[pptp-server] masquerading VPN server (NT)
Cowles, Steve
Steve at SteveCowles.com
Thu Mar 22 09:39:00 CST 2001
> -----Original Message-----
> From: Darren Kuik [mailto:littlekuke at hotmail.com]
> Sent: Thursday, March 22, 2001 8:46 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] masquerading VPN server (NT)
>
>
> Hi list,
>
> I am trying to masquerade an NT server behind my linux
> firewall gateway (RH7 kernel 2.2.17). I have installed
> the vpn masq patch and ipmasqadm and ipfwd.
>
> I can masquerade clients going out from my LAN but I can't
> seem to forward inbound connections to my server on the same LAN.
>
> Someone suggested that I needed to install ms-chap and mppe. Is this true?

No! Since you are trying to establish a VPN to a (masq'd) MS based PPTP
server and not a linux based PPTP server, then you do not need to worry
about adding ms-chap/mppe support. Microsoft's PPTP server already supports
mschap/mppe.

> If so it's not in the VPN masquerade HOWTO. So
> does anyone know what additional setup is required to masquerade
> a VPN server other than setting up ipfwd and ipmasqadm and setting
> up the appropriate filters using ipchains?

Sounds like you have taken care of the necessary prerequisites, i.e. vpn
masq patch, ipmasqadm and ipfwd. If you are still not able to establish an
inbound tunnel to your (masq'd) MS PPTP server, then one of the above is not
properly configured.

Since I run a masq'd PPTP server behind my linux firewall, I can only offer
the following examples. For the purpose of this post... My masq'd PPTP
server's IP address is 192.168.9.3 and the external IP address of my firewall
is 1.2.3.4

---- ipfwd -----
ipfwd --masq 192.168.9.3 47 &
to verify that ipfwd is running...
# ps auwx | grep ipfwd
root 1788 0.0 0.1 788 40 ? S Mar 7 0:00 ipfwd --masq 192.168.9.3 47
---- ipmasqadm -----
ipmasqadm portfw -a -P tcp -L 1.2.3.4 1723 -R 192.168.9.3 1723
to verify that ipmasqadm is properly configured
# ipmasqadm portfw -ln
prot localaddr       rediraddr       lport  rport  pcnt  pref
TCP  1.2.3.4         192.168.9.3     1723   1723   10    10
Since I use Seawall ( http://seawall.sourceforge.net ) to set up my ipchains
rules for my firewall, the following rules are relevant for running a masq'd
PPTP server.
# ipchains -L -n | grep gre
ACCEPT gre ------ 0.0.0.0/0 1.2.3.4 n/a
# ipchains -L -n | grep 1723
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1723
... and the relevant modules
# lsmod
Module           Pages  Used by
ip_masq_pptp      4032  2
ip_masq_mfw       3040  0 (unused)
ip_masq_portfw    2328  6
Steve Cowles
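
Added example, not part of the original post: a shell script that runs the verification steps shown above over saved command output and names whichever prerequisite is missing. The function names and check labels are made up for this example, and the sample captures are constructed from the outputs quoted in the post.

```shell
#!/bin/sh
# Reports which inbound-PPTP forwarding prerequisite from the post is missing.
# Each has_* check reads saved command output on stdin and exits 0 when satisfied.

has_ipfwd() {       # $1 = masq'd server IP; expects `ps auwx` output
    awk -v ip="$1" '{ for (i = 1; i <= NF - 3; i++)
        if ($i ~ /(^|\/)ipfwd$/ && $(i+1) == "--masq" && $(i+2) == ip && $(i+3) == "47") ok = 1 }
        END { exit !ok }'
}
has_portfw() {      # $1 = external IP, $2 = server IP; expects `ipmasqadm portfw -ln`
    awk -v l="$1" -v r="$2" 'toupper($1) == "TCP" && $2 == l && $3 == r &&
        $4 == 1723 && $5 == 1723 { ok = 1 } END { exit !ok }'
}
has_gre_accept() {  # $1 = external IP; expects `ipchains -L -n`
    awk -v l="$1" '$1 == "ACCEPT" && ($2 == "gre" || $2 == "47") &&
        ($5 == l || $5 == "0.0.0.0/0") { ok = 1 } END { exit !ok }'
}
has_1723_accept() { # expects `ipchains -L -n`
    awk '$1 == "ACCEPT" && $2 == "tcp" && $NF == 1723 { ok = 1 } END { exit !ok }'
}
has_module() {      # $1 = module name; expects `lsmod`
    awk -v m="$1" '$1 == m { ok = 1 } END { exit !ok }'
}

# Args: ext IP, server IP, then ps / portfw / ipchains / lsmod output as strings.
# Prints the space-separated names of failed checks (empty when all pass).
pptp_fwd_missing() {
    miss=""
    printf '%s\n' "$3" | has_ipfwd "$2"        || miss="$miss ipfwd"
    printf '%s\n' "$4" | has_portfw "$1" "$2"  || miss="$miss portfw-1723"
    printf '%s\n' "$5" | has_gre_accept "$1"   || miss="$miss ipchains-gre"
    printf '%s\n' "$5" | has_1723_accept       || miss="$miss ipchains-1723"
    for mod in ip_masq_pptp ip_masq_portfw; do
        printf '%s\n' "$6" | has_module "$mod" || miss="$miss $mod"
    done
    printf '%s\n' "${miss# }"
}

# Sample captures, constructed from the outputs quoted in the post.
PS_OUT='root 1788 0.0 0.1 788 40 ? S Mar 7 0:00 ipfwd --masq 192.168.9.3 47'
PORTFW_OUT='prot localaddr rediraddr lport rport pcnt pref
TCP 1.2.3.4 192.168.9.3 1723 1723 10 10'
CHAINS_OUT='ACCEPT gre ------ 0.0.0.0/0 1.2.3.4 n/a
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1723'
LSMOD_OUT='ip_masq_pptp 4032 2
ip_masq_portfw 2328 6'

echo "missing: [$(pptp_fwd_missing 1.2.3.4 192.168.9.3 "$PS_OUT" "$PORTFW_OUT" "$CHAINS_OUT" "$LSMOD_OUT")]"
```

On a live gateway the same checks can be fed directly, for example `ipmasqadm portfw -ln | has_portfw 1.2.3.4 192.168.9.3`.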