[pptp-server] gre tunnels across a linux router

Shane Boulter sboulter at ariasolutions.com
Fri Jul 14 12:55:39 CDT 2000


My mistake, I forgot my IP configs.

the poptop server is 192.168.1.9
eth1 on the firewall is 192.168.1.254
eth0 on the firewall has a real IP $externalip

The external clients' IPs are going to vary since most people in the company
have laptops that they travel from site to site with.

Another firewall rule denies packets that have private IPs (192.168.x.y) on
eth0, so I thought that it wouldn't matter too much to have that rule
implemented.

Shane

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Eric H
Sent: Friday, July 14, 2000 11:32 AM
To: PPTP mailinglist
Subject: Re: [pptp-server] gre tunnels across a linux router


What IPs are you using for your vpn server, firewall, and external
clients? (Both their real Internet IPs and the ones you're trying to
assign through poptop)... Also,
#=- ipchains -A forward -j MASQ -p 47 -s 192.168.1.0/24 -d 0/0
this rule might be a security loophole, since it looks like you might be
masq'ing your poptop connections, and possibly someone external to your
firewall could masq themselves if they broadcast using 192.168.1.x.
(It's usually a good idea to use the '-i' flag to ensure you're masq'ing
only packets coming in from a certain interface, such as the one local to
your network.)


On Fri, 14 Jul 2000, Shane Boulter wrote:

#=- Hello all
#=-
#=- I have a poptop vpn server running internally at our office. If you are
#=- connected to the internal network you can establish a vpn connection to the
#=- server without any problems. However our internal office IPs are all in
#=- the private IP range and there is a linux firewall as our gateway. I have
#=- forwarded IP port 1723 to the poptop box and I can see that in the logs it
#=- is trying to establish a connection. However it is failing when trying to
#=- establish a gre tunnel. I have changed my firewall to be wide open and got
#=- it to work from outside the office. Now what I would like to do is just
#=- open up enough on the firewall to allow gre tunnels to be established. The
#=- commands I have run are
#=-
#=- ipchains -A forward -j ACCEPT -p 47 -s 192.168.1.0/24 -d 192.168.1.0/24
#=- ipchains -A forward -j ACCEPT -p 47 -s $externalnet -d 0/0
#=- ipchains -A input -j ACCEPT -p 47 -s 192.168.1.0/24 -d 0/0
#=- ipchains -A output -j ACCEPT -p 47 -s 192.168.1.0/24 -d 0/0
#=-
#=- Unfortunately it still doesn't work. Anyone have any ideas on what else I
#=- need to do to get this to work?
#=-
#=- Thank you
#=- Shane
#=-
#=- _______________________________________________
#=- pptp-server maillist - pptp-server at lists.schulte.org
#=- http://lists.schulte.org/mailman/listinfo/pptp-server
#=- List services provided by www.schulteconsulting.com!
#=-
#=-

Eric Harashevsky (eharashe at mediaone.net)
----------------------------------------------------------------
I've got a mind like a.. a.. what's that thing called?
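To make the spoofing concern in Eric's reply concrete, here is an added example (not code from the thread or from ipchains itself): a small constructed model of ipchains first-match semantics that runs the posted GRE rules and an interface-bound variant against a legitimate packet from the poptop server and a packet arriving on the external interface with a forged 192.168.1.x source. It assumes eth0 is external and eth1 internal as stated above; note that in ipchains the forward chain's `-i` names the interface a packet will leave on, so the check that rejects forged private sources belongs on the input chain, which is the rule Shane says he already has.

```python
from ipaddress import ip_address, ip_network

GRE = 47  # IP protocol number of the PPTP data tunnel (the thread's -p 47)

def rule(target, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0", iface=None):
    """One ipchains-style rule; iface is the -i interface name, if any."""
    return dict(target=target, proto=proto, src=ip_network(src),
                dst=ip_network(dst), iface=iface)

def first_match(chain, pkt, iface):
    """Target of the first rule matching pkt on iface; first match wins,
    no match falls through to an assumed DENY policy."""
    for r in chain:
        if r["proto"] is not None and r["proto"] != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in r["src"]:
            continue
        if ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        return r["target"]
    return "DENY"

def traverse(ruleset, pkt):
    """Input chain sees the arrival interface; in ipchains the forward
    chain's -i is the exit interface, so it sees where the packet leaves."""
    verdict = first_match(ruleset["input"], pkt, pkt["in_iface"])
    if verdict != "ACCEPT":
        return verdict
    return first_match(ruleset["forward"], pkt, pkt["out_iface"])

LAN = "192.168.1.0/24"
# Rules as posted: GRE from the LAN accepted on input, masqueraded on forward.
WEAK = {"input":   [rule("ACCEPT", GRE, src=LAN)],
        "forward": [rule("MASQ", GRE, src=LAN)]}
# Hardened: drop LAN-sourced packets arriving on the external interface first,
# accept GRE only from the internal interface, masquerade only out of eth0.
HARDENED = {"input":   [rule("DENY", src=LAN, iface="eth0"),
                        rule("ACCEPT", GRE, src=LAN, iface="eth1")],
            "forward": [rule("MASQ", GRE, src=LAN, iface="eth0")]}

def gre(src, dst, in_iface, out_iface):
    return dict(proto=GRE, src=src, dst=dst, in_iface=in_iface, out_iface=out_iface)

# Constructed packets; 203.0.113.5 is a documentation address for a roaming client.
LEGIT = gre("192.168.1.9", "203.0.113.5", "eth1", "eth0")     # poptop server outbound
SPOOFED = gre("192.168.1.77", "203.0.113.5", "eth0", "eth0")  # forged LAN source on eth0
```

With the posted rules both packets are masqueraded; with the hardened set the forged one is denied on input before the forward chain is consulted.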

