Hi, thanks for your reply re: my problem.
Probably the most important thing you can tell me is if I have to apply any patches or modules in order to make this work. There is a heck of a lot of differing opinions on the various forums and I'm not sure which way to turn. I just want to rule this out, knowing that it is essentially native in a standard kernel and it should be just a configuration issue.
Cheers, Jamie
From: Wim Ceulemans <wim.ceulemans@xxxxxxx>
To: Jamie Vuyk <jvuyk@xxxxxxxxxxxxxx>
CC: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: GRE/PPTP Pass-through problems
Date: Thu, 04 Sep 2003 14:14:57 +0200
Hi
I had the same problems with GRE not passing through to a server behind the firewall.
I then used kernel 2.4.22 and the latest pom snapshot (patch-o-matic-20030831) with iptables 1.2.8, and GRE passed through.
However, after testing I notice now that although PPTP connections to a win2000 server behind the firewall work, the connection is not reliable. After 3 to 4 minutes the connection is closed for some unknown reason and people have to re-establish the connection.
Anyone experiencing this problem also?
Regards, Wim
Jamie Vuyk wrote:
Hello,
I hope this will be a simple post that can lay to rest what a lot of people appear to be having trouble with. I have read a massive amount of posts all over the web and there seems to be much confusion in this simple matter.
Basically there are two aspects to my problems:
1) Does the standard kernel (RH 2.4.18) need to be patched in any way in order to PASS THROUGH proto 47 (GRE) to an internal server? I'm running a simple iptables firewall through which I want to pass an external PPTP VPN connection to an internal server. It is most important to note that the firewall is masquerading all connections, which I think is where the confusion lies. As I understand it, if I want Linux to terminate the PPTP VPN I need a patch; if I want it to pass through I don't. However, I am having a lot of trouble getting this to work and I would like to know if I'm on the right track.
2) Given that I don't have to patch anything and it all should "just work"... I have set up my firewall to allow and forward 1723 to my internal server. This appears to work, but the external Win2k box gets stuck on "verifying username and password". This eventually times out with "disconnected". A simple test was to telnet to port 1723. Although there is no response as such from the server (expected), it does connect with a blank screen both internally and externally, suggesting the forwarding is working OK. At what point does the 1723 data exchange end and the "payload" as such start on the GRE protocol? Is GRE involved in the 'verifying username and password' stage or is that still TCP on 1723? Just so you are aware, I have the rest of the firewall fully operational with various port forwards etc. that work fine. It is essentially only the VPNs that are giving me grief.
If you could get some basic info I may be able to troubleshoot this and get it operational.
Cheers in advance for your help.
J
-- Wim Ceulemans R&D Engineer
Secure Internet Communication with aXs Guard
Able NV Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09 E-mail: wim.ceulemans@xxxxxxx
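The two-part forwarding Jamie asks about in points 1) and 2), written out as an added example (not either poster's configuration). PPTP's "verifying username and password" step is PPP authentication carried inside GRE, so a firewall that only forwards TCP 1723 stalls exactly there; the rules below DNAT both the control channel and protocol 47 to one internal server. Interface names eth0/eth1 and the server address 192.168.1.10 are placeholder assumptions.

```shell
#!/bin/sh
# Added illustration for this thread: iptables rules that pass an external PPTP
# VPN (TCP 1723 control channel plus GRE, IP protocol 47) through a masquerading
# firewall to ONE internal PPTP server. Not the posters' own configuration.
# Assumed placeholders: external interface eth0, internal interface eth1,
# internal PPTP server 192.168.1.10.

# Emit the rule set as text so it can be reviewed before being applied
# (pipe the output to sh as root to apply it).
pptp_passthrough_rules() {
    wan_if="$1"; lan_if="$2"; pptp_server="$3"
    cat <<EOF
# Control channel: redirect inbound TCP 1723 to the internal PPTP server
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $pptp_server
# Data channel: GRE has no ports, so the whole protocol is redirected to the same host
iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $pptp_server
# Forward only these two protocols, and only to the one server (no blanket ACCEPT)
iptables -A FORWARD -i $wan_if -o $lan_if -d $pptp_server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $pptp_server -p 47 -j ACCEPT
# Explicitly allow the server's outbound GRE so the tunnel does not depend on
# connection tracking of a port-less protocol
iptables -A FORWARD -i $lan_if -o $wan_if -s $pptp_server -p 47 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The existing masquerading of everything leaving the external interface
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
EOF
}

# Sanity check on a generated rule set: both the 1723 DNAT and the protocol-47
# DNAT must be present; with only the first one the client connects on 1723 and
# then hangs in PPP authentication, the symptom described in the thread.
pptp_rules_complete() {
    rules="$(pptp_passthrough_rules "$@")"
    printf '%s\n' "$rules" | grep -q -- '--dport 1723 -j DNAT' || return 1
    printf '%s\n' "$rules" | grep -q -- '-p 47 -j DNAT' || return 1
    return 0
}

# Usage: pptp_passthrough_rules eth0 eth1 192.168.1.10
```

This plain DNAT approach covers a single internal PPTP server; masquerading several internal PPTP clients that dial out through the same firewall is a different case, because GRE call IDs then have to be rewritten, which is what the pptp conntrack/NAT helper from patch-o-matic that Wim mentions is for.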