VPN NAT && 2.4 kernel

Post by /dev/nul » Sun, 18 Aug 2002 01:47:40

John D. Hardin's VPN masq HOWTO
(http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html) states he's not sure
about the state of vpn masq on the 2.4 kernel.

I'm currently looking to upgrade my 2.2 kernel to the 2.4 and I run VPN masq
with ipchains.

To do VPN NAT/MASQ with the 2.4 kernel, will I have to patch it?  Are there
any resources on this?

Thanks!

Post by Steve Cowle » Sun, 18 Aug 2002 04:23:09

> John D. Hardin's VPN masq HOWTO
> (http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html) states he's not sure
> about the state of vpn masq on the 2.4 kernel.

> I'm currently looking to upgrade my 2.2 kernel to the 2.4 and I run VPN
> masq with ipchains.

> To do VPN NAT/MASQ with the 2.4 kernel, will I have to patch it?  Are
> there any resources on this?

If you're simply wanting to establish a single outbound PPTP/IPSEC (esp) VPN
from behind your firewall, then the 2.4.x kernel/netfilter package works
fine without any patches. At least I've had no problems and I'm running
stock 2.4.x kernels on my firewall without any patches.

If you're wanting to establish multiple outbound VPNs from behind your
firewall, then my understanding is you will need to apply the connection
tracking patch mentioned at John Hardin's website.

Also, I believe the above rules apply if you're wanting to masquerade a VPN
server behind your firewall. FWIW: I run a masq PPTP server behind my
2.4.x/iptables based firewall, but I have not tried to simultaneously
connect from two different IP addresses. Maybe someone else can verify this.

As far as resources, I use "shorewall" to configure iptables. Check out:
www.shorewall.net The documentation for shorewall contains a chapter on
VPNs which might help you in your quest to migrate from 2.2.x to 2.4.x.

Steve Cowles
remove the _ to reply
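Rules of the kind described above for a single outbound PPTP or IPsec (ESP) VPN client, as an added example that is not from this thread or from shorewall: plain iptables for a 2.4.x/netfilter firewall. It assumes a LAN of 192.168.1.0/24 behind external interface eth0 (placeholders), and prints the rules unless run with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): masquerade a LAN and let one host
# run an outbound PPTP or IPsec (ESP) VPN through a stock 2.4.x firewall.
EXT_IF="${EXT_IF:-eth0}"               # external interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # internal network (assumption)
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_masq_rules() {
    # Default-deny forwarding; replies to tracked flows are let back in.
    # Stock 2.4 conntrack tracks GRE and ESP with its generic handler,
    # keyed on addresses only: one LAN host per VPN server works, a second
    # host to the same server collides, hence the patch mentioned above.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # PPTP: TCP/1723 control channel plus the GRE (protocol 47) tunnel
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -p tcp --dport 1723 -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -p 47 -j ACCEPT
    # IPsec: IKE on UDP/500 plus ESP (protocol 50)
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -p udp --dport 500 -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -p 50 -j ACCEPT
    # Masquerade everything from the LAN leaving the external interface
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# Only touch the live tables when explicitly asked; otherwise show the rules.
[ "${1:-}" = "apply" ] || DRY_RUN=1
vpn_masq_rules
```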

Post by /dev/nul » Sun, 18 Aug 2002 14:13:00

> If you're simply wanting to establish a single outbound PPTP/IPSEC (esp) VPN
> from behind your firewall, then the 2.4.x kernel/netfilter package works
> fine without any patches. At least I've had no problems and I'm running
> stock 2.4.x kernels on my firewall without any patches.

Excellent.  Thank you.

> If you're wanting to establish multiple outbound VPNs from behind your
> firewall, then my understanding is you will need to apply the connection
> tracking patch mentioned at John Hardin's website.

Ah yes, on occasion I have two internal boxes that connect to VPN on the
Internet through my Linux NAT.  I'll look into the patch.  Thanks again.

> Also, I believe the above rules apply if you're wanting to masquerade a VPN
> server behind your firewall. FWIW: I run a masq PPTP server behind my
> 2.4.x/iptables based firewall, but I have not tried to simultaneously
> connect from two different IP addresses. Maybe someone else can verify this.

What about running a VPN on the firewall box?  No masq or NAT required, so I
expect no problems, correct?

> As far as resources, I use "shorewall" to configure iptables. Check out:
> www.shorewall.net The documentation for shorewall contains a chapter on
> VPNs which might help you in your quest to migrate from 2.2.x to 2.4.x.

Wow, don't think I had ever seen shorewall before.  Looks promising.  Thanks
again.

Well, I've already thanked you three times, here's the rest I owe:

thanks a 999,997!

Post by Steve Cowle » Sun, 18 Aug 2002 21:05:44

> > Also, I believe the above rules apply if you're wanting to masquerade a
> > VPN server behind your firewall. FWIW: I run a masq PPTP server
> > behind my 2.4.x/iptables based firewall, but I have not tried to
> > simultaneously connect from two different IP addresses. Maybe someone
> > else can verify this.

> What about running a VPN on the firewall box?  No masq or NAT
> required, so I expect no problems, correct?

That's correct.

> > As far as resources, I use "shorewall" to configure iptables. Check out:
> > www.shorewall.net The documentation for shorewall contains a chapter on
> > VPNs which might help you in your quest to migrate from 2.2.x to 2.4.x.

> Wow, don't think I had ever seen shorewall before.  Looks promising.
> Thanks again.

> Well, I've already thanked you three times, here's the rest I owe:

> thanks a 999,997!

:-) Good Luck

Steve Cowles
remove the _ to reply