[pptp-server] VPN Masquerading Woes
Michael Walter
walterm at Gliatech.com
Tue Aug 8 10:38:36 CDT 2000
Thanks for the advice so far, but I am still having a lot of problems with
this. I have read through the last 6 months of postings on this group as
well as the vpn masq howto and everything I could find through web searches
on the subject and I am still at square 1, just slightly more frustrated.
These are the tools I am using:
kernel-2.2.16-12.i386.rpm from the rawhide section of ftp.redhat.com (This
comes with the vpn masq patch built in)
also tried kernel-2.2.16 from www.kernel.org with
ip_masq_vpn-2.2.15.patch.gz applied successfully.
ipfwd-1.0.0-1.i386.rpm
ipmasqadm-0.4.2-3.i386.rpm
Here is my test configuration:
=======================
|   Win2000 client    |
|   192.168.0.10/24   |
=======================
           |
=======================
|   192.168.0.1/24    |
| Linux Masq/Firewall |
|   192.0.0.200/24    |
=======================
           |
=======================
|      192.0.0.1      |
|      Linux VPN      |
|      10.0.0.15      |
=======================
I have the ip_masq_pptp.o module installed on the Linux Masq/Firewall box.
Do I also need it on the Linux VPN? This is what my boot script looks like
on the Linux Masq/Firewall:
ipchains -F
ipmasqadm portfw -f
echo 1 > /proc/sys/net/ipv4/ip_forward
insmod ip_masq_pptp
insmod ip_masq_ftp
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward REJECT
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipmasqadm portfw -a -P tcp -L 192.168.0.1 1723 -R 192.0.0.1 1723
ipmasqadm portfw -a -P udp -L 192.168.0.1 1723 -R 192.0.0.1 1723
ipfwd 192.168.0.10 47 &
I have no problem connecting to the VPN server, but it basically never
manages to authenticate the client. As a test too, I set all the addresses
involved to non-private addresses, set the default gateway on the VPN Server
to the Linux masq firewall, and enabled port forwarding without any masq-ing
and things worked great. As soon as I masq the private addresses though,
everything stops working. Is there some hidden issue involved in the use of
private addresses that I haven't found? Has anyone gotten a configuration
like this working? Am I overlooking something simple? Do I need to make any
changes on the VPN Server itself?
Thanks,
Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
-----Original Message-----
From: Tom Eastep [mailto:teastep at evergo.net]
Sent: Friday, August 04, 2000 1:34 PM
To: Michael Walter
Cc: PPTPD User Group (E-mail)
Subject: Re: [pptp-server] VPN Masquerading Woes
Thus spoke Michael Walter:
> Hello All,
>
> I am working on a test configuration that I am hoping to roll into
> production soon. I have a win2000 client connecting through a linux masq
> box to a poptop server. When I connect, the win2000 client makes it to the
> Verifying Username and Password stage and eventually gives Error 619: the
> specified port is not connected. I have tested the same configuration with
> the client connected directly to the poptop vpn and it works flawlessly. I
> have also tried this with several different clients against the test and
> our production poptop vpn's with the same results. I have the chap-secrets
> and pap-secrets files set up correctly and they both contain the login I am
> trying to use. Has anyone had these kinds of problems with VPN
> masquerading? If so, did you find any type of resolution? Thanks in advance
> for any help,
>
You must:
a) patch your kernel as described at
http://www.wolfenet.com/~jhardin/ip_masq_vpn.html.
b) run ipfwd on the gateway system:
ipfwd --masq <pptp-server IP addr> 47
c) Port forward port 1723 to the server.
-Tom
--
Tom Eastep \ Eastep's First Principle of Computing:
ICQ #60745924 \ "Any sane computer will tell you how it
teastep at evergo.net \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________
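
An added example, not part of the original thread or of the poptop project: PPTP carries its control connection on TCP port 1723 and the PPP session, including authentication, in GRE (IP protocol 47), so a client that connects but stalls at authentication is worth checking for GRE in both directions. This Python code classifies raw IPv4 packets and reports which legs are absent; the packets in SAMPLE are constructed, using the gateway and server addresses from the diagram in the message, and the function names are this example's own.

```python
import socket
import struct
from collections import Counter

PPTP_TCP_PORT = 1723   # control connection (the port forwarded on the page)
IPPROTO_GRE = 47       # the "47" handed to ipfwd on the page
GRE_PPP = 0x880B       # protocol type of PPTP's enhanced GRE header (RFC 2637)

def classify(pkt):
    """Return (kind, src, dst, call_id) for a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    body = pkt[(pkt[0] & 0x0F) * 4:]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if pkt[9] == socket.IPPROTO_TCP and len(body) >= 4:
        if PPTP_TCP_PORT in struct.unpack("!HH", body[:4]):
            return ("control", src, dst, None)
    elif pkt[9] == IPPROTO_GRE and len(body) >= 8:
        flags, ptype, _plen, call_id = struct.unpack("!HHHH", body[:8])
        # Version 1 with the Key bit set; the key's low 16 bits are the Call ID.
        if flags & 0x0007 == 1 and flags & 0x2000 and ptype == GRE_PPP:
            return ("gre", src, dst, call_id)
    return None

def missing_legs(packets, client, server):
    """List the (kind, direction) pairs that never appear between two hosts."""
    seen = Counter()
    for hit in filter(None, map(classify, packets)):
        if (hit[1], hit[2]) == (client, server):
            seen[(hit[0], "client->server")] += 1
        elif (hit[1], hit[2]) == (server, client):
            seen[(hit[0], "server->client")] += 1
    wanted = [(k, d) for k in ("control", "gre")
              for d in ("client->server", "server->client")]
    return [leg for leg in wanted if not seen[leg]]

def _ip(src, dst, proto, payload):
    """Build a constructed sample IPv4 packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

GW, SRV = "192.0.0.200", "192.0.0.1"   # addresses from the diagram on the page
TCP = lambda sp, dp: struct.pack("!HH", sp, dp) + bytes(16)
GRE = lambda cid: struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, cid, 1)
SAMPLE = [_ip(GW, SRV, 6, TCP(1025, 1723)), _ip(SRV, GW, 6, TCP(1723, 1025)),
          _ip(GW, SRV, 47, GRE(7)), _ip(GW, SRV, 47, GRE(7))]   # constructed

if __name__ == "__main__":
    print(missing_legs(SAMPLE, GW, SRV))   # [('gre', 'server->client')]
```

Feeding it packets captured on each side of the masquerading box shows on which interface the GRE leg disappears.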