[pptp-server] linux to linux pptp connection
Jerry Vonau
jvonau at home.com
Wed Nov 14 18:18:21 CST 2001
Jerry Vonau wrote:
>
> Do you have to run NAT on this box?
>
> eth0 on linux firewall
> DHCP to laptop
> NAT to eth1
> firewall rule: only packets going to pptp box are let thru
> eth1
> Your only allowing PPTP to pass with this box right?
> I'd just use a different subnet (192.168.2.0?)
> and filtering and straight forwarding (no MASQ or NAT)
> should do the same thing with less headache IMHO.
>
> Jerry Vonau
>
> HVR wrote:
> >
> > Jordan Share wrote:
> >
> > > Why not NAT the laptops to multiple addresses? Thus:
> > > 10.1.1.1 -> 192.168.1.129
> > > 10.1.1.2 -> 192.168.1.130
> > > etc.
> > >
> > >
> > how do you set that up? i always thought that NAT/MASQ will masquerade all
> > packets as if they are coming from one IP address, can you actually NAT to
> > multiple addresses?
> > if yes that might solve my problem with pptp.
> >
> > > Or, just run the PPTP server on the linux box that is directly attached to
> > > the lucent basestation.
> > >
> > >
> > that wont work since we need the firewall linux box to only let packets out to
> > a trusted host inside the LAN (which is where we run pptp). if the firewall
> > does pptp then even laptops which do NOT go through a tunnel will have their
> > packets forwarded.
> >
> > > Jordan
> > >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of HVR
> > > Sent: Wednesday, November 14, 2001 9:34 AM
> > > To: Jordan Share
> > > Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de;
> > > pptp-server at lists.schulte.org
> > > Subject: Re: [pptp-server] linux to linux pptp connection
> > >
> > > i think we are on to something, but let me explain my setup:
> > >
> > > we have several win/2k and win98 laptops, they all have an Orinoco
> > > wireless card, via this wireless card they connect to the lucent
> > > basestation, this lucent basestation is plugged into eth0 of a
> > > linux box firewall. the linux box does dhcp so all the laptops get
> > > a 10.1.1.0/24 ip address it then does MASQ/NAT and sends each
> > > packet coming in on eth0, out on eth1 which is connected to our
> > > LAN.
> > >
> > > However it will ONLY forward packets going out on eth1 which are
> > > going to the linux box running pptpd. pptpd box then authenticates
> > > and assigns ip to the tunnels in the 192.168.1.0/24 range and then
> > > NAT/MASQ the packets coming from within the tunnel out into the
> > > LAN. doing this forces all over-the-air traffic (between laptop
> > > client and the basestation) to be pptp encrypted (since only
> > > packets going to the pptp server are forwarded, and these are
> > > encrypted).
> > >
> > > now the problem i have is that when multiple laptop clients are
> > > NATed via the linux box firewall then pptp will only set up one
> > > tunnel for all of them: quite messy!
> > >
> > > picture(?):
> > >
> > > laptop-W2k/w98
> > > |
> > > lucent basestation
> > > |
> > > eth0 on linux firewall
> > > DHCP to laptop
> > > NAT to eth1
> > > firewall rule: only packets going to pptp box are let thru
> > > eth1
> > > | (this is our LAN)
> > > |
> > > pptp box
> > > authenticate
> > > NAT but only if from a pptp tunnel
> > > |
> > > internal LAN
> > >
> > > With frees/wan i would like to be able to setup IPsec from each
> > > laptop, NAT them all via the firewall and have the pptp server
> > > (now just running ipsec) be the receiving side.
> > >
> > > so i need some fancy setup and i need ipsec support for win/2k and
> > > win/98
> > >
> > > Any comments greatly appreciated.
> > >
> > > Jordan Share wrote:
> > >
> > > > Ok, yes. If you have a Linux-to-Linux connection, then I think
> > > > you'd be better off getting IPSec working, and a tunnel set up
> > > > between your two subnets.
> > > >
> > > > Do you have a static IP on both ends? That is really helpful,
> > > > but I don't think it's needed (although I can't say for sure,
> > > > since I do have a static IP on both ends).
> > > >
> > > > You have to make sure that the subnets that you are using are
> > > > distinct. For example, at work we are using the 10.1.1.0/24
> > > > subnet, which I have connected to my network at home
> > > > (192.168.0.0/24). That way, a route can be set up (FreeS/WAN
> > > > does this automatically at each end) for the destination subnet,
> > > > after the IPSec tunnel comes up.
> > > >
> > > > You end up with something like this:
> > > >
> > > > LAN1 - 10.1.1.0/24
> > > > |
> > > > 10.1.1.1 -- eth0 on linuxbox1
> > > > |
> > > > linuxbox1
> > > > |
> > > > a.b.c.d -- eth1 on linuxbox1
> > > > |
> > > > Internet
> > > > |
> > > > w.x.y.z -- eth1 on linuxbox2
> > > > |
> > > > linuxbox2
> > > > |
> > > > 192.168.0.1
> > > > |
> > > > LAN2 - 192.168.0.0/24
> > > >
> > > > Then machines on my LAN at home send their packets to linuxbox2,
> > > > which encrypts and tunnels them to linuxbox1, which decrypts and
> > > > sends them on to the machines on LAN1.
> > > >
> > > > This kind of thing is really easy to set up with FreeS/WAN. If
> > > > you need to do windows browsing and whatnot, then you'd need to
> > > > fool around with a WINS server for your network neighborhood to
> > > > connect properly (Samba is working fine for us in this respect,
> > > > although you probably are already using a WINS server if you
> > > > have a windows domain).
> > > >
> > > > Jordan
> > > >
> > > > -----Original Message-----
> > > > From: pptp-server-admin at lists.schulte.org [
> > > > mailto:pptp-server-admin at lists.schulte.org ] On Behalf Of HVR
> > > > Sent: Tuesday, November 13, 2001 11:55 AM
> > > > To: Jordan Share
> > > > Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de ;
> > > > pptp-server at lists.schulte.org
> > > > Subject: Re: [pptp-server] linux to linux pptp connection
> > > >
> > > >
> > > >
> > > > Jordan Share wrote:
> > > >
> > > > > For remote access, it's probably easier to get PPTP
> > > > > "dialin" working. Freeswan does not support "remote"
> > > > > IPs in the same way. You do not lease an IP address
> > > > > on the local network, you just encrypt the traffic to
> > > > > and from a given IP/Netmask. This makes
> > > > > "roadwarrior" dialins a bit tricky. If you have a
> > > > > static IP on the Win2k box, then it's very easy to
> > > > > set up the IPSec tunneling. (Well, not easy,
> > > > > perhaps, but doable). If you want to connect roaming
> > > > > dialin users, then you need to jump through some
> > > > > hoops, or just use PGPNet, or some other IPSec client
> > > > > software to manage things.
> > > > > The original post I was replying to was talking about
> > > > > using PPTP to connect two LANs together. Which is
> > > > > something that I think is much better done with
> > > > > IPSec.
> > > > > Jordan
> > > > >
> > > >
> > > > My problem is currently that i have multiple clients
> > > > behind a linux box doing NAT/masquerading. so when the
> > > > clients get to the pptp server they all seem to have
> > > > the same ip address and hence pptp will only create
> > > > one tunnel per ip and ALL clients will go thru this,
> > > > which creates a big mess! i was hoping that we can
> > > > either change pptp to allow multiple tunnels per
> > > > ip-pair or that i can use FreeS/wan somehow.
> > > >
> > > > The clients are a mix of win/2k/98 they connect to the
> > > > linux box which will serve them an ip address via
> > > > dhcp, and then the box will NAT all their packets
> > > > which are then forwarded to the pptp server. and that
> > > > is where i get into problems...
> > > >
> > > > i can explain why i am doing all this in case you are
> > > > interested.
> > > >
> > > > > -----Original Message-----
> > > > > From: pptp-server-admin at lists.schulte.org
> > > > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf
> > > > > Of
> > > > > hvrietsc at yahoo.com
> > > > > Sent: Monday, November 12, 2001 8:30 PM
> > > > > To: Jordan Share
> > > > > Cc: Jerry Vonau; Tom Eastep; knollst at tronicplanet.de;
> > > > > pptp-server at lists.schulte.org
> > > > > Subject: Re: [pptp-server] linux to linux pptp
> > > > > connection
> > > > > ok you got me curious, can i do the following with
> > > > > frees/wan:
> > > > > one secure box running frees/wan with one eth to the
> > > > > outside and one eth
> > > > > to the inside.
> > > > > then can i
> > > > > use win-2k and win 98 to connect to FreeS/WAN? if so
> > > > > what
> > > > > do they use for making the tunnels. for pptp
> > > > > connections i just have them use the built-in
> > > > > in vpn connector or whatever M$ calls this. so what
> > > > > about ipsec? is this supported
> > > > > by win/2k and win98?
> > > > > On Mon, Nov 12, 2001 at 10:42:35AM -0800, Jordan
> > > > > Share wrote:
> > > > >
> > > > >> I'd have to agree that FreeS/WAN is probably what
> > > > >> you want to go with. I've not had a tunnel go down
> > > > >> yet. (Well, as long as our DSL stays up.) Also,
> > > > >> you have the bonus that it interoperates with other
> > > > >> IPSec implementations (an advantage you don't have
> > > > >> with vtund). I set up FreeS/WAN for connectivity
> > > > >> to our backside LAN at the colo center (connecting
> > > > >> to a Netscreen100 firewall), and since then have
> > > > >> been easily able to add in tunnels for my network
> > > > >> at home (FreeS/WAN) and to a coworker's Win2k box.
> > > > >> Plus, I really feel that the experience you gain in
> > > > >> setting up a FreeS/WAN tunnel is far more broadly
> > > > >> applicable to other IPSec installations than
> > > > >> setting up some proprietary tunneling product (such
> > > > >> as vtund).
> > > > >> There's no way I'd ever use PPTP to tunnel two LANs
> > > > >> together, if I had a choice. PPTP is for remote
> > > > >> access, IMHO.
> > > > >> Jordan
> > > > >> -----Original Message-----
> > > > >> From: pptp-server-admin at lists.schulte.org
> > > > >> [mailto:pptp-server-admin at lists.schulte.org]On
> > > > >> Behalf Of Jerry Vonau
> > > > >> Sent: Saturday, November 10, 2001 9:50 AM
> > > > >> To: Tom Eastep
> > > > >> Cc: knollst at tronicplanet.de;
> > > > >> pptp-server at lists.schulte.org
> > > > >> Subject: Re: [pptp-server] linux to linux pptp
> > > > >> connection
> > > > >> Tom:
> > > > >> Just figured out vtund, I'm testing it now.
> > > > >> Have you played with it? Seems stable.
> > > > >> Jerry Vonau
> > > > >> Tom Eastep wrote:
> > > > >>
> > > > >> > On Saturday 10 November 2001 08:28 am, Jerry
> > > > >> > Vonau wrote:
> > > > >> >
> > > > >> >> The fix is to have a reliable isp and hope their
> > > > >> >> upstream is reliable.
> > > > >> >>
> > > > >> > Or switch to an IPSEC tunnel -- For Linux<->Linux
> > > > >> > tunneling, I've found
> > > > >> > FreeS/Wan to be more reliable than PPTP.
> > > > >> > -Tom
> > > > >> > --
> > > > >> > Tom Eastep \ teastep at shorewall.net
> > > > >> > AIM: tmeastep \ http://www.shorewall.net
> > > > >> > ICQ: #60745924 \_________________________
> > > > >> >
> > > > >> _______________________________________________
> > > > >> pptp-server maillist -
> > > > >> pptp-server at lists.schulte.org
> > > > >> http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > >> --- To unsubscribe, go to the url just above this
> > > > >> line. --
> > > > >>
> > > > >
> > > >
> > >
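The setup HVR describes and Jordan Share's suggestion of NATing each laptop to its own LAN address, written out as an added example that is not part of the thread: a dry-run script that emits the iptables rules for the wireless firewall box (2.4-era kernel with iptables assumed). The laptop-to-LAN mapping table is constructed from Jordan's 10.1.1.1 -> 192.168.1.129 example, and the pptpd box address is a placeholder, since the thread never gives it.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Generates (and optionally
# applies) the rules for the linux box sitting between the Lucent basestation
# (eth0, 10.1.1.0/24 handed out by DHCP) and the LAN (eth1).

WLAN_IF=eth0                # wireless side
LAN_IF=eth1                 # LAN side
PPTP_SERVER=192.168.1.250   # PLACEHOLDER: the pptpd box on the LAN (assumed value)

# Constructed one-to-one mapping: "<laptop address> <LAN address it is NATed to>"
NAT_MAP='10.1.1.1 192.168.1.129
10.1.1.2 192.168.1.130
10.1.1.3 192.168.1.131'

# nat table: one SNAT rule per laptop, so every laptop leaves eth1 with a
# distinct source address and pptpd sees one peer per tunnel instead of
# one shared masqueraded address.
gen_nat_rules() {
    echo "$NAT_MAP" | while read -r inner outer; do
        [ -n "$inner" ] || continue
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $inner -j SNAT --to-source $outer"
    done
}

# filter table: forward nothing except the PPTP control channel (TCP/1723)
# and its GRE data channel to the pptpd box, plus the replies from it.
# Anything a laptop sends that is not inside a tunnel is dropped.
gen_filter_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -d $PPTP_SERVER -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -d $PPTP_SERVER -p gre -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WLAN_IF -s $PPTP_SERVER -p tcp --sport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WLAN_IF -s $PPTP_SERVER -p gre -j ACCEPT"
}

# Sanity check: number of distinct LAN addresses the ruleset hands out, which
# should equal the number of laptops in NAT_MAP.
count_snat_addresses() {
    gen_nat_rules | sed -n 's/.*--to-source \([0-9.]*\)$/\1/p' | sort -u | wc -l | tr -d ' '
}

# Dry run by default; APPLY=1 pipes the rules into sh (needs root and iptables).
if [ "${APPLY:-0}" = "1" ]; then
    gen_filter_rules | sh
    gen_nat_rules | sh
else
    gen_filter_rules
    gen_nat_rules
fi
```

Run it without arguments to review the rules, then with APPLY=1 on the firewall. The reason plain many-to-one masquerading collapses everything into a single tunnel is that GRE carries no port numbers, so the pptpd box sees every call arriving from the one masqueraded address; giving each laptop its own outer address with SNAT sidesteps that without needing a PPTP-aware connection tracker, and the FORWARD policy still guarantees that only traffic bound for the pptpd box, i.e. encrypted tunnel traffic, crosses from the wireless side to the LAN.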