WARNING: I've personally had poor experience with the patches but I just
>>tried a couple of the CVS snapshots so they may have had other problems.
>>
>
>Are these patches in the extra or in the base switch with Patch-O-Matic?
>And which patch is the one I need exactly?
>
>Will a kernel upgrade to kernel 2.4.21 fix it? Or am I *really* bound to
>the Patch-O-Matic? Your warning gives me the creeps :)
>
>>-Tom
>
>Regards,
>
>Niels Wagenaar
>The Netherlands
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Niels Wagenaar" <niels@nwagenaar.demon.nl>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Saturday, August 16, 2003 2:41 AM
Subject: Re: [Shorewall-users] VPN problem (Shorewall 1.3)

> -- SNIP! --
>
> Niels, I don't know the answers to your questions without digging through
> Patch-O-matic myself. Seems like since you need the patches, it is you who
> should do that.
>

It was rather easy; it didn't work on a clean kernel 2.4.19 but it worked without problems on 2.4.20. I first installed the pending and then the pptp-conntrack patch. It was rather easy.

Still, after applying the patch (I compiled the patch(es) as modules) I found out that if I use the modules, no user can log in using VPN. Without the modules one user can log in through VPN but the 2nd person can't. I'm going to try the CVS checkout I did 5 minutes back, maybe this will work correctly.

BTW, for the order: I'm trying to connect multiple VPN connections from the Internet to a VPN server *behind* the firewall. Connections are made using the DNAT rules I posted earlier. Maybe I saw it incorrectly, but isn't the patch meant for connecting multiple VPN clients from within the network to VPN servers on the internet using the firewall?

> -Tom

Regards,

Niels Wagenaar
The Netherlands
sdlemu wrote:
> Maybe I saw it incorrectly, but isn't the patch meant for connecting
> multiple VPN clients from within the network to VPN servers on the
> internet using the Firewall?

That's my understanding of the PPTP conntrack patch.

Steve Cowles
----- Original Message -----
From: "Cowles, Steve" <steve@stevecowles.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Saturday, August 16, 2003 2:48 PM
Subject: RE: [Shorewall-users] VPN problem (Shorewall 1.3)

> sdlemu wrote:
> > Maybe I saw it incorrectly, but isn't the patch meant for connecting
> > multiple VPN clients from within the network to VPN servers on the
> > internet using the Firewall?
>
> That's my understanding of the PPTP conntrack patch.
>

This is then not what I needed. I want to connect multiple VPN clients from the Internet to my VPN server that's *behind* the firewall. Is there a patch or a workaround for this?

BTW, I upgraded to kernel 2.4.20, iptables 1.2.8 and Shorewall 1.4.6b.

> Steve Cowles

Niels Wagenaar
The Netherlands
Hello,

> This is then not what I needed. I want to connect multiple VPN clients
> from the Internet to my VPN server that's *behind* the firewall.

Tom said:

>> For this to work, you need the PPTP connection-tracking/NAT patches. If
>> the remote end is ALSO a linux-2.4 gateway, it will also need those
>> patches. The patches are available via Patch-O-Matic from the Netfilter
>> site.

What I think matters here is that you are in fact trying to channel multiple vpn/pptp connections through a linux/unix/variant kernel via natting, whether this is Static NAT or DNAT. Whether the connections are initiated from behind the firewall or from the internet through the firewall to the vpn/pptp server, you will still need this patch from what I understand, unless you have public IPs assigned to the vpn/pptp server and no NAT involved. I think that when NAT gets involved is where this breaks, so to say, only allowing one connection. If I'm wrong please let me know. I'm going to be setting up the same type of scenario in a month or so.

Thanks,
JBanks
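As an added illustration of the point Tom and JBanks make in this thread (it is not code from the thread, from Shorewall or from the netfilter patches), the following Python script parses constructed enhanced-GRE headers of the kind PPTP uses for its data channel (RFC 2637) and shows why tracking IP protocol 47 by addresses alone collapses two calls that share a source address, while keying on the PPTP Call ID, as the conntrack helper does, keeps them apart. The client address 198.51.100.7 is a constructed placeholder standing for two clients behind one NAT gateway; 212.142.7.44 is the firewall's external address from the thread.

```python
import struct
from collections import namedtuple

# Enhanced GRE header used for PPTP data (RFC 2637). First 16 bits are
# C R K S s Recur(3) A Flags(4) Ver(3); Ver must be 1 and K (key) must be set.
GRE_K, GRE_S, GRE_A, GRE_VER1 = 0x2000, 0x1000, 0x0080, 0x0001
GRE_PROTO_PPP = 0x880B  # the GRE payload is PPP

PptpGre = namedtuple("PptpGre", "src dst payload_len call_id seq ack")

def build_pptp_gre(call_id, seq, payload=b""):
    """Construct a PPTP data packet header (sample input, not a capture)."""
    flags = GRE_K | GRE_S | GRE_VER1
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

def parse_pptp_gre(src, dst, data):
    """Parse the enhanced-GRE header of an IP protocol-47 packet."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VER1 or not flags & GRE_K:
        raise ValueError("not an enhanced-GRE/PPTP packet")
    off, seq, ack = 8, None, None
    if flags & GRE_S:  # S bit: sequence number follows the key
        (seq,) = struct.unpack("!I", data[off:off + 4]); off += 4
    if flags & GRE_A:  # A bit: acknowledgment number follows
        (ack,) = struct.unpack("!I", data[off:off + 4]); off += 4
    return PptpGre(src, dst, payload_len, call_id, seq, ack)

def generic_tuple(pkt):
    """Key a helper-less tracker has for protocol 47: addresses only, no ports."""
    return (pkt.src, pkt.dst, 47)

def pptp_tuple(pkt):
    """Key the PPTP conntrack helper uses: addresses plus the per-call Call ID."""
    return (pkt.src, pkt.dst, 47, pkt.call_id)

def count_flows(packets, keyfn):
    """How many distinct connections a tracker keyed by keyfn would see."""
    return len({keyfn(p) for p in packets})

# Constructed sample: two VPN clients behind one NAT gateway (198.51.100.7 is a
# placeholder) each open a call to the firewall's external address 212.142.7.44.
SAMPLE = [
    parse_pptp_gre("198.51.100.7", "212.142.7.44", build_pptp_gre(0x1A01, 1, b"\xff\x03")),
    parse_pptp_gre("198.51.100.7", "212.142.7.44", build_pptp_gre(0x1A02, 1, b"\xff\x03")),
]
```

count_flows(SAMPLE, generic_tuple) returns 1 (both calls look like one GRE flow, so the second client's frames are handed to the first connection's mapping), while count_flows(SAMPLE, pptp_tuple) returns 2.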