[EMAIL PROTECTED] wrote:
I have been trying (unsuccessfully) to connect to a VPN server using Cisco
VPN client version 3.5.1 (B).  The VPN client is running on a Win98
machine which is networked to a Dachstein LRP box.

I have found a series of e-mails in the archive from Rob Fegley dated 21
Dec 2002.  Among the replies to this email is one from Colin Helliwell
detailing his successful efforts by loading the ip_masq_ipsec module,
opening UDP 500 to the server's IP, and implementing EXTERN_PROTO0="50...
and EXTERN_PROTO1="47...

I have tried this and it does not work for me.  My VPN log shows three
attempts to send IKE, then quits without any transfer.

I know that the IP address of the server is correct.  I suspect that the
firewall is not allowing the transfer to take place.  However, I do find
a udp 500 connection to the server IP in the masqued connections list
using Weblet.

I was wondering if there is some simple way of disabling the firewall
completely for traffic to the specific IP of the VPN server and seeing
what shows up in the logs.  Would this be a good way to troubleshoot
this problem, or is there a better way?

There is a simple way to do this...run:

ipchains -I input -j ACCEPT -s <Remote IP> -i <external interface>

This will allow all traffic from the Remote IP through the firewall. To remove the rule when done testing, either re-load your firewall rules (net ipfilter reload), or simply manually delete the rule (type exactly the same ipchains command as above, but replace the -I (insert) with -D (delete)).

Also, which version of Dachstein are you using? The CD-ROM comes with a kernel compiled to run IPSec on the firewall, which is reportedly incompatible with using the IPSec masquerading helper module. The floppy-disk versions of Dachstein come with the proper kernel for masquerading IPSec, but you do have to configure the module to load.

Troubleshooting:

- Make sure the ipsec masquerading module is loaded with the lsmod command.

- Review the output of "net ipfilter list", and verify the proper UDP ports are opened. Look for non-zero byte/packet counts next to deny or reject rules, and check your firewall logs (/var/log/messages) for any indications of dropped traffic.

- If possible, check the logs on the remote end. This will tell you if your packets are getting dropped between your system and the far end, or if the far end is ignoring you for some reason (invalid authentication credentials, unknown connection description, far-end firewall rules, etc).

--
Charles Steinkuehler
[EMAIL PROTECTED]
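
A small helper, added here as an example and not part of the thread, that puts the reply's advice into code: it builds the temporary "accept everything from the VPN server" ipchains rule together with the matching delete so the wide-open rule is not forgotten, and it scans /var/log/messages for DENY/REJECT entries that touch the VPN server and involve IKE (UDP/500), ESP (IP protocol 50) or GRE (IP protocol 47), the three pieces of traffic the thread says the Cisco client needs. The "Packet log:" line layout and the 65535 placeholder port for protocols without ports are my assumptions about the ipchains log format; the sample log lines and the addresses in them are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Traffic the Cisco VPN client needs through the firewall, per the thread:
# IKE on UDP/500, ESP (IP protocol 50) and GRE (IP protocol 47).
IKE_PORT = 500
PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50
DROP_ACTIONS = {"DENY", "REJECT"}


def ipchains_test_rules(remote_ip: str, iface: str) -> Tuple[str, str]:
    """Build the temporary 'allow everything from the VPN server' rule from the
    reply and its matching delete.  The two commands differ only in -I vs -D,
    so returning them as a pair makes it hard to leave the open rule behind."""
    ipaddress.ip_address(remote_ip)  # raises ValueError on a malformed address
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", iface):
        raise ValueError(f"suspicious interface name: {iface!r}")
    rule = f"-j ACCEPT -s {remote_ip} -i {iface}"
    return (f"ipchains -I input {rule}", f"ipchains -D input {rule}")


@dataclass
class PacketLog:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


# Assumed ipchains "Packet log:" layout (2.2 kernel); ports are shown as
# 65535 for protocols that have none.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_packet_log(lines) -> List[PacketLog]:
    """Extract PacketLog records from syslog lines; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append(PacketLog(m["chain"], m["action"], m["iface"],
                                 int(m["proto"]), m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"])))
    return out


def describe(rec: PacketLog) -> str:
    """Name the VPN component a packet belongs to, or '' if it is unrelated."""
    if rec.proto == PROTO_ESP:
        return "ESP (IP proto 50)"
    if rec.proto == PROTO_GRE:
        return "GRE (IP proto 47)"
    if rec.proto == PROTO_UDP and IKE_PORT in (rec.sport, rec.dport):
        return "IKE (UDP/500)"
    return ""


def find_vpn_drops(records: List[PacketLog], server_ip: str) -> List[PacketLog]:
    """Dropped packets to or from the VPN server that are IKE, ESP or GRE."""
    return [r for r in records
            if r.action in DROP_ACTIONS
            and server_ip in (r.src, r.dst)
            and describe(r)]


# Constructed sample of /var/log/messages; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  5 10:01:02 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.10:500 198.51.100.5:500 L=120 S=0x00 I=41932 F=0x0000 T=63 (#4)
Jan  5 10:01:03 fw kernel: Packet log: input DENY eth0 PROTO=50 203.0.113.10:65535 198.51.100.5:65535 L=152 S=0x00 I=41933 F=0x0000 T=63 (#4)
Jan  5 10:01:05 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4444 198.51.100.5:22 L=60 S=0x00 I=100 F=0x4000 T=50 (#4)
Jan  5 10:01:06 fw kernel: Packet log: output ACCEPT eth0 PROTO=17 198.51.100.5:500 203.0.113.10:500 L=120 S=0x00 I=41934 F=0x0000 T=64 (#1)
"""

if __name__ == "__main__":
    insert, delete = ipchains_test_rules("203.0.113.10", "eth0")
    print("test rule:  ", insert)
    print("remove with:", delete)
    records = parse_packet_log(SAMPLE_LOG.splitlines())
    for rec in find_vpn_drops(records, "203.0.113.10"):
        print(f"{rec.chain} {rec.action} on {rec.iface}: {describe(rec)} "
              f"{rec.src} -> {rec.dst}")
```

In the constructed sample the inbound IKE reply and the ESP packet from the server are both denied on the input chain while the client's outbound IKE is accepted, which is the pattern the poster's "three IKE attempts, then nothing" symptom would produce if the return traffic is what the firewall is dropping; the unrelated TCP drop and the accepted line are filtered out so they do not muddy the check.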