Re: iptables PPTP p-o-m patch info

I've had problems with Check Point & PPTP before. Basically I found out that Check Point cannot forward PPTP then GRE packets to internal IPs for some reason. I ended up setting up the PPTP server on the Check Point firewall itself.

This lack of support for PPTP was actually documented on the Check Point site.

Aldo Lagana wrote:
the pptp-conntrack patch from p-o-m works wonderfully for me - clients
on private addresses (192.168.x.x for me) can use their Windows (ew!)
VPN connections they've set up to connect (just as NAT clients through my
iptables & patched gateway) to PPTP servers out on the Internet. So
yes, they are getting NATted, but the PPTP sessions still work - that is
the whole reason for the patch!

If this is what you need, then that is the patch that will work for you.
The problem I see is the Checkpoint VPN - is that a 100% PPTP VPN
server? Because the pptp patch will not work for IPSec or other
non-PPTP VPNs.


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of
James O'Gorman
Sent: Monday, March 24, 2003 3:24 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: iptables PPTP p-o-m patch info


Hi,

I'm after a bit more info on this patch, as there doesn't
seem to be much mentioned about it on the netfilter.org site,
or in the p-o-m help. I've got an ADSL connection with a
single static IP, and we're thinking about having a linux box
using iptables to NAT the connection to the internal LAN.

One of the computers on the LAN uses Check Point VPN-1
SecuRemote to connect to a corporate network, but with our
current setup (using a ZyXEL Prestige ADSL router) this isn't
possible - the user has to unplug the router and use the USB
ADSL modem plugged directly into his PC, meaning the rest of
the network loses the Internet connection, which, obviously,
is inconvenient. We think this fails to work because of the
router re-writing the packet headers, and the VPN software
not liking this (it's a security risk).

Does the PPTP patch for iptables allow this to work properly?
i.e., if 192.168.0.1 was the Internet gateway (ppp0 for
Internet and eth0 for LAN) and 192.168.0.4 needed to use VPN
using 0.1 as the gateway instead of unplugging the gateway
from the ADSL, would this work, or would it fail, for the
same reasons it failed using the ZyXEL router?

Thanks,

James

--
James O'Gorman
email: james@xxxxxxxxxxxxxxxx | web: www.netinertia.co.uk
What is food to one, is to others bitter poison.
-- Titus Lucretius Carus
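Added example, not taken from any message in this thread: a rule set for the gateway James describes, with ppp0 toward the Internet and eth0 on the 192.168.0.0/24 LAN, and the PPTP conntrack/NAT helper enabled so that the GRE data channel (IP protocol 47) is NATted together with the TCP/1723 control channel. Interface names and the subnet are assumptions taken from his mail; the module names are those of current kernels (the 2.4-era p-o-m patch called them ip_conntrack_pptp and ip_nat_pptp), and the explicit CT --helper binding is only needed on kernels from 3.5 onward, which no longer attach helpers to connections automatically. The vpn_kind function is an assumed helper for the point Aldo raises: it only classifies observed traffic as PPTP or IPsec, and IPsec (IKE on UDP/500 or UDP/4500, ESP as IP protocol 50) is not handled by these rules.

```shell
#!/bin/sh
# Added example (not from the thread): PPTP pass-through on an iptables NAT
# gateway. Assumed layout from the question: ppp0 = Internet, eth0 = LAN.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Print the rules instead of applying them, so they can be reviewed and
# tested without root. Run "sh this.sh --print | sh" as root to apply.
pptp_nat_rules() {
    cat <<EOF
# PPTP = TCP/1723 control channel + GRE (IP protocol 47) data channel.
# The helper reads the call IDs negotiated on 1723 and rewrites the GRE
# headers; without it only the control channel survives NAT.
# (2.4 p-o-m names: ip_conntrack_pptp / ip_nat_pptp; current: nf_*_pptp.)
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
# Kernels >= 3.5 do not auto-assign helpers: bind pptp to outbound 1723.
iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport 1723 -j CT --helper pptp
# Masquerade the LAN behind the single static address on $WAN_IF.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Forward LAN -> Internet; the return path is RELATED/ESTABLISHED, which
# now includes the GRE flows the helper expects.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Assumed check for "is this VPN PPTP at all?" Feed it the protocol and
# destination port seen leaving the client (e.g. from tcpdump). The PPTP
# helper only covers the first group; IPsec needs a different setup.
vpn_kind() {
    proto="$1"
    port="${2:-}"
    case "$proto/$port" in
        tcp/1723|gre/*|47/*)          echo pptp ;;
        udp/500|udp/4500|esp/*|50/*)  echo ipsec ;;
        *)                            echo unknown ;;
    esac
}

if [ "${1:-}" = "--print" ]; then
    pptp_nat_rules
fi
```

Ordering matters: the CT rule sits in the raw table so the helper is attached before conntrack sees the SYN, and the MASQUERADE rule must cover the GRE packets too, which it does because it matches on source network and outgoing interface rather than on protocol.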