
Re: GRE, VPN and suchlike



What do you want to do?

Simply use your Debian box as a firewall or use it as a VPN-accessible host?

In the first case, just follow the directions given by Brendan. It means
opening the correct ports in ipchains and forward to your VPN server.
In the second case, I have no experience of making a Debian box a VPN-aware
server. Just ask Brendan (Sorry for the burden, Brendan ;-). Here is a copy
of what he wrote:

> Win2k clients come with Microsoft's PPTP VPN client. To set up a PPTP
> server on debian you must install Poptop - http://www.poptop.org/
>
> Then read up on how to patch pppd and the 2.2 kernel for it:
>
> http://www.vibrationresearch.com/pptpd/
>
> Or the Howto under 2.4 (including iptables rules):
>
> http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt
>
> Hope this helps.
>
> Brendan
>

Good luck!

Gregoire

----- Original Message -----
From: "Mezei Áron" <aron.mezei@cvr.hu>
To: "'Gregory Hostettler'" <ghostettler@caracal.ch>
Sent: Sunday, April 07, 2002 3:58 AM
Subject: RE: GRE, VPN and suchlike


Hi!

Can you help me a bit? I've read I think all available HOWTOs and
documents about masq-ing a PPTP based VPN, but I couldn't get it to work.
Maybe my PPTP server's config is not ok, but the following is the setup
and this happens:


WindowsXP
|
|
debian masq'ing between an office network and the internet
|
|
debian with pptpd installed


I've created a pptp connection in the XP to the server with pptpd.

In the server's ppp.log the following appears:

Apr  7 03:52:14 algernon pptpd[6254]: CTRL: Client <masq'ing ip> control connection started
Apr  7 03:52:14 algernon pptpd[6254]: CTRL: Starting call (launching pppd, opening GRE)
Apr  7 03:52:14 algernon pppd[6255]: pppd 2.4.1 started by root, uid 0
Apr  7 03:52:14 algernon pppd[6255]: using channel 25
Apr  7 03:52:14 algernon pppd[6255]: Using interface ppp0
Apr  7 03:52:14 algernon pppd[6255]: Connect: ppp0 <--> /dev/pts/2
Apr  7 03:52:14 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:17 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:20 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:23 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:26 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:29 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:32 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:35 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:38 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:41 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:44 algernon pppd[6255]: LCP: timeout sending Config-Requests
Apr  7 03:52:44 algernon pppd[6255]: Connection terminated.
Apr  7 03:52:44 algernon pppd[6255]: Exit.
Apr  7 03:52:44 algernon pptpd[6254]: Error reading from pppd: Input/output error
Apr  7 03:52:44 algernon pptpd[6254]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Apr  7 03:52:44 algernon pptpd[6254]: CTRL: Client <masq'ing ip> control connection finished


So I don't know what could be the problem.
If you can help me and if you have some time for my problem please
answer me.

Thanks a lot!

Aron Mezei

-----Original Message-----
From: Gregory Hostettler [mailto:ghostettler@caracal.ch]
Sent: April 5, 2002 15:58
To: Brendan Lewis
Cc: debian-isp@lists.debian.org
Subject: Re: GRE, VPN and suchlike


It was sooooo simple!
Just use [iptables] ipchains to set up the rules and we have a nice
passthrough!

THANKS a lot, everything works perfectly now!

Greg

> Hi Gregoire,
>
> Gregoire Hostettler wrote:
> > Thank you, Brendan,
> >
> > This is a good starting point.
> >
> > But will this package implement GRE (port 47)? Just because I need
> > to install the Linux box as a firewall. In fact it is already a fw.
> >
> > What I need is just to make VPN encapsulated packets to go through
> > the firewall to the VPN server which is located in the inside LAN.
>
> If all you want to do is forward PPTP packets to an internal (public
> IP) PPTP VPN server that's easy. Under kernel 2.4:
>
> # For the initial PPTP authentication
> iptables -A INPUT -p TCP -s <your VPN server> --dport 1723 -j ACCEPT
> iptables -A INPUT -p TCP -d <your VPN server> --sport 1723 -j ACCEPT
>
> # Then for forwarding GRE
> iptables -A INPUT -p 47 -s <your VPN server> -j ACCEPT
> iptables -A INPUT -p 47 -d <your VPN server> -j ACCEPT
>
> If you want to masquerade PPTP packets to an internal (private IP)
> PPTP server then read this howto:
>
> http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html
>
> However, this only covers kernels 2.0 and 2.2. I haven't tried doing
> this under 2.4 yet.
>
> >
> > And do I need samba? I want to keep my Debian fw with as few
> > daemons as possible, as you can guess ;-)
> >
>
> You only need Samba if you want to provide Windows file and printer
> sharing on the firewall itself. PPTP does not require Samba.
>
> > Anyway THANK YOU for your help!
>
> No problems. Hope this helps!
>
> Brendan
>


--
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
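
Added example (not written by anyone in this thread): a short Python summary of the pppd debug log posted above, counting LCP frames sent and received per pppd process. A session that sent Config-Requests, logged no `rcvd` frame and ended in an LCP timeout means no PPP frames from the client ever reached pppd. The PID 6255 lines are taken from the post (unwrapped, some retries omitted); the PID 7001 session is constructed for contrast.

```python
import re
from collections import defaultdict

# PID 6255: lines from the log in the message above (unwrapped, retries trimmed).
# PID 7001: constructed healthy session, not from the thread.
SAMPLE_LOG = """\
Apr  7 03:52:14 algernon pptpd[6254]: CTRL: Starting call (launching pppd, opening GRE)
Apr  7 03:52:14 algernon pppd[6255]: pppd 2.4.1 started by root, uid 0
Apr  7 03:52:14 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:17 algernon pppd[6255]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x78565de0> <pcomp> <accomp>]
Apr  7 03:52:44 algernon pppd[6255]: LCP: timeout sending Config-Requests
Apr  7 04:10:01 algernon pppd[7001]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x11223344> <pcomp> <accomp>]
Apr  7 04:10:01 algernon pppd[7001]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth pap> <magic 0x11223344> <pcomp> <accomp>]
"""

# Matches pppd lines only; pptpd[...] lines do not contain "pppd[".
LINE_RE = re.compile(r"pppd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FRAME_RE = re.compile(r"^(?P<dir>sent|rcvd) \[LCP (?P<code>\w+)")


def summarize(log_text):
    """Return {pid: {'sent': n, 'rcvd': n, 'timeout': bool}} per pppd process."""
    sessions = defaultdict(lambda: {"sent": 0, "rcvd": 0, "timeout": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        session = sessions[int(m["pid"])]
        frame = FRAME_RE.match(m["msg"])
        if frame:
            session[frame["dir"]] += 1
        elif m["msg"].startswith("LCP: timeout sending Config-Requests"):
            session["timeout"] = True
    return dict(sessions)


def one_way_sessions(log_text):
    """PIDs where pppd sent LCP frames, received none, and timed out."""
    return sorted(pid for pid, s in summarize(log_text).items()
                  if s["sent"] > 0 and s["rcvd"] == 0 and s["timeout"])


if __name__ == "__main__":
    for pid, stats in summarize(SAMPLE_LOG).items():
        print(pid, stats)
    print("one-way LCP sessions:", one_way_sessions(SAMPLE_LOG))
```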


