vpn-forwaring
Good day.
Which modules should I insmod in order to make VPN forwarding work on a firewall from a local host (an M$ machine) to an outer host (the VPN server)?

I have rules in iptables like this:

-A FORWARD -p tcp -s 192.168.0.0/24 --dport 1723 -d VPN_SERVER_IP -j ACCEPT

Now I need to load something like

ip_nat_pptp
ip_conntrack_proto_gre
ip_conntrack_pptp

But I found neither of them in Debian 5 stable. So, what should I do for the forwarding?

Thank You for Your time.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4c9c90cc.c706df0a.2430.2deb@mx.google.com
vpn-forwaring
On 24/09/10 21:51, Sthu Deus wrote:
> Good day.
>
> Which modules should I insmod in order to make VPN forwarding work on
> a firewall from a local host (an M$ machine) to an outer host (the VPN
> server)?
>
> I have rules in iptables like this:
>
> -A FORWARD -p tcp -s 192.168.0.0/24 --dport 1723 -d VPN_SERVER_IP -j ACCEPT
>
> Now I need to load something like
>
> ip_nat_pptp
> ip_conntrack_proto_gre
> ip_conntrack_pptp
>
> But I found neither of them in Debian 5 stable. So, what should I do
> for the forwarding?
>
> Thank You for Your time.

Output from:-

uname -r

please

And, in advance - is the vpn server linux?

Cheers

Archive: http://lists.debian.org/4C9C9E45.7050001@gmail.com
vpn-forwaring
On 24/09/10 12:51, Sthu Deus wrote:
> Good day.
>
> Which modules should I insmod in order to make VPN forwarding work on
> a firewall from a local host (an M$ machine) to an outer host (the VPN
> server)?
>
> I have rules in iptables like this:
>
> -A FORWARD -p tcp -s 192.168.0.0/24 --dport 1723 -d VPN_SERVER_IP -j ACCEPT

You also need the same forwarding for the GRE tunnel (IP protocol 47) (the conntrack modules just record links between protocols, they don't add forwarding by themselves):

-A FORWARD -p 47 -s 192.168.0.0/24 -d VPN_SERVER_IP -j ACCEPT

> Now I need to load something like
>
> ip_nat_pptp
> ip_conntrack_proto_gre
> ip_conntrack_pptp
>
> But I found neither of them in Debian 5 stable. So, what should I do
> for the forwarding?

Good question. I suspect if you install iptables, Debian will add the common conntrack modules by itself, and some may now be built into the core netfilter code. I'm fairly sure I don't have any explicit configuration, but lsmod shows nf_conntrack and a number of other nf_ and iptables related modules installed. Add the GRE forwarding first, and see if that works.

Have you checked whether the VPN works without a firewall in between? The PPTP VPN has a large number of variables, and it is worth knowing for sure that the client and server talk together before you try debugging the firewall, especially if they are different operating systems. Conversely, if you have VPN troubles later, an iptables firewall with logging rules added in both directions is an excellent troubleshooting tool.

If you aren't familiar with the MS PPTP VPN, the first contact is made using TCP/1723, over which the GRE encryption negotiation occurs. The first data sent through the tunnel is the user authentication handshake, so if the user is seeing a claim that the VPN is connected but then there is a timeout after a failure to authenticate, this is a sign that TCP/1723 is OK, but GRE is not.

By the way, if you connect VPNs between different sites, watch the IP network address, which must be different for all client-server pairs. The 192.168.0., 192.168.1. and 192.168.16. networks are in very common use, and you might want to avoid them.

--
Joe

Archive: http://lists.debian.org/4C9D09AB.1010902@jretrading.com
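As an added example (not part of the thread, and not Joe's or the poster's own script), the rule set Joe describes, put into a small sh script together with the logging rules he recommends and a check over iptables LOG lines that recognises the "TCP/1723 is OK, but GRE is not" failure he describes. Assumptions: the LAN 192.168.0.0/24 from the question, a placeholder VPN server address 203.0.113.5 standing in for VPN_SERVER_IP, and the nf_conntrack_proto_gre / nf_conntrack_pptp module names that 2.6.2x kernels use in place of the ip_conntrack_* names from the question. The log lines fed to the check are constructed, not captured.

```shell
#!/bin/sh
# Added example: PPTP pass-through rules for an iptables firewall plus a
# diagnosis over the LOG lines those rules produce. Runs in dry-run mode
# (prints the commands) unless DRY_RUN=0; applying the rules needs root.
set -eu

LAN="${LAN:-192.168.0.0/24}"           # client network from the question
VPN_SERVER="${VPN_SERVER:-203.0.113.5}" # placeholder for VPN_SERVER_IP
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# nf_ names of the ip_conntrack_* helpers named in the question (assumed
# for a 2.6.26 kernel). They track the GRE call tied to a TCP/1723 session;
# they do not forward anything by themselves.
load_pptp_helpers() {
  for m in nf_conntrack nf_conntrack_proto_gre nf_conntrack_pptp; do
    run modprobe "$m"
  done
}

pptp_forward_rules() {
  # LOG rules go first so they see traffic before an ACCEPT swallows it;
  # one prefix per direction makes the log readable.
  run iptables -A FORWARD -s "$LAN" -d "$VPN_SERVER" -j LOG --log-prefix "PPTP-OUT: "
  run iptables -A FORWARD -s "$VPN_SERVER" -d "$LAN" -j LOG --log-prefix "PPTP-IN: "
  # Control channel: TCP/1723 from the LAN to the VPN server.
  run iptables -A FORWARD -p tcp -s "$LAN" -d "$VPN_SERVER" --dport 1723 -j ACCEPT
  # Data channel: GRE (IP protocol 47), needed in both directions.
  run iptables -A FORWARD -p 47 -s "$LAN" -d "$VPN_SERVER" -j ACCEPT
  run iptables -A FORWARD -p 47 -s "$VPN_SERVER" -d "$LAN" -j ACCEPT
  # Replies to the TCP/1723 session come back via connection tracking.
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Read kernel LOG lines on stdin and say which leg of PPTP is missing.
# iptables logs GRE as PROTO=47 (no name for it), TCP as PROTO=TCP.
pptp_diagnose() {
  awk '
    /PPTP-OUT/ && /PROTO=TCP/ && /DPT=1723/ { tcp_out++ }
    /PPTP-IN/  && /PROTO=TCP/ && /SPT=1723/ { tcp_in++ }
    /PPTP-OUT/ && /PROTO=47/                { gre_out++ }
    /PPTP-IN/  && /PROTO=47/                { gre_in++ }
    END {
      if (tcp_out && tcp_in && gre_out && gre_in)
        print "OK: TCP/1723 and GRE seen in both directions"
      else if (tcp_out && tcp_in && !gre_in)
        print "GRE-BLOCKED: TCP/1723 works but no GRE replies"
      else if (tcp_out && !tcp_in)
        print "TCP-1723-BLOCKED: no control-channel replies"
      else
        print "INCONCLUSIVE: no PPTP traffic logged"
    }'
}

# Constructed sample: the control channel completes, the client sends GRE,
# nothing comes back. This is the "connected, then authentication timeout"
# pattern from the thread.
SAMPLE_LOG='Sep 25 10:00:01 fw kernel: PPTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 PROTO=TCP SPT=1055 DPT=1723 SYN
Sep 25 10:00:01 fw kernel: PPTP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.10 PROTO=TCP SPT=1723 DPT=1055 ACK
Sep 25 10:00:02 fw kernel: PPTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 PROTO=47'

load_pptp_helpers
pptp_forward_rules
printf '%s\n' "$SAMPLE_LOG" | pptp_diagnose
```

Run it as root with DRY_RUN=0 to apply the rules, then feed `grep PPTP- /var/log/kern.log` to pptp_diagnose while the Windows client attempts a connection; a PPTP-OUT line with PROTO=47 and no matching PPTP-IN line is the GRE problem Joe describes, and the fix is on the path between the firewall and the server, not in the TCP rule.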
vpn-forwaring
Thank You for Your time and answer, Scott:
> Output from:-
> uname -r
> please

2.6.26-2-686

> And, in advance - is the vpn server linux?

At present I do not know, nor do I think the ISP would make it known... Though I will ask them for this or their requirements besides the sensitive data they have given us.

Archive: http://lists.debian.org/4ca0802f.c971df0a.1cf2.6884@mx.google.com
vpn-forwaring
Thank You for Your time and answer, Joe:
> You also need the same forwarding for the GRE tunnel (IP protocol 47)
> (the conntrack modules just record links between protocols, they
> don't add forwarding by themselves):
> -A FORWARD -p 47 -s 192.168.0.0/24 -d VPN_SERVER_IP -j ACCEPT

Ok, I have loaded the rule.

> Good question. I suspect if you install iptables, Debian will add the
> common conntrack modules by itself, and some may now be built into
> the core netfilter code. I'm fairly sure I don't have any explicit
> configuration, but lsmod shows nf_conntrack and a number of other nf_
> and iptables related modules installed. Add the GRE forwarding first,
> and see if that works.

This is what I have loaded currently (nf_*) with the rules I have finally (Yours and mine):

nf_nat
nf_conntrack_ipv4
nf_conntrack

As follows, there are no pptp- or gre-related modules.

> Have you checked whether the VPN works without a firewall in between?

Well. From a local host not yet. From the firewall - I did try with telnet to connect on the port - it does. Further - I do not know which commands to use for testing, though I do not think it is necessary; I guess the most important thing is to dump the connection between the server and client in order to see which additional ports may be necessary to forward.

I have written here with a hope that there is some successful experience with this MS invention (pptp) in linux. So I thought maybe You have the knowledge: which ports to forward, which modules available in Debian to load for the work. Still, if there is no such knowledge, any help will be appreciated.

Thanks again, Joe, for Your extended answer on my question and the MS VPN itself. I do appreciate it much.

> If you aren't familiar with the MS PPTP VPN, the first contact is
> made using TCP/1723, over which the GRE encryption negotiation
> occurs. The first data sent through the tunnel is the user
> authentication handshake, so if the user is seeing a claim that the
> VPN is connected but then there is a timeout after a failure to
> authenticate, this is a sign that TCP/1723 is OK, but GRE is not.

Do they have in M$ windows any logging - speaking about the standard VPN client - so that the fact of connection and then the authentication process can be seen? - So that a person who sits at such a machine can answer what they see there.

> By the way, if you connect VPNs between different sites, watch the IP
> network address, which must be different for all client-server pairs.
> The 192.168.0., 192.168.1. and 192.168.16. networks are in very
> common use, and you might want to avoid them.

Could You please explain this paragraph a bit more? - I did not understand which sites You mean and further - on pairs.

Archive: http://lists.debian.org/4ca0a79e.4411df0a.4c69.71b5@mx.google.com