On Fri, 2004-03-12 at 11:40, peter.gehle@xxxxxxxxx wrote:
> Hi,
>
> For two weeks I have been trying to create rules for my iptables firewall that
> let a VPN tunnel pass to my internal MS VPN server (PPTP).
> I have installed kernel 2.4.25 and patched it with patch-o-matic (only the
> pptp/gre patch applied).
>
> I load the ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_pptp and ip_nat_proto_gre modules,
> and my script looks like this:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.2
> iptables -A FORWARD -i eth0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 1723 -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state NEW -p GRE -d 192.168.1.2 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p GRE -j DNAT --to-destination 192.168.1.2
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> So what is wrong? I can connect to the VPN server behind the firewall, but the
> connection hangs at authentication. After some minutes I receive a message that
> the server does not respond.

Micro$oft has a 'technote' on this in their technet section on the website.
AFAIR you need to allow protocol 37 to be forwarded between the two.

> netstat says this:
> netstat-nat -d 192.168.1.2
> Proto NATed Address                     Foreign Address    State
> tcp   p42821a5e.dip.t-dialin.ne:4394    192.168.1.2:1723   ESTABLISHED
> tcp   p42821a5e.dip.t-dialin.ne:4392    192.168.1.2:1723   TIME_WAIT
>
> Scheme of my network:
> vpn-client -> hw-router -> internet -> hw-router -> firewall -> vpn-server
>
> So what is going wrong?
>
> Thanks, Peter

-- 
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
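The rule set being discussed, rewritten as an added example (editor's code, not from either poster). It emits the iptables commands rather than running them, so the result can be reviewed before being piped to sh on the firewall. GRE is IP protocol 47 (as listed in /etc/protocols), and with the pptp/GRE conntrack and NAT helper modules from the thread loaded, the GRE data leg is tracked as RELATED to the TCP 1723 control connection, so the ESTABLISHED,RELATED rule carries it; the explicit GRE rules stay as a fallback. The interface eth0 and server 192.168.1.2 are taken from the thread; the default-deny FORWARD policy and the rate-limited LOG rule are additions so that a stalled handshake leaves a trace in the firewall log.

```shell
#!/bin/sh
# Added example: print the iptables rules for passing a PPTP tunnel
# (TCP 1723 control + GRE data) through a NAT firewall to one internal server.
# eth0 and 192.168.1.2 are assumptions taken from the thread's layout.

WAN_IF="${WAN_IF:-eth0}"                 # assumption: Internet-facing interface
VPN_SERVER="${VPN_SERVER:-192.168.1.2}"  # assumption: internal PPTP server

# GRE is IP protocol 47 (see /etc/protocols). Using the number rather than the
# name avoids depending on the name resolving on the firewall host.
gre_proto_number() {
    printf '%s\n' 47
}

# Emit the rule set to stdout so it can be reviewed, or applied with
#   pptp_passthrough_rules eth0 192.168.1.2 | sh
pptp_passthrough_rules() {
    wan="$1"
    server="$2"
    gre="$(gre_proto_number)"
    cat <<EOF
# PPTP conntrack/NAT helpers: with these loaded, the GRE call flow is tracked
# as RELATED to the TCP 1723 control connection.
modprobe ip_conntrack_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_proto_gre
modprobe ip_nat_pptp
# Default deny for forwarded traffic; only what is allowed below passes.
iptables -P FORWARD DROP
# Reply traffic and helper-related flows (covers the GRE leg once tracked).
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# PPTP control connection: TCP 1723 arriving on the WAN side goes to the server.
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $server
iptables -A FORWARD -i $wan -p tcp -d $server --dport 1723 -m state --state NEW -j ACCEPT
# GRE data leg (IP protocol $gre): explicit fallback if the helper is not loaded.
iptables -t nat -A PREROUTING -i $wan -p $gre -j DNAT --to-destination $server
iptables -A FORWARD -i $wan -p $gre -d $server -j ACCEPT
# Masquerade LAN traffic leaving on the WAN interface.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# Log what falls through to the DROP policy, rate-limited, so a stalled
# tunnel handshake shows up in the firewall log instead of silently timing out.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

pptp_passthrough_rules "$WAN_IF" "$VPN_SERVER"
```

Run it once without piping to sh and compare the output against the live rules (iptables -L FORWARD -n -v and iptables -t nat -L -n -v); a GRE rule whose packet counter stays at zero while the TCP 1723 counters climb is the usual sign that the GRE leg is being dropped or is never reaching the firewall.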