[pptp-server] LAN to LAN pptp connection (ipchains involved)

Gord Belsey gord at amador.ca
Tue Aug 8 10:38:19 CDT 2000


Jeffrey:

Good point....after re-reading your original post, if I've got it right, you
want to eliminate the Windows PPTP clients and just access the remote LAN
via the Linux PPTP-to-server pipe.  Assuming I understand correctly, this is
how I'm using PPTP.  Here are some things I came across:

To get the Linux client working through ipchains, I opened up access for the
PPTP server completely on the input chain (you can be more selective):

ipchains -A input -s <server-ip-addr/mask> -d 0.0.0.0/0.0.0.0 -j ACCEPT
ipchains -A input -s <serverside-LAN-addr-range/mask> -d 0.0.0.0/0.0.0.0 -j ACCEPT

On the client side, I use MASQuerade to let the Windows PCs surf/email on
the Internet.  So, I have two entries, one to allow traffic from the client
LAN to the server LAN unmasqueraded, and the rest masqueraded:

ipchains -A forward -s <client-LAN-addr-range/mask> -d <serverside-LAN-addr-range/mask> -j ACCEPT
ipchains -A forward -s <client-LAN-addr-range/mask> -d 0.0.0.0/0.0.0.0 -j MASQ

On a side note, you've probably already got this covered, but I also needed
route statements on both the client and server.  Because the client goes up
and down, I do this in /etc/ppp/ip-up.local.  I use the $1 through $5
variables provided by PPP to build the route statement.  On the server side,
I do something similar, but I have the remote LAN addressing info in a file
and grep it out.

I hope this is (more) helpful.

Gord Belsey
----- Original Message -----
From: Jeffrey Hummel <jhummel at fulltilt.com>
To: <gord at amador.ca>; <pptp-server at lists.schulte.org>
Sent: Tuesday, August 08, 2000 9:01 AM
Subject: RE: [pptp-server] LAN to LAN pptp connection (ipchains involved)


> Thanks for that, but that's not the problem, otherwise I wouldn't be able
> to access the PPTP server inside the Cisco FW.  That works fine - I currently
> have over 100 PPTP windoze and Linux clients running without a hitch.  Cisco
> firewall I know, it's ipchains that gets confusing to me.
>
> -J
>
> -----Original Message-----
> From: gord at amador.ca [mailto:gord at amador.ca]
> Sent: Tuesday, August 08, 2000 10:56 AM
> To: Jeffrey Hummel; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] LAN to LAN pptp connection (ipchains
> involved)
>
>
> Hi Jeffrey:
>
> One thing to watch for is the Cisco firewall....it has to allow both TCP
> port 1723 and protocol 47 (GRE) through.  The GRE is a separate access
> list....I don't have it handy, but if you have CCO access Cisco TAC will
> set you up.
>
> Hope this is helpful
>
> Gord Belsey
> ----- Original Message -----
> From: Jeffrey Hummel <jhummel at fulltilt.com>
> To: <pptp-server at lists.schulte.org>
> Sent: Monday, August 07, 2000 1:59 PM
> Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)
>
>
> > Hello All,
> >
> > I have been running Poptop and WinNT PPTP and a linux pptp client rather
> > flawlessly several ways.  My next solution is a PPTP LAN to LAN
> > connection.  I have tried several ways to configure PPTP and ipchains but
> > I believe it is an ipchains problem where I get stupid.  Here is my scenario:
> >
> > Windoze LAN --> Linux IPCHAINS FW / PPTP client --> Internet --> Cisco
> > rules-based FW --> PPTP Server (WinNT)
> >
> > If I don't have any ipchains rules running, the Linux pptp client works
> > great and from that box I can see the entire PPTP server LAN.  What I want
> > to do is route all of the traffic from my Windoze LAN thru the PPTP server
> > LAN.  I have said to accept the PPTP client and server ip range and also
> > the PPTP server ip lan range.  No good.  I think I am missing something w/
> > PPTP.  I can give you my ipchains script if you want.
> >
> > Anyone interested in tackling this one with me?  I would appreciate any
> > and all help as usual.
> >
> > -Jeff
> >
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> >
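The client-side gateway setup described in the thread, as an added example that is not from any of the messages: it admits only the TCP 1723 control replies and GRE (protocol 47) from the PPTP server instead of opening the server completely, keeps the unmasqueraded LAN-to-LAN ACCEPT ahead of the catch-all MASQ, and builds the route in an ip-up.local-style hook from pppd's $1..$5 parameters. All addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: client-side ipchains rules for a
# Linux PPTP gateway plus an ip-up.local route hook. Addresses below are
# constructed placeholders; replace them with your own.
PPTP_SERVER="203.0.113.10/32"    # public address of the PPTP server
SERVER_NET="192.168.2.0"         # LAN behind the PPTP server
SERVER_MASK="255.255.255.0"
SERVER_LAN="$SERVER_NET/24"
CLIENT_LAN="192.168.1.0/24"      # Windows LAN behind this Linux box
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them

run() {  # echo or execute a command, depending on DRY_RUN
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Input chain: rather than accepting everything from the server, admit only
# what PPTP needs from it (replies on the TCP 1723 control connection and
# the GRE tunnel, IP protocol 47) plus traffic from the server-side LAN.
pptp_input_rules() {
    run ipchains -A input -p tcp -s "$PPTP_SERVER" 1723 -d 0.0.0.0/0 -j ACCEPT
    run ipchains -A input -p 47 -s "$PPTP_SERVER" -d 0.0.0.0/0 -j ACCEPT
    run ipchains -A input -s "$SERVER_LAN" -d 0.0.0.0/0 -j ACCEPT
}

# Forward chain: order matters. ipchains stops at the first match, so the
# unmasqueraded LAN-to-LAN ACCEPT must be appended before the catch-all MASQ.
pptp_forward_rules() {
    run ipchains -A forward -s "$CLIENT_LAN" -d "$SERVER_LAN" -j ACCEPT
    run ipchains -A forward -s "$CLIENT_LAN" -d 0.0.0.0/0 -j MASQ
}

# /etc/ppp/ip-up.local hook. pppd passes interface, tty, speed, local IP
# and remote IP as $1..$5; route the server LAN over the new ppp link.
pptp_ip_up() {
    iface="$1"; remote_ip="$5"
    case "$iface" in
        ppp*) run route add -net "$SERVER_NET" netmask "$SERVER_MASK" gw "$remote_ip" dev "$iface" ;;
        *) echo "not a ppp interface: $iface" >&2; return 1 ;;
    esac
}

# Preview the rule set (run with DRY_RUN=0 to apply it for real).
pptp_input_rules
pptp_forward_rules
```

Install the `pptp_ip_up` part as /etc/ppp/ip-up.local so the route is re-added each time the link comes up.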