[pptp-server] linux to linux pptp connection

HVR hvrietsc at yahoo.com
Wed Nov 14 14:12:01 CST 2001



Jordan Share wrote:

> Why not NAT the laptops to multiple addresses?  Thus:
>
> 10.1.1.1 -> 192.168.1.129
>
> 10.1.1.2 -> 192.168.1.130
>
> etc.
>
>
how do you set that up? i always thought that NAT/MASQ would masquerade 
all packets as if they were coming from one IP address; can you actually 
NAT to multiple addresses?
if yes, that might solve my problem with pptp.

> Or, just run the PPTP server on the linux box that is directly 
> attached to the lucent basestation.
>
>
that won't work since we need the firewall linux box to only let packets 
out to a trusted host inside the LAN (which is where we run pptp). if 
the firewall does pptp then even laptops which do NOT go through a tunnel 
will have their packets forwarded.

> Jordan
>
>     -----Original Message-----
>     *From:* pptp-server-admin at lists.schulte.org
>     [mailto:pptp-server-admin at lists.schulte.org]* On Behalf Of *HVR
>     *Sent:* Wednesday, November 14, 2001 9:34 AM
>     *To:* Jordan Share
>     *Cc:* Jerry Vonau; Tom Eastep; knollst at tronicplanet.de;
>     pptp-server at lists.schulte.org
>     *Subject:* Re: [pptp-server] linux to linux pptp connection
>
>     i think we are on to something, but let me explain my setup:
>
>     we have several win/2k and win98 laptops, they all have an Orinoco
>     wireless card, via this wireless card they connect to the lucent
>     basestation, this lucent basestation is plugged into eth0 of a
>     linux box firewall. the linux box does dhcp so all the laptops get
>     a 10.1.1.0/24 ip address, it then does MASQ/NAT and sends each
>     packet coming in on eth0 out on eth1, which is connected to our LAN.
>
>     However it will ONLY forward packets going out on eth1 which are
>     going to the linux box running pptpd. pptpd box then authenticates
>     and assigns ip to the tunnels in the 192.168.1.0/24 range and then
>     NAT/MASQ the packets coming from within the tunnel out into the
>     LAN. doing this forces all over the air traffic (between laptop
>     client and the basestation) to be pptp encrypted (since only
>     packets going to the pptp server are forwarded, and these are
>     encrypted).
>
>     now the problem i have is that when multiple laptop clients are
>     NATed via the linux box firewall then pptp will only set up one
>     tunnel for all of them: quite messy!
>
>     picture(?):
>
>     laptop-W2k/w98
>     |
>     lucent basestation
>     |
>     eth0 on linux firewall
>         DHCP to laptop
>         NAT to eth1
>        firewall rule: only packets going to pptp box are let thru
>     eth1
>     | (this is our LAN)
>     |
>     pptp box
>         authenticate
>         NAT but only if from a pptp tunnel
>     |
>     internal LAN
>
>     With frees/wan i would like to be able to setup IPsec from each
>     laptop, NAT them all via the firewall and have the pptp server
>     (now just running ipsec) be the receiving side.
>
>     so i need some fancy setup and i need ipsec support for win/2k and
>     win/98
>
>     Any comments greatly appreciated.
>
>     Jordan Share wrote:
>
>>     Ok, yes. If you have a Linux-to-Linux connection, then I think
>>     you'd be better off getting IPSec working, and a tunnel set up
>>     between your two subnets.
>>
>>
>>     Do you have a static IP on both ends?  That is really helpful,
>>     but I don't think it's needed (although I can't say for sure,
>>     since I do have a static IP on both ends).
>>
>>
>>     You have to make sure that the subnets that you are using are
>>     distinct.  For example, at work we are using the 10.1.1.0/24
>>     subnet, which I have connected to my network at home
>>     (192.168.0.0/24).  That way, a route can be set up (FreeS/WAN
>>     does this automatically at each end) for the destination subnet,
>>     after the IPSec tunnel comes up.
>>
>>
>>     You end up with something like this:
>>
>>
>>     LAN1 - 10.1.1.0/24
>>
>>     |
>>
>>     10.1.1.1 -- eth0 on linuxbox1
>>
>>     |
>>
>>     linuxbox1
>>
>>     |
>>
>>     a.b.c.d -- eth1 on linuxbox1
>>
>>     |
>>
>>     Internet
>>
>>     |
>>
>>     w.x.y.z -- eth1 on linuxbox2
>>
>>     |
>>
>>     linuxbox2
>>
>>     |
>>
>>     192.168.0.1
>>
>>     |
>>
>>     LAN2 - 192.168.0.0/24
>>
>>
>>     Then machines on my LAN at home send their packets to linuxbox2,
>>     which encrypts and tunnels them to linuxbox1, which decrypts and
>>     sends them on to the machines on LAN1.
>>
>>
>>     This kind of thing is really easy to set up with FreeS/WAN.  If
>>     you need to do windows browsing and whatnot, then you'd need to
>>     fool around with a WINS server for your network neighborhood to
>>     connect properly (Samba is working fine for us in this respect,
>>     although you probably are already using a WINS server if you have
>>     a windows domain).
>>
>>
>>     Jordan
>>
>>
>>     ----Original Message-----
>>     *From:* pptp-server-admin at lists.schulte.org
>>     <mailto:pptp-server-admin at lists.schulte.org> [
>>     mailto:pptp-server-admin at lists.schulte.org ]* On Behalf Of *HVR
>>     *Sent:* Tuesday, November 13, 2001 11:55 AM
>>     *To:* Jordan Share
>>     *Cc:* Jerry Vonau; Tom Eastep; knollst at tronicplanet.de
>>     <mailto:knollst at tronicplanet.de> ; pptp-server at lists.schulte.org
>>     <mailto:pptp-server at lists.schulte.org>
>>     *Subject:* Re: [pptp-server] linux to linux pptp connection
>>
>>
>>
>>         Jordan Share wrote:
>>
>>>For remote access, it's probably easier to get PPTP "dialin" working.  Freeswan does not support "remote" IPs in the same way.  You do not lease an IP address on the local network, you just encrypt the traffic to and from a given IP/Netmask.  This makes "roadwarrior" dialins a bit tricky.  If you have a static IP on the Win2k box, then it's very easy to set up the IPSec tunneling.  (Well, not easy, perhaps, but doable).  If you want to connect roaming dialin users, then you need to jump through some hoops, or just use PGPNet, or some other IPSec client software to manage things.
>>>
>>>The original post I was replying to was talking about using PPTP to connect two LANs together.  Which is something that I think is much better done with IPSec.
>>>
>>>Jordan
>>>
>>
>>         My problem currently is that i have multiple clients behind a
>>         linux box doing NAT/masquerading. so when the clients get to
>>         the pptp server they all seem to have the same ip address and
>>         hence pptp will only create one tunnel per ip and ALL
>>         clients will go thru this, which creates a big mess! i was
>>         hoping that we can either change pptp to allow multiple
>>         tunnels per ip-pair or that i can use FreeS/wan somehow.
>>
>>         The clients are a mix of win/2k/98 they connect to the linux
>>         box which will serve them an ip address via dhcp, and then
>>         the box will NAT all their packets which are then forwarded
>>         to the pptp server. and that is where i get into problems...
>>
>>         i can explain why i am doing all this in case you are interested.
>>
>>>
>>>-----Original Message-----
>>>From: pptp-server-admin at lists.schulte.org <mailto:pptp-server-admin at lists.schulte.org>
>>>[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
>>>hvrietsc at yahoo.com <mailto:hvrietsc at yahoo.com>
>>>Sent: Monday, November 12, 2001 8:30 PM
>>>To: Jordan Share
>>>Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de <mailto:knollst at tronicplanet.de>;
>>>pptp-server at lists.schulte.org <mailto:pptp-server at lists.schulte.org>
>>>Subject: Re: [pptp-server] linux to linux pptp connection
>>>
>>>
>>>ok you got me curious, can i do the following with frees/wan:
>>>
>>>one secure box running frees/wan with one eth to the outside and one eth
>>>to the inside.
>>>
>>>then can i use win-2k and win 98 to connect to frees/wan? if so what
>>>do they use for making the tunnels. for pptp connections i just have them use the built-in
>>>vpn connector or whatever M$ calls this. so what about ipsec? is this supported
>>>by win/2k and win98?
>>>
>>>On Mon, Nov 12, 2001 at 10:42:35AM -0800, Jordan Share wrote:
>>>
>>>>I'd have to agree that FreeS/WAN is probably what you want to go with.  I've not had a tunnel go down yet.  (Well, as long as our DSL stays up.)  Also, you have the bonus that it interoperates with other IPSec implementations (an advantage you don't have with vtund).  I set up FreeS/WAN for connectivity to our backside LAN at the colo center (connecting to a Netscreen100 firewall), and since then have been easily able to add in tunnels for my network at home (FreeS/WAN) and to a coworker's Win2k box.
>>>>
>>>>Plus, I really feel that the experience you gain in setting up a FreeS/WAN tunnel is far more broadly applicable to other IPSec installations than setting up some proprietary tunneling product (such as vtund).
>>>>
>>>>There's no way I'd ever use PPTP to tunnel two LANs together, if I had a choice.  PPTP is for remote access, IMHO.
>>>>
>>>>Jordan
>>>>
>>>>-----Original Message-----
>>>>From: pptp-server-admin at lists.schulte.org <mailto:pptp-server-admin at lists.schulte.org>
>>>>[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jerry Vonau
>>>>Sent: Saturday, November 10, 2001 9:50 AM
>>>>To: Tom Eastep
>>>>Cc: knollst at tronicplanet.de <mailto:knollst at tronicplanet.de>; pptp-server at lists.schulte.org <mailto:pptp-server at lists.schulte.org>
>>>>Subject: Re: [pptp-server] linux to linux pptp connection
>>>>
>>>>
>>>>Tom:
>>>>
>>>>Just figured out vtund, I'm testing it now.
>>>>Have you played with it? Seems stable.
>>>>
>>>>Jerry Vonau
>>>>
>>>>Tom Eastep wrote:
>>>>
>>>>>On Saturday 10 November 2001 08:28 am, Jerry Vonau wrote:
>>>>>
>>>>>>The fix is to have a reliable isp and hope their upstream is reliable.
>>>>>>
>>>>>Or switch to an IPSEC tunnel -- For Linux<->Linux tunneling, I've found
>>>>>FreeS/Wan to be more reliable than PPTP.
>>>>>
>>>>>-Tom
>>>>>--
>>>>>Tom Eastep    \  teastep at shorewall.net <mailto:teastep at shorewall.net>
>>>>>AIM: tmeastep  \  http://www.shorewall.net
>>>>>ICQ: #60745924  \_________________________
>>>>>
>>>>_______________________________________________
>>>>pptp-server maillist  -  pptp-server at lists.schulte.org <mailto:pptp-server at lists.schulte.org>
>>>>http://lists.schulte.org/mailman/listinfo/pptp-server
>>>>--- To unsubscribe, go to the url just above this line. --
>>>>
>>>
>>
>

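Added example, not written by anyone in this thread: what the per-laptop NAT Jordan proposes (10.1.1.1 -> 192.168.1.129, 10.1.1.2 -> 192.168.1.130, ...) looks like as firewall rules, next to the single-address masquerade HVR is running now, together with the "only forward packets going to the pptp box" restriction. The masquerade collapses every laptop onto the firewall's own address, and since GRE carries no port numbers the pptp server has nothing but the source address to tell peers apart, which is why it ends up with one tunnel for everybody; a fixed SNAT per laptop gives pptpd a distinct peer address per client. Assumptions: the firewall uses iptables (the thread only says "NAT/MASQ"), the interfaces eth0/eth1 and the address ranges are the ones from the thread, the pptpd address 192.168.1.10 is a constructed placeholder, and the mapping table is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables on the Linux
# firewall (thread only says "NAT/MASQ"); eth0/eth1, 10.1.1.0/24 and the
# 192.168.1.129+ range are from the thread, PPTP_SERVER is a constructed
# placeholder.
PPTP_SERVER="${PPTP_SERVER:-192.168.1.10}"   # placeholder address of the pptpd box
LAN_IF="${LAN_IF:-eth0}"                     # basestation side (laptops)
WAN_IF="${WAN_IF:-eth1}"                     # office LAN side

# Constructed mapping table: laptop address -> fixed address it leaves eth1 with.
MAPPING='10.1.1.1 192.168.1.129
10.1.1.2 192.168.1.130
10.1.1.3 192.168.1.131'

# run: print the command when DRY_RUN is set, otherwise execute it (needs root).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The setup HVR describes: every laptop leaves eth1 as the firewall itself,
# so pptpd sees one peer address and builds one tunnel for all of them.
masquerade_all() {
    run iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o "$WAN_IF" -j MASQUERADE
}

# Jordan's suggestion: one SNAT rule per laptop, so each client reaches pptpd
# from its own address and gets its own TCP/1723 control connection and GRE tunnel.
one_to_one_nat() {
    printf '%s\n' "$MAPPING" | while read -r inner outer; do
        [ -n "$inner" ] || continue
        run iptables -t nat -A POSTROUTING -s "$inner" -o "$WAN_IF" -j SNAT --to-source "$outer"
    done
}

# The forwarding restriction from the thread: laptop traffic is only forwarded
# when it is PPTP to the pptpd box, i.e. TCP/1723 (control) and GRE, protocol 47
# (tunnel data). GRE replies are accepted explicitly because plain connection
# tracking has no ports to match them on.
forward_only_pptp() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s 10.1.1.0/24 -d "$PPTP_SERVER" -p tcp --dport 1723 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s 10.1.1.0/24 -d "$PPTP_SERVER" -p gre -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PPTP_SERVER" -d 10.1.1.0/24 -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PPTP_SERVER" -d 10.1.1.0/24 -p gre -j ACCEPT
}

# Usage:  DRY_RUN=1 sh pptp-nat.sh show      (print the rules)
#         sh pptp-nat.sh apply               (install them, as root)
case "${1:-}" in
    show)  DRY_RUN=1; forward_only_pptp; one_to_one_nat ;;
    apply) forward_only_pptp; one_to_one_nat ;;
esac
```

With these rules in place, pptpd sees 192.168.1.129, .130 and .131 as three separate peers instead of one; the masquerade_all function is kept only to show the rule that causes the single-tunnel behaviour and is not called by either mode.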