[pptp-server] masquerading VPN server (NT)

Cowles, Steve Steve at SteveCowles.com
Thu Mar 22 09:39:00 CST 2001


> -----Original Message-----
> From: Darren Kuik [mailto:littlekuke at hotmail.com]
> Sent: Thursday, March 22, 2001 8:46 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] masquerading VPN server (NT)
> 
> 
> Hi list,
> 
> I am trying to masquerade an NT server behind my linux 
> firewall gateway (RH7 kernel 2.2.17).  I have installed
> the vpn masq patch and ipmasqadm and ipfwd.
>
> I can masquerade clients going out from my LAN but I can't 
> seem to forward inbound connections to my server on the same LAN.
> 
> Someone suggested that I needed to install ms-chap and mppe. Is this true?


No! Since you are trying to establish a VPN to a (masq'd) MS based PPTP
server and not a linux based PPTP server, then you do not need to worry
about adding ms-chap/mppe support. Microsoft's PPTP server already supports
mschap/mppe.
  
> If so it's not in the VPN masquerade HOWTO.  So
> does anyone know what additional setup is required to masquerade
> a VPN server other than setting up ipfwd and ipmasqadm and setting
> up the appropriate filters using ipchains?

Sounds like you have taken care of the necessary prerequisites, i.e. vpn
masq patch, ipmasqadm and ipfwd. If you are still not able to establish an
inbound tunnel to your (masq'd) MS PPTP server, then one of the above is not
properly configured.

Since I run a masq'd PPTP server behind my linux firewall, I can only offer
the following examples. For the purpose of this post... My masq'd PPTP
server's IP address is 192.168.9.3 and the external IP address of my firewall
is 1.2.3.4.

---- ipfwd -----
ipfwd --masq 192.168.9.3 47 &
   to verify that ipfwd is running...
# ps auwx | grep ipfwd
root 1788  0.0  0.1 788 40  ?  S  Mar  7 0:00 ipfwd --masq 192.168.9.3 47 

---- ipmasqadm -----
ipmasqadm portfw -a -P tcp -L 1.2.3.4 1723 -R 192.168.9.3 1723
   to verify that ipmasqadm is properly configured
# ipmasqadm portfw -ln
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  1.2.3.4              192.168.9.3              1723     1723    10    10

Since I use Seawall ( http://seawall.sourceforge.net ) to setup my ipchain
rules for my firewall, the following rules are relevant for running a masq'd
PPTP server.

# ipchains -L -n | grep gre
ACCEPT   gre  ------  0.0.0.0/0    1.2.3.4     n/a

# ipchains -L -n | grep 1723
ACCEPT     tcp  ------  0.0.0.0/0    0.0.0.0/0   * ->   1723

... and the relevant modules
# lsmod
Module         Pages    Used by
ip_masq_pptp            4032   2
ip_masq_mfw             3040   0 (unused)
ip_masq_portfw          2328   6

Steve Cowles
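
The verification steps from the reply above, combined into one script (an added example, not part of the original post): it reads captured output of `ps auwx`, `ipmasqadm portfw -ln`, `ipchains -L -n` and `lsmod` and prints a label for each piece that is missing. The function names and printed labels are made up for this example; the addresses are the ones used in the post.

```shell
#!/bin/sh
# Added example: name the missing piece of a masq'd PPTP server setup.
# Inputs are captured command output (text), so the check also runs offline.
# On the firewall: diagnose "$(ps auwx)" "$(ipmasqadm portfw -ln)" \
#                           "$(ipchains -L -n)" "$(lsmod)"
SERVER=192.168.9.3   # masq'd PPTP server, address used in the post
EXTIP=1.2.3.4        # firewall external address, as used in the post

# any_line <awk condition> <text>: succeed if some line satisfies the condition
any_line() {
    printf '%s\n' "$2" |
        awk -v s="$SERVER" -v e="$EXTIP" "$1"' { f = 1 } END { exit !f }'
}

# diagnose <ps auwx> <ipmasqadm portfw -ln> <ipchains -L -n> <lsmod>
# Prints one hypothetical label per missing piece; prints nothing if all match.
diagnose() {
    # ipfwd must be relaying IP protocol 47 (GRE) to the PPTP server
    any_line '/ipfwd --masq/ && $(NF-1) == s && $NF == "47"' "$1" || echo ipfwd
    # TCP 1723 on the external address must be port-forwarded to the server
    any_line 'toupper($1) == "TCP" && $2 == e && $3 == s && $4 == "1723" && $5 == "1723"' \
        "$2" || echo portfw
    # ipchains must accept GRE addressed to the firewall ...
    any_line '$1 == "ACCEPT" && $2 == "gre" && ($5 == e || $5 == "0.0.0.0/0")' \
        "$3" || echo ipchains-gre
    # ... and the PPTP control connection on TCP 1723
    any_line '$1 == "ACCEPT" && $2 == "tcp" && $NF == "1723"' "$3" || echo ipchains-1723
    # masquerading helper modules listed in the post
    any_line '$1 == "ip_masq_pptp"' "$4" || echo ip_masq_pptp
    any_line '$1 == "ip_masq_portfw"' "$4" || echo ip_masq_portfw
}

# Constructed sample: the outputs shown in the post, with the portfw entry removed
PS_OUT='root 1788 0.0 0.1 788 40 ? S Mar 7 0:00 ipfwd --masq 192.168.9.3 47'
PORTFW_OUT='prot localaddr rediraddr lport rport pcnt pref'
CHAINS_OUT='ACCEPT   gre  ------  0.0.0.0/0    1.2.3.4     n/a
ACCEPT     tcp  ------  0.0.0.0/0    0.0.0.0/0   * ->   1723'
LSMOD_OUT='ip_masq_pptp            4032   2
ip_masq_portfw          2328   6'

diagnose "$PS_OUT" "$PORTFW_OUT" "$CHAINS_OUT" "$LSMOD_OUT"   # prints: portfw
```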


