Re: PPTP and Firewalls
On Sun, 2003-05-11 at 11:00, [EMAIL PROTECTED] wrote:
> >Does the PPTP server have a real IP address, or is there some sort of
> >NAT/DNAT/SNAT being done by the firewall?
> >
> The PPTP server doesn't have a real IP, part of the problem for me is trying
> to get the DNAT/SNAT rules working properly. As I understand it, I need to
> DNAT all GRE traffic to the PPTP server and SNAT it back again, but I can't
> quite figure out the rules.

You do not have to SNAT it back.

Have you tried testing the PPTP server from inside the network to make sure
that there is no problem with the PPTP server?

HTH,

Shri

--
Shri Shrikumar      U R Byte Solutions    Tel: 0845 644 4745
I.T. Consultant     Edinburgh, Scotland   Mob: 0773 980 3499
Web: www.urbyte.com                       Email: [EMAIL PROTECTED]
Re: PPTP and Firewalls
>Does the PPTP server have a real IP address, or is there some sort of
>NAT/DNAT/SNAT being done by the firewall?
>
The PPTP server doesn't have a real IP, part of the problem for me is trying
to get the DNAT/SNAT rules working properly. As I understand it, I need to DNAT
all GRE traffic to the PPTP server and SNAT it back again, but I can't quite
figure out the rules.

>What do you see with a tcpdump on the firewall, and does the server's ConfReq
>actually make it to the client at all?
>
The tcpdump shows packets being sent into both sides of the firewall, but never
coming out of it. This quite clearly indicates that my GRE forwarding rules are
wrong, but I can't figure out what the right ones are.

>Can the PPTP server ping the client?
>
The server can ping the client IP fine, the firewall seems to work correctly
for everything other than the GRE packets.

>Have you explicitly allowed GRE traffic through the firewall?
>
I'm trying, but I think that's what I've got wrong. If you could give me some
example rules that would do this, that'd be really appreciated.

Thanks for the help.

>t
>--
>GPG : http://n12turbo.com/tarragon/public.key
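One way to write the forwarding rules asked for in the message above, as an added example that is not part of the original thread and not any poster's own configuration. The function names, the `DRY_RUN` switch, the interface `eth0` and the address `192.168.1.10` are assumptions chosen for illustration; IP forwarding is assumed to be enabled already.

```shell
#!/bin/sh
# Added example: PPTP passthrough on a Linux iptables firewall.
# Hypothetical values: WAN interface eth0, PPTP server 192.168.1.10.
# Set DRY_RUN=1 to print the commands instead of applying them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

pptp_passthrough() {
    wan_if=$1
    server=$2
    [ -n "$wan_if" ] || { echo "missing WAN interface" >&2; return 1; }
    # Refuse an empty address or one containing anything but digits and dots.
    case $server in
        *[!0-9.]*|'') echo "bad server address: $server" >&2; return 1 ;;
    esac

    # Control channel: TCP 1723 goes to the internal server.
    ipt -t nat -A PREROUTING -i "$wan_if" -p tcp --dport 1723 \
        -j DNAT --to-destination "${server}:1723"
    # Data channel: GRE is IP protocol 47 and has no ports, so the match
    # is on protocol alone and the DNAT target is an address only.
    ipt -t nat -A PREROUTING -i "$wan_if" -p 47 \
        -j DNAT --to-destination "$server"

    # FORWARD sees the packet after DNAT, so -d is the server's LAN address.
    ipt -A FORWARD -i "$wan_if" -d "$server" -p tcp --dport 1723 -j ACCEPT
    ipt -A FORWARD -i "$wan_if" -d "$server" -p 47 -j ACCEPT
    ipt -A FORWARD -o "$wan_if" -s "$server" -p tcp --sport 1723 -j ACCEPT
    ipt -A FORWARD -o "$wan_if" -s "$server" -p 47 -j ACCEPT

    # Replies within a DNATed flow are rewritten back by connection tracking.
    # Packets the server originates itself leave through the firewall's
    # public address like those of any other LAN host.
    ipt -t nat -A POSTROUTING -o "$wan_if" -s "$server" -j MASQUERADE
}

# Usage: DRY_RUN=1 pptp_passthrough eth0 192.168.1.10
```

Running `tcpdump -n -i eth0 proto 47` on the firewall's outside interface afterwards shows whether GRE now leaves with the public source address.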
Re: PPTP and Firewalls
On Fri, 9 May 2003 03:16 pm, Simon Bland wrote:
> I'm having some trouble setting up a PPTP VPN server behind a firewall.
>
> Internet - Firewall LAN (Including PPTP server)
>
> At the moment I'm forwarding port 1723 back to the PPTP server. I can
> see the logs of the client connecting to the server, but when the server
> sends its first LCP ConfReq there is never any reply. I'm guessing
> there is some sort of routing issue involved, but can't seem to get it
> set up.
>
> The firewall and PPTP server are both running 2.4.18 kernels with iptables
> and GRE tunnels set up as modules and mppe patches for the kernel and for
> pppd, both are Debian stable.
>
> I know the VPN configs are fine as I can get it working if the VPN runs
> on the firewall, but I'd really rather not have the VPN running on the
> firewall if I can get around it.
>
> Thanks for any suggestions/help.

Does the PPTP server have a real IP address, or is there some sort of
NAT/DNAT/SNAT being done by the firewall?

What do you see with a tcpdump on the firewall, and does the server's ConfReq
actually make it to the client at all?

Can the PPTP server ping the client?

Have you explicitly allowed GRE traffic through the firewall?

t
--
GPG : http://n12turbo.com/tarragon/public.key
PPTP and Firewalls
I'm having some trouble setting up a PPTP VPN server behind a firewall.

Internet - Firewall LAN (Including PPTP server)

At the moment I'm forwarding port 1723 back to the PPTP server. I can
see the logs of the client connecting to the server, but when the server
sends its first LCP ConfReq there is never any reply. I'm guessing
there is some sort of routing issue involved, but can't seem to get it
set up.

The firewall and PPTP server are both running 2.4.18 kernels with iptables
and GRE tunnels set up as modules and mppe patches for the kernel and for
pppd, both are Debian stable.

I know the VPN configs are fine as I can get it working if the VPN runs
on the firewall, but I'd really rather not have the VPN running on the
firewall if I can get around it.

Thanks for any suggestions/help.