Jens Hafner, 2002-Aug-11 17:40 +0200:
> Hi,
> I'm trying to connect my Win2k professional Laptop to my company's VPN.
> I am using the "Nortel Extranet Access Client V02_62.33", which uses the
> IPSec protocol. Everything just works fine as long as the laptop is
> directly connected to the Internet (e.g. by a dialup connection). Things
> start to break as soon as I connect the laptop to my private network
> ( whose default gateway is a debian (woody, kernel
> 2.2.19) box. I configured the gateway to accept protocol 50 packages and
> port 500 connections in the following way:
> ----------%<---------------%<-----------------%<---------
> /sbin/ipchains -I input -p udp --dport 500 --sport 500 -j ACCEPT
> /sbin/ipchains -I output -p udp --dport 500 --sport 500 -j ACCEPT
> /sbin/ipchains -I input -p 50 -j ACCEPT
> /sbin/ipchains -I output -p 50 -j ACCEPT
> ----------%<---------------%<-----------------%<---------
> I also configured the kernel to masquerade all packages:
> ----------%<---------------%<-----------------%<---------
> /sbin/ipchains -A forward -s -j MASQ
> ----------%<---------------%<-----------------%<---------
> The extranet client always gives me an error message like:
> "BannerSock: The attempt to connect timed out without establishing a
> connection". I couldn't find any documentation covering this case on the
> net. All I found were lots of documents where the Linux box was one end
> of the VPN connection itself but none covered my case in which the
> debian box only masquerades and forwards the encrypted packets.
> My questions are: Am I misconfiguring anything?
> I am using the original kernel. Do I need to patch the kernel?
> Thanks for your help
> Jens


I too use the Nortel Client, both the Windows 2000 one and the Linux
(Netlock) client.  It works perfectly from my private network
( through my gateway.  I can even have multiple PCs
with a client running at the same time.  

The gateway runs Woody 3.0 with a 2.4.18 kernel with iptables.  I have
2 nics, one on the public side connected to a cable modem (eth0) and
the other on the private side connected to a hub with some other PCs
(eth1).  Here's my nat policy:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I have some other rules that allow web and ssh, but nothing specified
for IPSec.  The statefulness of the iptables firewall makes this work
perfectly.  I don't know enough about ipchains in the 2.2 kernel to
help with that.  I can only suggest getting the 4 kernel running
since that's how it works for me.


Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
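The thread contrasts a 2.2/ipchains gateway that explicitly opens protocol 50 and UDP 500 with a 2.4/iptables gateway that relies on a single MASQUERADE rule plus connection tracking. The script below is an added example, not code from either poster: it writes the 2.4-style policy out as a default-deny FORWARD chain that admits only the IPsec protocols (IKE on UDP 500, NAT-T on UDP 4500, raw ESP), lets conntrack handle the return traffic, logs what it drops so a client timeout can be diagnosed from the gateway, and masquerades the LAN. The interface names eth0/eth1 follow the reply; the subnet 192.168.1.0/24 is a constructed placeholder, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables policy for a 2.4-kernel
# NAT gateway so that an IPsec client on the private LAN can reach a remote VPN
# concentrator. Interface names and the LAN subnet below are assumptions; set
# them in the environment to match the gateway.

WAN_IF="${WAN_IF:-eth0}"              # assumed public interface (cable modem side)
LAN_IF="${LAN_IF:-eth1}"              # assumed private interface (hub side)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed placeholder for the private subnet
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them (root)

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipsec_passthrough_rules: forwarding and NAT rules for IKE (UDP 500),
# NAT-T (UDP 4500, RFC 3947/3948) and raw ESP (IP protocol 50).
ipsec_passthrough_rules() {
    # The gateway must route between the two interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Default-deny forwarding; only the traffic listed below may cross.
    run iptables -P FORWARD DROP

    # Replies to connections the LAN initiated come back through conntrack.
    # (2.4 syntax; on current kernels use "-m conntrack --ctstate".)
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound IKE from the LAN to any VPN concentrator.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp --dport 500 -j ACCEPT
    # Outbound NAT-T (IKE and UDP-encapsulated ESP).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp --dport 4500 -j ACCEPT
    # Outbound raw ESP (protocol 50). ESP carries no port numbers, so conntrack
    # can only tell flows apart by address; several LAN clients speaking raw
    # ESP to the same concentrator need NAT-T to be distinguished reliably.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p esp -j ACCEPT

    # Log what the policy drops (rate-limited); a client that times out on the
    # VPN banner shows up here if a needed protocol is missing from the list.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "

    # Hide the private LAN behind the gateway's public address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# rule_count: number of commands the policy issues (quick self-check).
rule_count() {
    ( DRY_RUN=1; ipsec_passthrough_rules ) | wc -l | tr -d ' '
}

ipsec_passthrough_rules
```

Run it as-is to review the generated commands, then `DRY_RUN=0 sh gateway.sh` as root to apply them. The ipchains rules in the original question only cover traffic to and from the gateway itself; the forwarding and masquerading of the client's ESP and IKE traffic is what the FORWARD and POSTROUTING rules above handle, and the LOG rule is where to look when the "BannerSock" timeout appears.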

