Re: vpn-forwaring

To: debian-user@lists.debian.org
Subject: Re: vpn-forwaring
From: Joe <joe@jretrading.com>
Date: Fri, 24 Sep 2010 21:27:23 +0100
Message-id: <[🔎] 4C9D09AB.1010902@jretrading.com>
In-reply-to: <[🔎] 4c9c90cc.c706df0a.2430.2deb@mx.google.com>
References: <[🔎] 4c9c90cc.c706df0a.2430.2deb@mx.google.com>

On 24/09/10 12:51, Sthu Deus wrote:

Good day.

Which modules I should insmod in order to make working a vpn forwarding
on a firewall from a local host (a M$ machine) to a outer host (the vpn
server)?

I have rules in iptables like this:

-A FORWARD -p tcp -s 192.168.0.0/24 â€“dport 1723 -d
VPN_SERVER_IP -j ACCEPT

You also need the same forwarding for the GRE tunnel (IP protocol 47)(the conntrack modules just record links between protocols, they don'tadd forwarding by themselves):

-A FORWARD -p 47 -s 192.168.0.0/24 -d VPN_SERVER_IP -j ACCEPT


Now I need to load something like

ip_nat_pptp
ip_conntrack_proto_gre
ip_conntrack_pptp

But I found not ether of them in Debian 5 stable. So, what should I do
for the forwarding?

Good question. I suspect if you install iptables, Debian will add thecommon conntrack modules by itself, and some may now be built into thecore netfilter code. I'm fairly sure I don't have any explicitconfiguration, but lsmod shows nf_conntrack and a number of other nf_and iptables related modules installed. Add the GRE forwarding first,and see if that works.

Have you checked whether the VPN works without a firewall in between?The PPTP VPN has a large number of variables, and it is worth knowingfor sure that the client and server talk together before you trydebugging the firewall, especially if they are different operatingsystems. Conversely, if you have VPN troubles later, an iptablesfirewall with logging rules added in both directions is an excellenttroubleshooting tool.

If you aren't familiar with the MS PPTP VPN, the first contact is madeusing TCP/1723, over which the GRE encryption negotiation occurs. Thefirst data sent through the tunnel is the user authentication handshake,so if the user is seeing a claim that the VPN is connected but thenthere is a timeout after a failure to authenticate, this is a sign thatTCP/1723 is OK, but GRE is not.

By the way, if you connect VPNs between different sites, watch the IPnetwork address, which must be different for all client-server pairs.The 192.168.0., 192.168.1. and 192.168.16. networks are in very commonuse, and you might want to avoid them.


--
Joe

Reply to:

Follow-Ups:
- Re: vpn-forwaring
  - From: Sthu Deus <sthu.deus@gmail.com>

References:
- vpn-forwaring
  - From: Sthu Deus <sthu.deus@gmail.com>

Prev by Date: Re: To enable the power management mechanism
Next by Date: Re: To enable the power management mechanism
Previous by thread: Re: vpn-forwaring
Next by thread: Re: vpn-forwaring
Index(es):
- Date
- Thread