
Re: vpn-forwaring



Thank You for Your time and answer, Joe:

> You also need the same forwarding for the GRE tunnel (IP protocol 47) 
> (the conntrack modules just record links between protocols, they
> don't add forwarding by themselves):
> -A FORWARD -p 47 -s 192.168.0.0/24 -d VPN_SERVER_IP -j ACCEPT

Ok, I have loaded the rule.

> Good question. I suspect if you install iptables, Debian will add the 
> common conntrack modules by itself, and some may now be built into
> the core netfilter code. I'm fairly sure I don't have any explicit 
> configuration, but lsmod shows nf_conntrack and a number of other nf_ 
> and iptables related modules installed. Add the GRE forwarding first, 
> and see if that works.

This is what I have loaded currently (nf_*) with the rules I finally have
(Yours and mine):

nf_nat
nf_conntrack_ipv4
nf_conntrack

As you can see, there are no pptp- or gre-related modules.

> Have you checked whether the VPN works without a firewall in between?

Well. From a local host, not yet. From the firewall I did try with
telnet to connect on the port, and it does connect. Further, I do not know
which commands to use for testing, though I do not think it is necessary; I
guess the most important thing is to dump the connection between the server
and client in order to see which additional ports may be necessary to
forward. I have written here with the hope that there is some successful
experience with this MS invention (pptp) in Linux. So I thought maybe You
have the knowledge: which ports to forward, which modules are available in
Debian to load for this work. Still, if there is no such knowledge, any
help will be appreciated.

Thanks again, Joe, for Your extended answer on my question and the MS
VPN itself. I do appreciate it much.

> If you aren't familiar with the MS PPTP VPN, the first contact is
> made using TCP/1723, over which the GRE encryption negotiation
> occurs. The first data sent through the tunnel is the user
> authentication handshake, so if the user is seeing a claim that the
> VPN is connected but then there is a timeout after a failure to
> authenticate, this is a sign that TCP/1723 is OK, but GRE is not.

Do they have any logging in M$ Windows, speaking about the standard VPN
client, so that the fact of connection and then the authentication
process can be seen? So that a person who sits at such a machine
can answer what they see there.

> By the way, if you connect VPNs between different sites, watch the IP 
> network address, which must be different for all client-server pairs. 
> The 192.168.0., 192.168.1. and 192.168.16. networks are in very
> common use, and you might want to avoid them.

Could You please explain this paragraph a bit more? I did not
understand which sites You mean and, further, what You mean by pairs.
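An added example, not part of either message in this thread: a complete rule set for passing PPTP through a Linux NAT firewall, covering the TCP/1723 control channel, the GRE (protocol 47) data channel and the conntrack helper modules the thread asks about. The LAN 192.168.0.0/24, VPN server 203.0.113.10 and WAN interface eth0 are placeholders; the rules are emitted as text so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder values: LAN 192.168.0.0/24,
# VPN server 203.0.113.10 (documentation address), WAN interface eth0.

# Emit the commands as text; review them, then pipe into "sh" as root.
pptp_forward_rules() {
    lan="$1"; vpn="$2"; wan_if="$3"
    cat <<EOF
# nf_conntrack_pptp tracks the TCP/1723 control channel and marks the GRE
# call it negotiates as RELATED; nf_nat_pptp rewrites GRE call IDs behind
# NAT. On older kernels GRE tracking lives in nf_conntrack_proto_gre.
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
# Since kernel 4.7 helpers are no longer attached automatically:
# bind the pptp helper to the control connection explicitly.
iptables -t raw -A PREROUTING -s $lan -d $vpn -p tcp --dport 1723 -j CT --helper pptp
# Control channel: TCP/1723 from the LAN to the VPN server.
iptables -A FORWARD -s $lan -d $vpn -p tcp --dport 1723 -j ACCEPT
# Data channel: GRE is IP protocol 47 and has no ports to match on.
iptables -A FORWARD -s $lan -d $vpn -p 47 -j ACCEPT
# Replies, plus the GRE flow the helper has linked to the control session.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Masquerade the LAN behind the firewall's WAN address.
iptables -t nat -A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
EOF
}

# List the netfilter modules relevant to PPTP that are currently loaded
# (the lsmod check the thread discusses); prints nothing if none are.
pptp_modules_loaded() {
    lsmod 2>/dev/null \
      | awk '$1 ~ /^nf_(conntrack|nat)(_ipv4|_pptp|_proto_gre)?$/ {print $1}'
}

# Usage:
#   pptp_forward_rules 192.168.0.0/24 203.0.113.10 eth0   # print rules
#   pptp_forward_rules 192.168.0.0/24 203.0.113.10 eth0 | sudo sh
#   pptp_modules_loaded
```

After applying the rules, `grep -i gre /proc/net/nf_conntrack` while a client connects shows whether the GRE flow is being tracked alongside the TCP/1723 session.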

