Vance:

        You also forgot to mention how many IP addresses you
have. :) Okay, I'll assume one. Try this:

1. PPTP uses GRE packets (protocol 47) and TCP packets (protocol 6)
   to port 1723. The GRE packets are forwarded across your
   firewall with the ipfwd command, the TCP packets use the more
   traditional ipmasqadm command.

2. Set up the ipfwd and ipmasqadm commands so that they forward to
   a single IP address, but set this IP address to be the broadcast
   address of your LAN. I've no idea if this will work. :)

3. To make these changes in echowall, edit the two PPTP lines to
   look like this:

OLD
---
#PPTP#$IPMASQADM portfw -a -P tcp -L $IP_EXT 1723 -R $PPTP_HOST 1723
#PPTP#ipfwd --masq $PPTP_HOST 47 &
---

NEW
---
#PPTP#$IPMASQADM portfw -a -P tcp -L $IP_EXT 1723 -R $LAN_BCAST 1723
#PPTP#ipfwd --masq $LAN_BCAST 47 &
---

        Where $LAN_BCAST is set to whatever works on your LAN,
likely something like "192.168.0.255". In fact, this command
will show you what to set it to:

        ip addr show eth1 | grep inet | cut -d \  -f 4

        Again, caveat emptor here: I've no idea if the higher
layer software will like this, nor am I sure if a windoze box's
TCP/IP stack will listen to a broadcast packet.
        But...I know a way to find out. :) Good luck!

-Scott
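The two steps above (find the LAN broadcast address, then substitute it into the two echowall PPTP lines) as a small script. This is an added example, not part of the thread or of echowall; the `ip addr show eth1` output it parses is a constructed sample, and it reads the `brd` field rather than cutting a fixed column so that leading whitespace does not matter.

```shell
#!/bin/sh
# Added example: derive $LAN_BCAST from `ip addr show` output and emit the
# two echowall forwarding lines for PPTP (TCP/1723 via ipmasqadm, GRE/47 via
# ipfwd). Constructed sample output; on a real box use: ip addr show eth1
SAMPLE_IP_ADDR='2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1'

# Print the IPv4 broadcast address from the given `ip addr show` text.
# Looks for the "brd" token on the "inet" line, so field position and
# indentation do not matter.
lan_bcast_from() {
    printf '%s\n' "$1" | awk '$1 == "inet" {
        for (i = 2; i < NF; i++) if ($i == "brd") { print $(i + 1); exit }
    }'
}

# Emit the two echowall lines with the broadcast address substituted.
# $IPMASQADM and $IP_EXT are left as echowall variables, as in the original
# lines; only the destination host becomes the LAN broadcast address.
echowall_pptp_lines() {
    bcast="$1"
    printf '#PPTP#$IPMASQADM portfw -a -P tcp -L $IP_EXT 1723 -R %s 1723\n' "$bcast"
    printf '#PPTP#ipfwd --masq %s 47 &\n' "$bcast"
}

LAN_BCAST=$(lan_bcast_from "$SAMPLE_IP_ADDR")
echowall_pptp_lines "$LAN_BCAST"
```

Because the destination is the broadcast address, every host on the LAN segment receives the forwarded PPTP control and GRE traffic, not just the intended client; the script only shows the substitution, it does not change that property.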

>  I forgot to mention that we are using PPTP on the VPN not IPSec, if
> this makes any difference.
> 
> > Vance:
> > Hard to say. Obviously, you can connect multiple clients to
> > a VPN server if it's only one at a time: just switch the settings to
> > show who should be connected, and re-start.
> > But I suspect you're asking about doing it simultaneously.
> > This is tricky. In fact, I suspect it's not possible if you're using your
> > LEAF/LRP disk to NAT a single IP address to be shared with your whole
> > LAN. That is, IPsec requires the use of both ipmasqadm and ipfwd to
> > forward the TCP and AH packets across the NAT'ing firewall. I know that
> > the ipmasqadm part can only forward TCP from one IP-address tied to
> > the external interface to exactly one machine on your LAN. The ipfwd
> > utility, though, may be able to send it to more than one.
> >
> > So...do you have one external IP address, or a collection of
> > them (some ISPs have 5-IP-Address packages, for instance)? If only
> > one, I think the short answer is: no, this can't be done.
> > Love to be wrong, of course. If someone's gotten this to
> > work somehow, start typing. :)
> >
> > cheers,
> > Scott
> >
> > >What if I want multiple client machines behind an LRP firewall to be able to
> > >connect to a VPN server? The echowall rules only allow one MAC id. Or do
> > >they? Can this be done?
> > >
> > >Vance Price

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user