[pptp-server] Setting up PoPToP behind masq firewall

Cowles, Steve Steve at SteveCowles.com
Sat Oct 13 13:10:44 CDT 2001


> -----Original Message-----
> From: John P [mailto:john at pmbbs.demon.co.uk]
> Sent: Saturday, October 13, 2001 12:42 PM
> To: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Setting up PoPToP behind masq firewall
> 
> 
> > > I have PoPToP running on a RedHat 7.0 server. The server runs
> > > behind a Linux firewall which masquerades the internal network
> > > out on one IP address. Port 1723 is forwarded to the RedHat
> > > server as is protocol 53.
> 
> > That should be protocol 47 (GRE), not protocol 53
> 
> Duh, typo on my part. It is 47 that is used in ipfwd and allowed in
> ipchains. Sorry!

Based on your other post, it looks like you are using the proper syntax for
ipfwd. But it will not help until the firewall kernel understands how to
masquerade a GRE packet.

FWIW: The new linux kernel series (2.4.x) along with iptables do not require
any patches.

> 
> > Some of the later Redhat kernels already contained the VPN
> > MASQ Patches. To verify - see if you have module ip_masq_pptp.o
> 
> No, I don't have it. I thought that anything that could be 
> compiled into the kernel could also be loaded as a module? If so,
> can I get a copy of ip_masq_pptp.o from somewhere and just install
> it? I am a bit reluctant to recompile the kernel, because I haven't
> done it before.

Recompiling a kernel for the first time can be a little scary. I learned by
using an extra PC to test the procedure before trying it on a production
system.
As for downloading a pre-compiled module - most kernels are compiled where
the module revision must match that of the kernel revision, or it will not
load. Maybe you'll get lucky and find someone that has the ip_masq_pptp.o
module for your kernel revision.

> 
> > > I'm not quite sure why I need to install that patch though.
> > > Is it so that the RedHat server knows to route the packets
> > > via the masq router?
> 
> > The patch is needed so that the GRE protocol can be 
> > properly masqueraded. i.e. module ip_masq_pptp.o
> 
> OK, but who is doing the masquerading? Does the RedHat PPTP
> server masquerade the protocol, or is it the Linux firewall? 

Using your terms... the firewall.

> That's what I can't work out - why would the RedHat server need
> to do any masquerading at all? (It just communicates with the
> firewall which does all the masq'ing)

It's the firewall that has to deal with masquerading GRE packets, so the VPN
MASQ patches need to be applied to your firewall kernel, not the PoPToP
server.

Steve Cowles
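As an added illustration (not from Steve's message or the PoPToP project), this is the rule set a 2.4.x iptables firewall needs to forward both halves of PPTP, TCP port 1723 and IP protocol 47 (GRE), to an internal PoPToP host; the interface names and the 192.168.1.10 address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables rules for a 2.4.x
# firewall that masquerades a LAN and forwards PPTP to an internal PoPToP host.
# Interface names and addresses are constructed placeholders.
EXT_IF="eth0"                # interface holding the single public address
INT_IF="eth1"                # interface facing the masqueraded LAN
PPTP_SERVER="192.168.1.10"   # internal PoPToP server (placeholder)

# Emit the rule set as iptables command lines. Printing first lets you review
# the rules; pipe the output into sh to apply them on the firewall.
pptp_forward_rules() {
    ext="$1"; int="$2"; srv="$3"
    # Control channel: TCP 1723 -> PoPToP server
    echo "iptables -t nat -A PREROUTING -i $ext -p tcp --dport 1723 -j DNAT --to-destination $srv"
    # Data channel: GRE is IP protocol 47, not a TCP/UDP port, so it needs its own DNAT
    echo "iptables -t nat -A PREROUTING -i $ext -p 47 -j DNAT --to-destination $srv"
    echo "iptables -A FORWARD -i $ext -o $int -d $srv -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -i $ext -o $int -d $srv -p 47 -j ACCEPT"
    # Allow the server's outbound GRE explicitly rather than relying on conntrack for it
    echo "iptables -A FORWARD -i $int -o $ext -s $srv -p 47 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Ordinary masquerading of the LAN behind the public address
    echo "iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE"
}

# Sanity check: a PPTP passthrough that forwards 1723/tcp but forgets
# protocol 47 is the classic misconfiguration; both must be DNATed.
rules_cover_pptp() {
    rules=$(pptp_forward_rules "$@")
    echo "$rules" | grep -q -- '--dport 1723 .*DNAT' || return 1
    echo "$rules" | grep -q -- '-p 47 .*DNAT' || return 1
    return 0
}

if [ "${1:-}" = "--print" ]; then
    pptp_forward_rules "$EXT_IF" "$INT_IF" "$PPTP_SERVER"
fi
```

Run with `--print` to see the rules; `rules_cover_pptp` returns non-zero if either the 1723/tcp or the protocol 47 DNAT rule is missing.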