Poptop and shorewall
I'm attempting to set up a poptop VPN server, on a system acting as a
NAT firewall (running shorewall). The idea is, of course, to allow systems logging into the
VPN access to the network behind the firewall.
There's lots of documentation on how to do this (especially helpful was
http://shorewall.net/PPTP.htm), and with some tweaking,
the default Debian poptop configuration is working mostly right. A
Windows 2000 client can log in, and ping hosts inside the private
network. However, VPN clients cannot ping each other. I can't figure out
if this is the intended behaviour of poptop, or a deficiency of my
shorewall configuration. I've included copies of relevant config files
below. Any insight anyone can provide will be greatly appreciated.
(As an aside, I'm aware that my VPN connections are unencrypted. For my
application, that isn't important.)
Thanks, Philip Bock
/etc/pptpd.conf:
----------------
speed 115200
option /etc/ppp/pptpd-options
localip 192.168.1.100
remoteip 192.168.1.101-110
/etc/ppp/pptp-options:
----------------------
chap-secrets
name rama
domain flamewars.org
auth
netmask 255.255.255.0
nodefaultroute
proxyarp
lock
/etc/shorewall/zones:
---------------------
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
dmz     DMZ       Demilitarized zone
vpn     VPN       PPTP Virtual Private Network
/etc/shorewall/interfaces:
--------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,norfc1918
loc     eth1        detect
vpn     ppp+        detect
/etc/shorewall/tunnels:
-----------------------
# TYPE        ZONE   GATEWAY   GATEWAY
#                              ZONE
pptpserver    net
/etc/shorewall/policy:
----------------------
#SOURCE   DEST   POLICY   LOG
#                         LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
loc       fw     ACCEPT
fw        loc    ACCEPT
fw        vpn    ACCEPT
vpn       fw     ACCEPT
loc       vpn    ACCEPT
vpn       loc    ACCEPT
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   info
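An added example (not from the post or from shorewall itself) that walks the policy file above the way shorewall does, first match wins with "all" as a wildcard, to show which policy line a given zone pair lands on. It assumes no implicit intra-zone ACCEPT (later shorewall releases add one; check the documentation for the version in use), which matters for a zone such as vpn whose ppp+ interfaces make client-to-client traffic cross the firewall's FORWARD chain.

```python
# Constructed copy of the /etc/shorewall/policy file from the post.
POLICY_TEXT = """\
#SOURCE DEST POLICY LOG
# LEVEL
loc net ACCEPT
fw net ACCEPT
loc fw ACCEPT
fw loc ACCEPT
fw vpn ACCEPT
vpn fw ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
net all DROP info
all all REJECT info
"""


def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        src, dst, action = fields[:3]
        log_level = fields[3] if len(fields) > 3 else None
        rules.append((src, dst, action, log_level))
    return rules


def effective_policy(rules, src, dst):
    """First-match lookup; 'all' matches any zone (assumed shorewall semantics)."""
    for rsrc, rdst, action, log_level in rules:
        if rsrc in (src, "all") and rdst in (dst, "all"):
            return action, log_level
    return None, None  # nothing matched; shorewall requires a catch-all line


def zones_without_intra_zone_accept(rules, zones):
    """Zones whose own-zone traffic falls through to a non-ACCEPT policy."""
    return [z for z in zones if effective_policy(rules, z, z)[0] != "ACCEPT"]


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    for pair in (("vpn", "loc"), ("vpn", "vpn"), ("net", "vpn")):
        print(pair, effective_policy(rules, *pair))
    print("no intra-zone ACCEPT:", zones_without_intra_zone_accept(rules, ["vpn"]))
```

With the posted file, vpn to loc hits the explicit ACCEPT line, while vpn to vpn matches nothing until the final "all all REJECT info", which is what a client-to-client ping would be logged against.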