[pptp-server] linux to linux pptp connection

Jerry Vonau jvonau at home.com
Wed Nov 14 18:18:21 CST 2001


Jerry Vonau wrote:
> 
> Do you have to run NAT on this box?
> 
>  eth0 on linux firewall
>           DHCP to laptop
>           NAT to eth1
>          firewall rule: only packets going to pptp box are let thru
>       eth1
> You're only allowing PPTP to pass with this box, right?
> I'd just use a different subnet (192.168.2.0?)
> and filtering and straight forwarding (no MASQ or NAT)
> should do the same thing with less headache IMHO.
> 
> Jerry Vonau
> 
> HVR wrote:
> >
> > Jordan Share wrote:
> >
> > > Why not NAT the laptops to multiple addresses?  Thus:
> > > 10.1.1.1 -> 192.168.1.129
> > > 10.1.1.2 -> 192.168.1.130
> > > etc.
> > >
> > >
> > how do you set that up? i always thought that NAT/MASQ will masquerade all
> > packets as if they are coming from one IP address, can you actually NAT to
> > multiple addresses?
> > if yes that might solve my problem with pptp.
> >
> > > Or, just run the PPTP server on the linux box that is directly attached to
> > > the lucent basestation.
> > >
> > >
> > that won't work since we need the firewall linux box to only let packets out to
> > a trusted host inside the LAN (which is where we run pptp). if the firewall
> > does pptp then even laptops which do NOT go through a tunnel will have their
> > packets forwarded.
> >
> > > Jordan
> > >
> > >      -----Original Message-----
> > >      From: pptp-server-admin at lists.schulte.org
> > >      [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of HVR
> > >      Sent: Wednesday, November 14, 2001 9:34 AM
> > >      To: Jordan Share
> > >      Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de;
> > >      pptp-server at lists.schulte.org
> > >      Subject: Re: [pptp-server] linux to linux pptp connection
> > >
> > >      i think we are on to something, but let me explain my setup:
> > >
> > >      we have several win/2k and win98 laptops, they all have an Orinoco
> > >      wireless card, via this wireless card they connect to the lucent
> > >      basestation, this lucent basestation is plugged into eth0 of a
> > >      linux box firewall. the linux box does dhcp so all the laptops get
> > >      a 10.1.1.0/24 ip address, it then does MASQ/NAT and sends each
> > >      packet coming in on eth0 out on eth1, which is connected to our
> > >      LAN.
> > >
> > >      However it will ONLY forward packets going out on eth1 which are
> > >      going to the linux box running pptpd. pptpd box then authenticates
> > >      and assigns ip to the tunnels in the 192.168.1.0/24 range and then
> > >      NAT/MASQ the packets coming from within the tunnel out into the
> > >      LAN. doing this forces all over-the-air traffic (between laptop
> > >      client and the basestation) to be pptp encrypted (since only
> > >      packets going to the pptp server are forwarded, and these are
> > >      encrypted).
> > >
> > >      now the problem i have is that when multiple laptop clients are
> > >      NATed via the linux box firewall then pptp will only set up one
> > >      tunnel for all of them: quite messy!
> > >
> > >      picture(?):
> > >
> > >      laptop-W2k/w98
> > >      |
> > >      lucent basestation
> > >      |
> > >      eth0 on linux firewall
> > >          DHCP to laptop
> > >          NAT to eth1
> > >         firewall rule: only packets going to pptp box are let thru
> > >      eth1
> > >      | (this is our LAN)
> > >      |
> > >      pptp box
> > >          authenticate
> > >          NAT but only if from a pptp tunnel
> > >      |
> > >      internal LAN
> > >
> > >      With FreeS/WAN i would like to be able to set up IPsec from each
> > >      laptop, NAT them all via the firewall and have the pptp server
> > >      (now just running ipsec) be the receiving side.
> > >
> > >      so i need some fancy setup and i need ipsec support for win/2k and
> > >      win/98
> > >
> > >      Any comments greatly appreciated.
> > >
> > >      Jordan Share wrote:
> > >
> > >     > Ok, yes. If you have a Linux-to-Linux connection, then I think
> > >     > you'd be better off getting IPSec working, and a tunnel set up
> > >     > between your two subnets.
> > >     >
> > >     > Do you have a static IP on both ends?  That is really helpful,
> > >     > but I don't think it's needed (although I can't say for sure,
> > >     > since I do have a static IP on both ends).
> > >     >
> > >     > You have to make sure that the subnets that you are using are
> > >     > distinct.  For example, at work we are using the 10.1.1.0/24
> > >     > subnet, which I have connected to my network at home
> > >     > (192.168.0.0/24).  That way, a route can be set up (FreeS/WAN
> > >     > does this automatically at each end) for the destination subnet,
> > >     > after the IPSec tunnel comes up.
> > >     >
> > >     > You end up with something like this:
> > >     >
> > >     > LAN1 - 10.1.1.0/24
> > >     > |
> > >     > 10.1.1.1 -- eth0 on linuxbox1
> > >     > |
> > >     > linuxbox1
> > >     > |
> > >     > a.b.c.d -- eth1 on linuxbox1
> > >     > |
> > >     > Internet
> > >     > |
> > >     > w.x.y.z -- eth1 on linuxbox2
> > >     > |
> > >     > linuxbox2
> > >     > |
> > >     > 192.168.0.1
> > >     > |
> > >     > LAN2 - 192.168.0.0/24
> > >     >
> > >     > Then machines on my LAN at home send their packets to linuxbox2,
> > >     > which encrypts and tunnels them to linuxbox1, which decrypts and
> > >     > sends them on to the machines on LAN1.
> > >     >
> > >     > This kind of thing is really easy to set up with FreeS/WAN.  If
> > >     > you need to do windows browsing and whatnot, then you'd need to
> > >     > fool around with a WINS server for your network neighborhood to
> > >     > connect properly (Samba is working fine for us in this respect,
> > >     > although you probably are already using a WINS server if you
> > >     > have a windows domain).
> > >     >
> > >     > Jordan
> > >     >
> > >     > ----Original Message-----
> > >     > From: pptp-server-admin at lists.schulte.org [
> > >     > mailto:pptp-server-admin at lists.schulte.org ] On Behalf Of HVR
> > >     > Sent: Tuesday, November 13, 2001 11:55 AM
> > >     > To: Jordan Share
> > >     > Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de ;
> > >     > pptp-server at lists.schulte.org
> > >     > Subject: Re: [pptp-server] linux to linux pptp connection
> > >     >
> > >     >
> > >     >
> > >     >      Jordan Share wrote:
> > >     >
> > >     >      > For remote access, it's probably easier to get PPTP
> > >     >      > "dialin" working.  Freeswan does not support "remote"
> > >     >      > IPs in the same way.  You do not lease an IP address
> > >     >      > on the local network, you just encrypt the traffic to
> > >     >      > and from a given IP/Netmask.  This makes
> > >     >      > "roadwarrior" dialins a bit tricky.  If you have a
> > >     >      > static IP on the Win2k box, then it's very easy to
> > >     >      > set up the IPSec tunneling.  (Well, not easy,
> > >     >      > perhaps, but doable).  If you want to connect roaming
> > >     >      > dialin users, then you need to jump through some
> > >     >      > hoops, or just use PGPNet, or some other IPSec client
> > >     >      > software to manage things.
> > >     >      > The original post I was replying to was talking about
> > >     >      > using PPTP to connect two LANs together.  Which is
> > >     >      > something that I think is much better done with
> > >     >      > IPSec.
> > >     >      > Jordan
> > >     >      >
> > >     >
> > >     >      My problem is currently that i have multiple clients
> > >     >      behind a linux box doing NAT/masquerading. so when the
> > >     >      clients get to the pptp server they all seem to have
> > >     >      the same ip address and hence pptp will only create
> > >     >      one tunnel per ip and ALL clients will go through this,
> > >     >      which creates a big mess! i was hoping that we can
> > >     >      either change pptp to allow multiple tunnels per
> > >     >      ip-pair or that i can use FreeS/WAN somehow.
> > >     >
> > >     >      The clients are a mix of win/2k/98 they connect to the
> > >     >      linux box which will serve them an ip address via
> > >     >      dhcp, and then the box will NAT all their packets
> > >     >      which are then forwarded to the pptp server. and that
> > >     >      is where i get into problems...
> > >     >
> > >     >      i can explain why i am doing all this in case you are
> > >     >      interested.
> > >     >
> > >     >      > -----Original Message-----
> > >     >      > From: pptp-server-admin at lists.schulte.org
> > >     >      > [mailto:pptp-server-admin at lists.schulte.org]On Behalf
> > >     >      > Of
> > >     >      > hvrietsc at yahoo.com
> > >     >      > Sent: Monday, November 12, 2001 8:30 PM
> > >     >      > To: Jordan Share
> > >     >      > Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de;
> > >     >      > pptp-server at lists.schulte.org
> > >     >      > Subject: Re: [pptp-server] linux to linux pptp
> > >     >      > connection
> > >     >      > ok you got me curious, can i do the following with
> > >     >      > FreeS/WAN:
> > >     >      > one secure box running FreeS/WAN with one eth to the
> > >     >      > outside and one eth
> > >     >      > to the inside.
> > >     >      > then can i
> > >     >      > use win-2k and win 98 to connect to FreeS/WAN? if so
> > >     >      > what
> > >     >      > do they use for making the tunnels. for pptp
> > >     >      > connections i just have them use the built-in
> > >     >      > vpn connector or whatever M$ calls this. so what
> > >     >      > about ipsec? is this supported
> > >     >      > by win/2k and win98?
> > >     >      > On Mon, Nov 12, 2001 at 10:42:35AM -0800, Jordan
> > >     >      > Share wrote:
> > >     >      >
> > >     >      >>  I'd have to agree that FreeS/WAN is probably what
> > >     >      >>  you want to go with.  I've not had a tunnel go down
> > >     >      >>  yet.  (Well, as long as our DSL stays up.)  Also,
> > >     >      >>  you have the bonus that it interoperates with other
> > >     >      >>  IPSec implementations (an advantage you don't have
> > >     >      >>  with vtund).  I set up FreeS/WAN for connectivity
> > >     >      >>  to our backside LAN at the colo center (connecting
> > >     >      >>  to a Netscreen100 firewall), and since then have
> > >     >      >>  been easily able to add in tunnels for my network
> > >     >      >>  at home (FreeS/WAN) and to a coworker's Win2k box.
> > >     >      >>  Plus, I really feel that the experience you gain in
> > >     >      >>  setting up a FreeS/WAN tunnel is far more broadly
> > >     >      >>  applicable to other IPSec installations than
> > >     >      >>  setting up some proprietary tunneling product (such
> > >     >      >>  as vtund).
> > >     >      >>  There's no way I'd ever use PPTP to tunnel two LANs
> > >     >      >>  together, if I had a choice.  PPTP is for remote
> > >     >      >>  access, IMHO.
> > >     >      >>  Jordan
> > >     >      >>  -----Original Message-----
> > >     >      >>  From: pptp-server-admin at lists.schulte.org
> > >     >      >>  [mailto:pptp-server-admin at lists.schulte.org]On
> > >     >      >>  Behalf Of Jerry Vonau
> > >     >      >>  Sent: Saturday, November 10, 2001 9:50 AM
> > >     >      >>  To: Tom Eastep
> > >     >      >>  Cc: knollst at tronicplanet.de;
> > >     >      >>  pptp-server at lists.schulte.org
> > >     >      >>  Subject: Re: [pptp-server] linux to linux pptp
> > >     >      >>  connection
> > >     >      >>  Tom:
> > >     >      >>  Just figured out vtund, I'm testing it now.
> > >     >      >>  Have you played with it? Seems stable.
> > >     >      >>  Jerry Vonau
> > >     >      >>  Tom Eastep wrote:
> > >     >      >>
> > >     >      >> > On Saturday 10 November 2001 08:28 am, Jerry
> > >     >      >> > Vonau wrote:
> > >     >      >> >
> > >     >      >> >>  The fix is to have a reliable isp and hope their
> > >     >      >> >>  upstream is reliable.
> > >     >      >> >>
> > >     >      >> > Or switch to an IPSEC tunnel -- For Linux<->Linux
> > >     >      >> > tunneling, I've found
> > >     >      >> > FreeS/Wan to be more reliable than PPTP.
> > >     >      >> > -Tom
> > >     >      >> > --
> > >     >      >> > Tom Eastep    \  teastep at shorewall.net
> > >     >      >> > AIM: tmeastep  \  http://www.shorewall.net
> > >     >      >> > ICQ: #60745924  \_________________________
> > >     >      >> >
> > >     >      >>  _______________________________________________
> > >     >      >>  pptp-server maillist  -
> > >     >      >>  pptp-server at lists.schulte.org
> > >     >      >>  http://lists.schulte.org/mailman/listinfo/pptp-server
> > >     >      >>  --- To unsubscribe, go to the url just above this
> > >     >      >>  line. --
> > >     >      >>
> > >     >      >
> > >     >
> > >
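The thread turns on one mechanism: with many-to-one masquerading every laptop reaches the pptp box from the firewall's single address, and because GRE (the PPTP data channel) carries no port numbers there is nothing left to tell the laptops apart, so the server sees one peer. Jordan's per-host 1:1 NAT keeps one LAN-side address per laptop, and HVR's filter rule still only lets traffic to the pptp box leave eth1. The following Python model is an added example written for this page, not code from the thread or from pptpd or FreeS/WAN; the pptp box address (192.168.1.10), the firewall's eth1 address (192.168.1.1) and the laptop addresses are constructed values chosen to match the diagrams above.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed addresses following the diagrams in the thread. The pptp box and
# the firewall eth1 addresses are assumptions; the thread only gives the subnets.
PPTP_BOX = "192.168.1.10"
FIREWALL_ETH1 = "192.168.1.1"
LAPTOPS = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" for the PPTP control channel (TCP 1723), "gre" for tunnel data
    sport: int = 0  # GRE has no port field, so 0 whenever proto == "gre"


def forward_allowed(pkt: Packet) -> bool:
    """The firewall rule from the thread: only packets going to the pptp box leave eth1."""
    return pkt.dst == PPTP_BOX


class Masquerade:
    """Many-to-one NAT: every laptop leaves eth1 as FIREWALL_ETH1.

    TCP flows stay distinguishable because the source port is rewritten to a
    unique value per (laptop, port). GRE has no ports, so once the source
    address is collapsed nothing distinguishes two laptops' tunnel packets.
    """

    def __init__(self) -> None:
        self._next_port = 1024
        self._tcp_state: Dict[Tuple[str, int], int] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.proto != "tcp":
            # No port to rewrite: only the address changes.
            return Packet(FIREWALL_ETH1, pkt.dst, pkt.proto)
        key = (pkt.src, pkt.sport)
        if key not in self._tcp_state:
            self._tcp_state[key] = self._next_port
            self._next_port += 1
        return Packet(FIREWALL_ETH1, pkt.dst, "tcp", self._tcp_state[key])


class OneToOneNat:
    """Per-host SNAT as suggested in the thread: 10.1.1.N -> 192.168.1.(128+N).

    Each laptop keeps its own LAN-side address, so the pptp box sees one peer
    per laptop for both the control channel and the GRE data.
    """

    def __init__(self, laptops: List[str]) -> None:
        self._map: Dict[str, str] = {}
        for ip in laptops:
            host = int(ip.rsplit(".", 1)[1])
            self._map[ip] = f"192.168.1.{128 + host}"

    def translate(self, pkt: Packet) -> Packet:
        return Packet(self._map[pkt.src], pkt.dst, pkt.proto, pkt.sport)


def peers_seen_by_pptp_box(nat, laptops: List[str]) -> Dict[str, List[str]]:
    """Push each laptop's control connection, GRE data and one stray packet
    through the filter and the NAT; return, per protocol, the distinct peer
    addresses the pptp box ends up seeing."""
    seen: Dict[str, Set[str]] = {"tcp": set(), "gre": set()}
    for i, ip in enumerate(laptops):
        flows = [
            Packet(ip, PPTP_BOX, "tcp", 40000 + i),        # PPTP control channel
            Packet(ip, PPTP_BOX, "gre"),                    # tunnel data, IP proto 47
            Packet(ip, "192.168.1.50", "tcp", 40100 + i),   # not to the pptp box
        ]
        for pkt in flows:
            if not forward_allowed(pkt):
                continue  # dropped at the firewall, never reaches the LAN
            out = nat.translate(pkt)
            seen[out.proto].add(out.src)
    return {proto: sorted(addrs) for proto, addrs in seen.items()}


if __name__ == "__main__":
    print("masquerade:", peers_seen_by_pptp_box(Masquerade(), LAPTOPS))
    print("1:1 NAT:   ", peers_seen_by_pptp_box(OneToOneNat(LAPTOPS), LAPTOPS))
```

Running it shows the masquerade case collapsing all three laptops to a single GRE peer while the 1:1 mapping yields three; the stray packet to 192.168.1.50 is dropped by the filter in both cases. Jerry's alternative in the thread, a separate subnet with plain routing and no NAT at all, is the degenerate case of the 1:1 model where the translation is the identity, and it gives the pptp box the same per-laptop view with one less table to maintain.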