[pptp-server] VPN Masquerading Woes
Tom Eastep
teastep at evergo.net
Tue Aug 8 21:27:32 CDT 2000
Thus spoke Michael Walter:
> Thanks for the advice so far, but I am still having a lot of problems with
> this. I have read through the last 6 months of postings on this group as
> well as the vpn masq howto and everything I could find through web searches
> on the subject and I am still at square 1, just slightly more frustrated.
> These are the tools I am using:
>
> kernel-2.2.16-12.i386.rpm from the rawhide section of ftp.redhat.com (This
> comes with the vpn masq patch built in)
> also tried kernel-2.2.16 from www.kernel.org with
> ip_masq_vpn-2.2.15.patch.gz applied successfully.
> ipfwd-1.0.0-1.i386.rpm
> ipmasqadm-0.4.2-3.i386.rpm
>
> Here is my test configuration:
> =======================
> | Win2000 client |
> | 192.168.0.10/24 |
> =======================
> |
> =======================
> | 192.168.0.1/24 |
> | Linux Masq/Firewall |
> | 192.0.0.200/24 |
> =======================
> |
> =======================
> | 192.0.0.1 |
> | Linux VPN |
> | 10.0.0.15 |
> =======================
>
> I have the ip_masq_pptp.o module installed on the linux Masq/Firewall box,
> do I also need it on the Linux VPN? This is what my boot script looks like
> on the Linux Masq/Firewall:
>
> ipchains -F
> ipmasqadm portfw -f
> echo 1 > /proc/sys/net/ipv4/ip_forward
> insmod ip_masq_pptp
> insmod ip_masq_ftp
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward REJECT
> ipchains -A forward -s 192.168.0.0/24 -j MASQ
If you are masquerading the server, the above rule is ass-backwards. It
should be:
ipchains -A forward -s 192.0.0.0/24 -j MASQ
> ipmasqadm portfw -a -P tcp -L 192.168.0.1 1723 -R 192.0.0.1 1723
> ipmasqadm portfw -a -P udp -L 192.168.0.1 1723 -R 192.0.0.1 1723
The second rule above is harmless but unnecessary.
> ipfwd 192.168.0.10 47 &
Again, you have everything backward -- the address passed to ipfwd should
be that of the server.
>
> I have no problem connecting to the vpn server, but it basically never
> manages to authenticate the client. As a test too, I set all the addresses
> involved to non-private addresses, set the default gateway on the Vpn Server
> to the linux masq firewall, and enabled port forwarding without any masq-ing
> and things worked great. As soon as I masq the private addresses though,
> everything stops working. Is there some hidden issue involved in the use of
> private addresses that I haven't found? Has anyone gotten a configuration
> like this working,
Yes...
> am I overlooking something simple? Do I need to make any
> changes on the VPN Server itself?
>
Make the changes that I suggested above -- they should make a world of
difference...
-Tom
--
Tom Eastep \ Eastep's First Principle of Computing:
ICQ #60745924 \ "Any sane computer will tell you how it
teastep at evergo.net \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________
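An added example, not from the thread or the pptp-server project: a small audit of a boot script of the kind posted above, checking for the two mistakes pointed out in the reply (the MASQ rule covering the client side instead of the server's network, and ipfwd relaying GRE to the client instead of the server). The script text is a constructed excerpt of the posted configuration, and audit_pptp_masq is a hypothetical helper.

```python
import ipaddress
import shlex

# Constructed excerpt of the posted boot script, with its two mistakes,
# and the same lines after applying the corrections from the reply.
BROKEN = """
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipmasqadm portfw -a -P tcp -L 192.168.0.1 1723 -R 192.0.0.1 1723
ipmasqadm portfw -a -P udp -L 192.168.0.1 1723 -R 192.0.0.1 1723
ipfwd 192.168.0.10 47 &
"""
FIXED = (BROKEN.replace("192.168.0.0/24", "192.0.0.0/24")
               .replace("ipfwd 192.168.0.10", "ipfwd 192.0.0.1"))

def audit_pptp_masq(script, server_ip):
    """Return the problems found when server_ip is the masqueraded PPTP server."""
    server = ipaddress.ip_address(server_ip)
    masq_nets, fwd_targets, gre_targets = [], [], []
    for line in script.splitlines():
        argv = shlex.split(line.split("#")[0])
        if not argv:
            continue
        # ipchains ... -s NET ... -j MASQ : which source network is masqueraded
        if argv[0] == "ipchains" and "-j" in argv and "-s" in argv \
                and argv[argv.index("-j") + 1] == "MASQ":
            net = argv[argv.index("-s") + 1]
            masq_nets.append(ipaddress.ip_network(net, strict=False))
        # ipmasqadm portfw -a -P PROTO -L EXT PORT -R INT PORT : control channel
        elif argv[0] == "ipmasqadm" and argv[1:3] == ["portfw", "-a"] and "-R" in argv:
            r = argv.index("-R")
            proto = argv[argv.index("-P") + 1]
            fwd_targets.append((proto, ipaddress.ip_address(argv[r + 1]), int(argv[r + 2])))
        # ipfwd ADDR PROTO : where GRE (protocol 47) is relayed
        elif argv[0] == "ipfwd" and len(argv) >= 3:
            gre_targets.append((ipaddress.ip_address(argv[1]), int(argv[2])))
    problems = []
    if not any(server in n for n in masq_nets):
        problems.append("no MASQ rule covers the server %s (masquerading the wrong side?)" % server)
    if ("tcp", server, 1723) not in fwd_targets:
        problems.append("no TCP/1723 portfw to the server %s" % server)
    if (server, 47) not in gre_targets:
        problems.append("ipfwd does not relay GRE (protocol 47) to the server %s" % server)
    return problems

if __name__ == "__main__":
    for name, script in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_pptp_masq(script, "192.0.0.1") or "OK")
```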