[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Problem with VPN: Win98 -> Linux/NAT -> Windows2000

The problem is solved :)

The firewall used an aliased IP for the VPN forwarding, something that
caused some return packages to use the aliased IP number as sender address,
and some return packages to use the primary IP number as sender address. I
don't know why it worked with Windows 2000 clients - but when I changed the
VPN masquerading to use the primary IP address - everything worked as


-----Original Message-----
From: Jarle Aase [mailto:jgaa@jgaa.com]
Sent: Thursday, August 24, 2000 2:53 AM
To: debian-firewall@lists.debian.org
Subject: Problem with VPN: Win98 -> Linux/NAT -> Windows2000

I have a strange problem getting VPN from Windows 98 working.

The setup is like this:

  Win98 VPN connection
  Win98 ISDN connection to ISP
    (Valid Internet IP number)
    (eth0 Valid Internet IP number)
  Debian GNU Linux "potato"/Kernel 2.2.17 firewall with masquerading/NAT.
    (eth1 Private IP Number)
    (Private IP number)
  Windows 2000 Server with Routing and VPN services)

The Linux kernel is patched with the pptp patch, and compiled with GRE and
PPTP support, IP aliasing, Firewall options ...)

When I try to connect from Windows 98, i get a "the remote machine is not
responding" error message. According to the firewall log and tcpdump, this
is not entirely true, as the tcp connection works fine. The GRE packages
are sent from the Windows 98 machine to the VPN server, and GRE packages
are masqueraded and sent back.

If I use a Windows 2000 client in stead of Windows 98, I get a VPN
connection without any problems, using exactly the same setup.

The following is a short summary of my tests:

  Win98 -> ISP -> Linux firewall -> Windows 2000 VPN server: Nope
  Win2000 -> ISP -> Linux firewall -> Windows 2000 VPN server: ok
  Win98 -> ISP -> Windows 2000 VPN server: ok

tcpdump shows different patterns for win98 client connections and Windows
2000 client connections. The first 7 packages are similar, but then there
is a TCP package in the Windows 2000 connection that are "missing" in the
Windows 98 connection: "00:29:01.986489 s01i30-0586.no.powertech.net.1215 >
my.firewall.net.1723: P 325:349(24) ack 189 win 8572 (DF)". After this
there is TCP and GRE packages on the Windows 2000 connection, while the
Windows 98 connection shows 29 GRE packages, mixed with just one TCP
package, before it shows three TCP packages and a TCP reset package from
the Windows 98 machine.

If I filter out GRE packages, I get excactly the same "problem", both with
Windows98 and Windows 2000 clients, seen from the client side. This _may_
indicate that I have a routing or filtering problem with Windows 98 and GRE
return packages (the GRE packages from the Windwos 98 machine reach the VPN

If anyone have a clue on what's wrong, please speak out :)


CC: Newsgroups: comp.os.linux.networking
Jarle Aase                      email: jgaa@jgaa.com
Author of freeware.             http://www.jgaa.com
(War FTP Daemon)                news:alt.comp.jgaa

<<< no need to argue - just kill'em all! >>>

To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: