Colin Helliwell wrote:
> ----- Original Message -----
> From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
>> Look over the VPN Masquerade HOWTO, make sure you're using the right kernel, and holler if you run into problems getting everything working.
>> http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html
>
> Hmmm, that was the document I was reading, and it left me thoroughly confused! I'm not even entirely sure whether my set-up is a private- or ip-registered network (the laptop gets its IP addr from the firewall, the firewall by dhcp from my ISP, and the VPN server is a fixed address). I'll try reading through it again and try to piece it together. It may be that a major fault was me specifying the laptop's IP address instead of the firewall's - is that the 'upstream' (internet) address, or the local one (192.....)?

Yeah, it's pretty confusing until you get your head wrapped around it. It doesn't help that lots of the information doesn't apply (like kernel patches) because it's already been done.
I don't do any VPN Masquerading myself (all my Dachstein boxes are the CD flavor and are VPN gateways themselves), but at this point, I think you should start off with some basic debugging:
Check your firewall logs (/var/log/messages) and ipchains statistics (net ipfilter list) looking for dropped or denied packets in the log, and non-zero packet counts next to ipchains rules with a drop or reject target.
IIRC, you should be able to get through IKE with nothing more than UDP masquerading enabled. You might need to open UDP port 500 to inbound traffic (use EXTERN_UDP_PORTS in network.conf). You'll also need protocol 50 opened once you get IKE working, which you can do with:
EXTERN_PROTO0="50 0/0"
in network.conf. Make sure you re-load the firewall rules after making any of these changes (net ipfilter reload), and don't forget to back up to disk once you get anything working!
>> One more WARNING: You will not be able to masquerade AH (Authenticated Header...protocol 51) VPN Traffic, if that's what your IPSec client is set up to use. This protocol authenticates *EVERYTHING* in the IP packet, including the IP header (with its source and destination IPs), so masquerading (which replaces the source and/or destination IP field in the header) invalidates the packets. The more commonly used ESP (protocol 50) only authenticates the data portion of the IP packet, and can be successfully masqueraded.
>
> Don't know if it uses AH or ESP, but the client has a logging option, so if I can at least get it through the initial IKE exchange, then that'll be something - I may even know what I'm doing by then. Is there a simple set of steps which will just open up the firewall completely, just so I can check it with the loosest possible configuration before tightening up to specific addresses?

You can't totally flush the firewall rules, or you won't be masquerading anymore. The above mods should be enough to let VPN traffic through, but if you want, you can insert a rule in the input chain to accept all traffic:
ipchains -I input -j ACCEPT
Make sure you delete this rule (change the -I to -D for "Delete") after testing!
If you still can't get IKE to do anything, flush the packet counters (net ipfilter reload), try to connect, then dump the firewall stats (net ipfilter list). Post *ALL* the resulting data to the list, along with any relevant log entries from /var/log/messages, and we'll see if someone can't spot what's going wrong. The output of "ip addr" and "ip route" would probably also be helpful, to verify there's not some low-level mis-configuration.
--
Charles Steinkuehler
[EMAIL PROTECTED]
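An added illustration of the AH-versus-ESP point made in the thread (example code written for this page, not from the thread, LEAF or Dachstein): a toy Python model of the two integrity checks in which the laptop, firewall and VPN server addresses and the HMAC key are constructed, showing that rewriting the source address on the way out invalidates an AH-style ICV (header covered) but leaves an ESP-style ICV (payload only) intact.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Toy model only: one shared HMAC key, IPv4 only, no SPI/sequence numbers.
# Every address and the key below are constructed for this demo.
KEY = b"constructed-demo-key"        # real SAs get their keys from IKE (UDP 500)
LAPTOP = "192.168.1.10"              # private address behind the firewall
FIREWALL_EXT = "198.51.100.7"        # firewall's upstream address, written in by masquerading
VPN_SERVER = "203.0.113.5"           # fixed address of the remote VPN gateway


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int            # changes at every hop, so AH zeroes it before hashing
    payload: bytes
    icv: bytes = b""


def _header_bytes(pkt, zero_mutable):
    ttl = 0 if zero_mutable else pkt.ttl
    return (struct.pack("!B", ttl)
            + ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed)


def compute_icv(pkt, mode):
    # AH (protocol 51) covers the IP header (mutable fields zeroed) plus the payload;
    # ESP (protocol 50) covers only its own payload, leaving the outer IP header uncovered.
    covered = (_header_bytes(pkt, True) if mode == "ah" else b"") + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]   # 96-bit ICV, like HMAC-*-96


def verify(pkt, mode):
    return hmac.compare_digest(compute_icv(pkt, mode), pkt.icv)


def forward(pkt, new_src=None):
    """One router hop: TTL drops by one; a masquerading firewall also rewrites the source IP."""
    return Packet(new_src or pkt.src, pkt.dst, pkt.ttl - 1, pkt.payload, pkt.icv)


def delivered(mode, masquerade):
    """Laptop -> firewall -> VPN server. True if the server's ICV check still passes."""
    pkt = Packet(LAPTOP, VPN_SERVER, 64, b"constructed IPsec payload")
    pkt.icv = compute_icv(pkt, mode)          # sender attaches the ICV before transmission
    return verify(forward(pkt, FIREWALL_EXT if masquerade else None), mode)


if __name__ == "__main__":
    for mode in ("esp", "ah"):
        print(f"{mode.upper()} direct: {delivered(mode, False)}, masqueraded: {delivered(mode, True)}")
```

The TTL decrement on the plain hop does not break AH because AH excludes mutable fields from the hash; only the source-address rewrite does.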
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
