tun0 is my ADSL connection.

rules for ipf:
    pass in  quick  on tun0 proto 47      from 0/0 to x.x.x.x/24
    pass in  quick  on tun0 proto 50      from 0/0 to x.x.x.x/24
    pass in  quick  on tun0 proto 51      from 0/0 to x.x.x.x/24
    pass in  quick  on tun0 proto tcp/udp from 0/0 to x.x.x.x/24 port = 1723
    pass in  quick  on tun0 proto udp     from 0/0 to x.x.x.x/24 port = 500

rules for ipnat:
    # Redirect VPN connections to win2kserver
    rdr tun0 0/0 port 1723 -> x.x.x.x port 1723 tcp
    rdr tun0 0/0 port 500 -> x.x.x.x port 500 udp
    rdr tun0 0/0 port 0 -> x.x.x.x port 0 47


Once you've done that and reloaded your rules (ipnat -f /path/to/rule and
ipnat /path/to/rule) you should get the following when doing:

[EMAIL PROTECTED]:/home/stephen# ipnat -l
List of active MAP/Redirect filters:
rdr tun0 0.0.0.0/0 port 1723 -> x.x.x.x port 1723 tcp
rdr tun0 0.0.0.0/0 port 500 -> x.x.x.x port 500 udp
rdr tun0 0.0.0.0/0 port 0 -> x.x.x.x port 0 gre

[EMAIL PROTECTED]:/home/stephen# ipfstat -ion
@2 pass in quick on tun0 proto gre from any to x.x.x.x/24
@3 pass in quick on tun0 proto esp from any to x.x.x.x/24
@4 pass in quick on tun0 proto ah from any to x.x.x.x/24
@5 pass in quick on tun0 proto tcp/udp from any to x.x.x.x/24 port = 1723
@6 pass in quick on tun0 proto udp from any to x.x.x.x/24 port = 500


Just note that I haven't configured PPTP on my FreeBSD box; it simply
redirects to the Win2k server, which handles everything.




On Thu, 10 Jul 2003, xjust wrote:

> Can you give me examples of how to "allow IP PROTOs 47 (GRE), 50 (ESP), 51
> (AH)"?
> My Windows machine has the IP address 10.0.0.2.
> Only the FreeBSD machine has a real address. I know how to redirect tcp/udp
> with ipnat to the Windows machine, but I'm not sure what you mean by allow GRE,
> ESP and AH. Please give me examples of how to do that (with ipf or ipnat).
> I configured pptpd on FreeBSD and it works for other (Windows 2000) systems
> connecting to my FreeBSD machine, but for some reason the connection
> freezes with an "unknown protocol" error.
> Thanks
>
> Best regards,
> Ilie Adrian
> [EMAIL PROTECTED]
>
>
> ----- Original Message -----
> From: "stephen at unix dot za dot net" <[EMAIL PROTECTED]>
> To: "Julias P" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Thursday, July 10, 2003 1:17 PM
> Subject: Re: Windows 2000 VPN Set-Up
>
>
> >
> > Hi Jei,
> >
> > I currently have a VPN setup between two cities for my company.
> >
> > The remote PC is a Windows 2000 box that dials up to its local ISP before
> > connecting to head office (where I am), which is connected to the 'net 24/7
> > via an ADSL connection on a FreeBSD box which allows the connections
> > through a NATed firewall and redirects to a Windows 2000 server with a
> > private IP.
> >
> > It's not really that hard.  I'm not sure if you have any sort of
> > Linux/BSD-ish type systems in place, but seeing what I did could well
> > point you in the right direction.
> >
> > I use ipf and ipnat.
> >
> > You'll need to redirect tcp/1723 and udp/500 from the point of entry to your
> > Windows 2000 server and allow IP PROTOs 47 (GRE), 50 (ESP), 51 (AH).
> >
> > As long as you've got those rules in place, everything should be ok.
> >
> > What I also did as an extra step of protection (maybe someone can tell
> > me how valid this is): for DHCP I only allow 2 PCs in a certain range.
> > The IP gets assigned once they have authenticated, but is only assigned
> > if the MAC address of the NIC matches the MAC address assigned
> > for that IP.
> >
> >
> >
> > On Tue, 8 Jul 2003, Julias P wrote:
> >
> > >
> > > I would like to set up a VPN connection using Windows 2000 Server, to
> > > enable access from the Internet. I have a set of firewalls through which
> > > I have configured port 1723. What security issues do I need to consider
> > > and how can I harden the security around an MS Windows 2000 VPN setup?
> > > Can I install a personal firewall like ZoneAlarm on the VPN PC? Any links
> > > to a secure VPN set-up would help.
> > >
> > > Thanks
> > >
> > > Jei,
> > >
> > >
> > >
> > > DISCLAIMER: The information contained in this communication is
> > > confidential and may be legally privileged or otherwise protected from
> > > disclosure. It is intended solely for the use of the individual or
> > > entity to whom it is addressed. If you are not the intended recipient,
> > > you are hereby notified that any disclosure, copying, distribution or
> > > taking action in reliance on the contents of this information is
> > > strictly prohibited and may be unlawful. Commercial Bank of Zimbabwe
> > > Limited is neither liable for the complete transmission of the
> > > information contained in this communication, any delay in its receipt
> > > or damage that may be suffered by the unintended recipient.
> > >
> > >
> > >
> >
> > > ---------------------------------------------------------------------------
> > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> > > while InStat has confirmed Neoteris as the leader in marketshare.
> > >
> > > Find out why, and see how you can get plug-n-play secure remote access in
> > > about an hour, with no client, server changes, or ongoing maintenance.
> > >
> > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > > ----------------------------------------------------------------------------
> > >
> >
> >
> >
> >
> > This mail was scanned with RAV Antivirus.
> >
> >
>


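As an added example, not code from any poster in this thread: a small Python script that audits an ipf/ipnat rule set for the rules stephen lists above (pass tcp/1723, udp/500 and IP protocols 47/50/51 inbound on the external interface; redirect tcp/1723, udp/500 and GRE to the VPN server). It accepts either the rule files themselves ("proto 47") or the `ipfstat -ion` / `ipnat -l` listings ("proto gre"), so a setup like xjust's, which only forwards tcp/udp, shows up as missing the GRE pass and redirect before anyone starts debugging the Windows side. The interface name tun0, the 203.0.113.0/24 network and the 10.0.0.2 server address in the sample listings are constructed placeholders standing in for the x.x.x.x values on the page.

```python
import re

# Audit an ipf/ipnat configuration for the PPTP / IPsec passthrough rules
# discussed in the thread.  Example code added to this page, not any poster's
# own; the sample listings at the bottom are constructed.

# Protocol numbers as they appear in rule files, mapped to the names that
# `ipfstat -ion` and `ipnat -l` print.
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}

# (protocol, port) pairs that must be passed inbound on the external interface.
# tcp/1723 is the PPTP control channel, udp/500 is IKE; the port-less entries are
# whole IP protocols (GRE carries the PPTP tunnel, ESP/AH carry IPsec).
REQUIRED_PASS = {("tcp", 1723), ("udp", 500), ("gre", None), ("esp", None), ("ah", None)}
# (protocol, port) pairs that ipnat must redirect to the internal VPN server.
REQUIRED_RDR = {("tcp", 1723), ("udp", 500), ("gre", 0)}

# Matches both "pass in quick on tun0 proto 47 from 0/0 to ..." (rule file)
# and "@2 pass in quick on tun0 proto gre from any to ..." (ipfstat -ion).
IPF_RE = re.compile(
    r"^(?:@\d+\s+)?pass\s+in\b.*?\bon\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<port>\d+))?"
)
# Matches "rdr tun0 0/0 port 1723 -> 10.0.0.2 port 1723 tcp" in either form.
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+\S+\s+port\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<dport>\d+)\s+(?P<proto>\S+)"
)


def _protos(token):
    """Expand 'tcp/udp' or a numeric protocol into a set of protocol names."""
    return {PROTO_NAMES.get(p, p) for p in token.lower().split("/")}


def parse_pass_rules(text, iface):
    """Return the set of (proto, port) that ipf passes inbound on iface."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = IPF_RE.match(line)
        if not m or m.group("iface") != iface:
            continue
        port = int(m.group("port")) if m.group("port") else None
        for p in _protos(m.group("proto")):
            found.add((p, port))
    return found


def parse_rdr_rules(text, iface):
    """Return {(proto, port): target} for every ipnat rdr rule on iface."""
    found = {}
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m and m.group("iface") == iface:
            for p in _protos(m.group("proto")):
                found[(p, int(m.group("sport")))] = m.group("target")
    return found


def audit(ipf_text, ipnat_text, iface):
    """Report which required pass/rdr rules are missing on iface and which
    hosts the redirects point at (more than one target is usually a typo)."""
    passed = parse_pass_rules(ipf_text, iface)
    rdrs = parse_rdr_rules(ipnat_text, iface)
    order = lambda r: (r[0], r[1] or 0)
    return {
        "missing_pass": sorted((r for r in REQUIRED_PASS if r not in passed), key=order),
        "missing_rdr": sorted((r for r in REQUIRED_RDR if r not in rdrs), key=order),
        "targets": set(rdrs.values()),
    }


# Constructed sample listings modelled on the ones in the thread.
FULL_IPFSTAT = """\
@2 pass in quick on tun0 proto gre from any to 203.0.113.0/24
@3 pass in quick on tun0 proto esp from any to 203.0.113.0/24
@4 pass in quick on tun0 proto ah from any to 203.0.113.0/24
@5 pass in quick on tun0 proto tcp/udp from any to 203.0.113.0/24 port = 1723
@6 pass in quick on tun0 proto udp from any to 203.0.113.0/24 port = 500
"""
FULL_IPNAT = """\
List of active MAP/Redirect filters:
rdr tun0 0.0.0.0/0 port 1723 -> 10.0.0.2 port 1723 tcp
rdr tun0 0.0.0.0/0 port 500 -> 10.0.0.2 port 500 udp
rdr tun0 0.0.0.0/0 port 0 -> 10.0.0.2 port 0 gre
"""
# The same setup with only the tcp/udp rules, i.e. GRE never allowed or redirected.
BROKEN_IPFSTAT = "\n".join(l for l in FULL_IPFSTAT.splitlines() if "gre" not in l)
BROKEN_IPNAT = "\n".join(l for l in FULL_IPNAT.splitlines() if "gre" not in l)

if __name__ == "__main__":
    for name, ipf, nat in (("full", FULL_IPFSTAT, FULL_IPNAT),
                           ("broken", BROKEN_IPFSTAT, BROKEN_IPNAT)):
        print(name, audit(ipf, nat, "tun0"))
```

Run it against real output with something like `audit(open("ipfstat.txt").read(), open("ipnat.txt").read(), "tun0")`; an empty `missing_pass` and `missing_rdr` with a single entry in `targets` is the state stephen's listings show. Because the check is done on the loaded rule listings rather than the files, it also catches the case where the rule file is right but was never reloaded.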
