Charles,
I have been out of town for a couple of weeks, but here is what I found out about my VPN situation.


The VPN is Microsoft VPN (PPTP). I ran tcpdump on both interfaces, eth0 and eth2. At first I did not have port 1723 open. I opened that and the traffic got farther along.

It looks like the client computer from my DMZ (eth2) starts sending "15:07:47.199361 xx.xxx.xxx.218 > xxx.xxx.xx.50: gre-proto-0x880B (gre encap)", but this is not passing through to eth0.
It sends this several times and then it aborts.
I have "DMZ_OUTBOUND_ALL=YES".


In network.conf at the section "DMZ_OPEN_DEST=" I added this rule: "47_${DMZ_NET}_: "

It looks like something is missing in the OUTPUT chain, but I am not sure what to add.
What else do I need to add to allow protocol 47 traffic through the firewall?


Thanks
LaRoy McCann
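For the rules LaRoy is asking about, here is an added example; it is not from any message in this thread and does not use Dachstein's network.conf syntax, but it spells out the packet-filter rules the question amounts to. It assumes an ipchains-based firewall (which Dachstein is), the interface names from the thread (eth2 DMZ, eth0 upstream), and placeholder addresses from the RFC 5737 documentation ranges in place of the real ones. PPTP is two flows: a TCP/1723 control connection and GRE (IP protocol 47) carrying the tunnelled PPP frames. On ipchains a forwarded packet crosses the input, forward and output chains, and there is no connection tracking, so each flow needs rules in all three chains in both directions, and GRE has no ports to narrow on, so the rules are pinned to the client network and the one server.

```shell
#!/bin/sh
# Added example (not from the leaf-user thread): ipchains rules that let a
# PPTP client on the proxy-ARP DMZ (eth2) reach a PPTP server out on the
# Internet side (eth0). Values below are assumptions; the addresses are
# RFC 5737 documentation placeholders, not the thread's real ones.
DMZ_IF=eth2
EXT_IF=eth0
DMZ_NET=192.0.2.0/24
PPTP_SERVER=203.0.113.50

# Dry run by default: print the commands. Run with IPCHAINS=ipchains to apply.
: "${IPCHAINS:=echo ipchains}"

# pptp_rules DMZ_NET PPTP_SERVER DMZ_IF EXT_IF
# Emits (or applies) the 12 rules: 6 for TCP/1723, 6 for GRE (protocol 47).
pptp_rules() {
    net=$1 srv=$2 din=$3 ext=$4

    # Control channel, client -> server (TCP 1723), through all three chains.
    $IPCHAINS -A input   -i "$din" -p tcp -s "$net" -d "$srv" 1723 -j ACCEPT
    $IPCHAINS -A forward           -p tcp -s "$net" -d "$srv" 1723 -j ACCEPT
    $IPCHAINS -A output  -i "$ext" -p tcp -s "$net" -d "$srv" 1723 -j ACCEPT

    # Control channel, server -> client. "! -y" rejects packets that carry
    # only SYN, so the server can answer but cannot open new connections
    # into the DMZ from its port 1723.
    $IPCHAINS -A input   -i "$ext" -p tcp ! -y -s "$srv" 1723 -d "$net" -j ACCEPT
    $IPCHAINS -A forward           -p tcp ! -y -s "$srv" 1723 -d "$net" -j ACCEPT
    $IPCHAINS -A output  -i "$din" -p tcp ! -y -s "$srv" 1723 -d "$net" -j ACCEPT

    # GRE in both directions. There is no port to match, so a bare
    # "-p 47 -j ACCEPT" would admit any GRE traffic; keep it pinned to the
    # client network and the one PPTP server.
    $IPCHAINS -A input   -i "$din" -p 47 -s "$net" -d "$srv" -j ACCEPT
    $IPCHAINS -A forward           -p 47 -s "$net" -d "$srv" -j ACCEPT
    $IPCHAINS -A output  -i "$ext" -p 47 -s "$net" -d "$srv" -j ACCEPT
    $IPCHAINS -A input   -i "$ext" -p 47 -s "$srv" -d "$net" -j ACCEPT
    $IPCHAINS -A forward           -p 47 -s "$srv" -d "$net" -j ACCEPT
    $IPCHAINS -A output  -i "$din" -p 47 -s "$srv" -d "$net" -j ACCEPT
}

# rule_count DMZ_NET PPTP_SERVER DMZ_IF EXT_IF PATTERN
# Dry-run aid: how many of the emitted rules match PATTERN. Runs in a
# subshell so forcing the echo mode does not leak into the caller.
rule_count() {
    ( IPCHAINS="echo ipchains"; pptp_rules "$1" "$2" "$3" "$4" ) | grep -c -- "$5"
}

pptp_rules "$DMZ_NET" "$PPTP_SERVER" "$DMZ_IF" "$EXT_IF"
```

After applying the rules, the same tcpdump that showed GRE on eth2 can be repeated on the upstream side with the filter `ip proto 47`; if the "gre encap" packets now appear on eth0 and answers come back from the server, the tunnel is passing. The deny-by-default chains on the firewall are unchanged, so nothing beyond these two flows between the DMZ network and that one server is opened.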





At 02:14 PM 6/17/2004, you wrote:

Charles,
I am sorry for not giving any detail about where the client was connected, but you hit the nail on the head.


I am a local ISP and I am using the firewall between my provider (Sprint) and the rest of my network. I do have 3 cards, but I am not using the internal network interface. Just eth0 (internet) and eth2 (proxy ARP).

Sprint <==> Local router <==> Dachstein Firewall (eth0) <==> Proxy ARP (eth2) to my network

I am not sure what type of VPN they are using. I must confess, this is the first dealings I have had with anyone needing to do a VPN.

I do know that the client is a W2k box using the virtual private connection under network and dial-up connections.

I will have to check with the admin of the system they are trying to connect to if any other info is needed.

Thanks
LaRoy



At 01:47 PM 6/17/2004, you wrote:

LaRoy McCann wrote:

I have a Dachstein proxy ARP firewall in place.
Do I have to set up IPsec or FreeS/WAN or something like that to have a Windows client be able to VPN to an outside network, or should that be transparent through the firewall?
Client is on the proxy-ARPed side and is trying to connect using the Windows VPN adapter to a system on the eth0 side of the router. It gives an error when trying to verify username and password. The computer was checked on a different system and it could VPN into the remote system with no problems.
Please forgive my ignorance about VPNs.

Without a diagram, I'm unclear on your exact network layout, but I'll take a stab at helping.


Assuming the following:
- You have at least a 3 interface firewall (upstream, internal, and proxy-arp DMZ).
- The system initiating the VPN link is in the proxy-arp DMZ.
- The destination system you're trying to link to is somewhere on the internet (typically, eth0 is the upstream link of a LEAF firewall).

Given the above, you probably do not have rules in place allowing the VPN traffic through the firewall, which is why your VPN is failing.

Simply allowing the appropriate traffic through the firewall ought to get your VPN working, but I can't tell you exactly what ports/protocols to allow without knowing what type of VPN you're trying to create (i.e., PPTP, IPsec, etc.).

--
Charles Steinkuehler
[EMAIL PROTECTED]




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html