Hi all,

I'm running a server that frequently needs to open a PPTP session with a remote server outside my company. This server is running behind a Shorewall firewall, and I can't find information on the Shorewall web page because there is no information at the link http://www.shorewall.net/PPTP.htm#ClientsBehind

Nowadays I can connect this server with the remote one, but the session is closed after 1 minute.

In /etc/shorewall/rules I have:

    # Ecinsa remote connection (IPSEC)
    ACCEPT  loc:$IP_SERVER   net              udp  1723
    ACCEPT  loc:$IP_SERVER   net              tcp  1723
    ACCEPT  net              loc:$IP_GALILEO  udp  1723
    ACCEPT  net              loc:$IP_GALILEO  tcp  1723

And IP_SERVER is defined in /etc/shorewall/params.

As I've said, it just connects for 1 minute, more or less ...

I would be very grateful to anyone who could help me.
Thanks very much for your attention.

Miguel Velasco

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hi Miguel,

PPTP needs the GRE (47) protocol NATed. I had this problem with a PPTP server behind the firewall, but I'm not sure if this fits a client behind the firewall.

Try this:

rules:
    DNAT  wan  lan:$client:1723  tcp  1723
    DNAT  wan  lan:$client       47

masq:
    $EXTIF  $client

This line MUST be before any other masq rules.

Hope this helps!

Alex

On Fri, 05 Sep 2008 13:57:45 +0200, "Miguel A. Velasco" <miguel.suscripcion@gmail.com> wrote:
> Hi all,
>
> I'm running a server that frequently needs to open a PPTP session with a remote server outside my company. This server is running behind a Shorewall firewall, and I can't find information on the Shorewall web page because there is no information at the link http://www.shorewall.net/PPTP.htm#ClientsBehind
>
> Nowadays I can connect this server with the remote one, but the session is closed after 1 minute.
>
> In /etc/shorewall/rules I have:
>
>     # Ecinsa remote connection (IPSEC)
>     ACCEPT  loc:$IP_SERVER   net              udp  1723
>     ACCEPT  loc:$IP_SERVER   net              tcp  1723
>     ACCEPT  net              loc:$IP_GALILEO  udp  1723
>     ACCEPT  net              loc:$IP_GALILEO  tcp  1723
>
> And IP_SERVER is defined in /etc/shorewall/params.
>
> As I've said, it just connects for 1 minute, more or less ...
>
> I would be very grateful to anyone who could help me.
> Thanks very much for your attention.
>
> Miguel Velasco

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Miguel A. Velasco wrote:
> Hi all,
>
> I'm running a server that frequently needs to open a PPTP session with a remote server outside my company. This server is running behind a Shorewall firewall, and I can't find information on the Shorewall web page because there is no information at the link http://www.shorewall.net/PPTP.htm#ClientsBehind

http://www.shorewall.net/VPN.htm

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
alex@stintzing.net wrote:
> Hi Miguel,
>
> PPTP needs the GRE (47) protocol NATed. I had this problem with a PPTP server behind the firewall, but I'm not sure if this fits a client behind the firewall.
>
> Try this:
>
> rules:
>     DNAT  wan  lan:$client:1723  tcp  1723
>     DNAT  wan  lan:$client       47

I advise against the first rule -- the second one should cure the one-minute timeout problem.

> masq:
>     $EXTIF  $client

That is probably unnecessary -- without masquerading, the connection couldn't be made in the first place.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi all,

Thanks very much for your help, but it is still not working properly. I can establish the connection from my client to the remote PPTP server, but it just works for 25 seconds .... not much more.

I don't quite understand what I should do with protocol 47. What is its function in PPTP?

I have tried a lot of configurations but nothing works. Now I have the following config in Shorewall:

/etc/shorewall/zones:
    ###############################################################################
    #ZONE   TYPE       OPTIONS    IN         OUT
    #                             OPTIONS    OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4
    # OpenVPN mobile users (roadWarriors) -----
    #road   ipv4
    vpn     ipv4

/etc/shorewall/interfaces:
    ###############################################################################
    #ZONE   INTERFACE  BROADCAST  OPTIONS
    loc     eth0       detect     dhcp
    net     eth1       detect     tcpflags,blacklist,routefilter,nosmurfs,logmartians
    # OpenVPN Configuration -----
    vpn     tun0

/etc/shorewall/masq:
    #INTERFACE  SOURCE  ADDRESS  PROTO  PORT(S)  IPSEC  MARK
    eth1        eth0

/etc/shorewall/tunnels: (I have OpenVPN working on my firewall)
    #TYPE               ZONE  GATEWAY    GATEWAY
    #                                    ZONE
    openvpnserver:1194  net   0.0.0.0/0

/etc/shorewall/rules:
    ........................
    #
    ACCEPT  loc:$IP_GALILEO  $FW              tcp  1723
    ACCEPT  $FW              loc:$IP_GALILEO  tcp  1723
    ACCEPT  loc:$IP_GALILEO  net              tcp  1723
    ACCEPT  net              loc:$IP_GALILEO  tcp  1723
    ACCEPT  loc              net              47
    ACCEPT  net              loc              47
    ACCEPT  $FW              loc              47
    ACCEPT  loc              $FW              47
    ACCEPT  $FW              net              47
    ACCEPT  net              $FW              47
    #
    .......................
    DNAT    net              loc:$IP_GALILEO  tcp  1723
    DNAT    net              loc:$IP_GALILEO  47
    .......................

Where $IP_GALILEO is defined in /etc/shorewall/params with the IP of the PPTP client in my LAN.

I would be very grateful to anyone able to help me.

Best regards,

Miguel Velasco

Tom Eastep wrote:
> alex@stintzing.net wrote:
>> Hi Miguel,
>>
>> PPTP needs the GRE (47) protocol NATed. I had this problem with a PPTP server behind the firewall, but I'm not sure if this fits a client behind the firewall.
>>
>> Try this:
>>
>> rules:
>>     DNAT  wan  lan:$client:1723  tcp  1723
>>     DNAT  wan  lan:$client       47
>
> I advise against the first rule -- the second one should cure the one-minute timeout problem.
>
>> masq:
>>     $EXTIF  $client
>
> That is probably unnecessary -- without masquerading, the connection couldn't be made in the first place.
>
> -Tom
Miguel A. Velasco wrote:
> Hi all,
>
> Thanks very much for your help, but it is still not working properly. I can establish the connection from my client to the remote PPTP server, but it just works for 25 seconds .... not much more.
>
> I don't quite understand what I should do with protocol 47. What is its function in PPTP?
>
> I have tried a lot of configurations but nothing works. Now I have the following config in Shorewall:

Please read http://www.shorewall.net/support.htm#Guidelines. We really don't want to see your configuration files but would rather you follow the instructions in the guidelines.

Thanks,
-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net