> > I do this all the time with the Win32 PGPnet IPsec VPN client through my
> > linux NAT router. From your description of the protocols and ports, it
> > sounds like you are using, instead, Microsoft's PPTP VPN technology.
> > In either case, as has been mentioned, the key is to get "passthrough"
> > enabled on your router. In the linux world, this means adding VPN-
> > Masquerade (see <http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html>).
> > This document describes both IPsec and PPTP passthrough. I only have
> > experience with the IPsec part, but I can vouch for the fact that it
> > works.
> > Paul
> Paul - thanks for the response. I have a few questions:
> 1. Have you ever tried this with the default W2K VPN client setup?
No. The W2K VPN is PPTP and I've only used IPsec.
> 2. If I use the PGP VPN client, does the remote server have to use a
> PGP-based solution as well?
No. But it must be IPsec. Note that it is my understanding that IPsec,
in general, has quite a few interoperability issues between different
vendors. I also have been told that PGPnet is one of the better clients
in terms of interoperability with different firewall/gateway vendors.
If you've already got the PPTP VPN setup and working correctly (except
for this NAT problem), then I'd try installing the VPN Masquerade patch
before trying to switch VPNs.
> 3. Which distro and version (and kernel version) are you using? Which
> firewall are you using (ipchains, iptables, etc)? Any patches applied? Could
> you possibly send me a copy of your firewall shell? (note that there is no
> "2" in my real email domain name - anti-spam).
I'm using ipchains on a Debian 2.2. The kernel is 2.2.19 patched for
VPN Masquerade as described in the HOWTO I referenced. There is no
special configuration of the ipchains rules needed. Just the patch.
You may not need the patch if it has already been incorporated into your
distribution, but I don't know which kernel you're using. The HOWTO
says RedHat kernels 2.2.16-8 and later in the 2.2.x series already
contain the patch (note that it doesn't say anything about RedHat 2.4.x
kernels). I use Debian so I don't know much of anything about RedHat.
> 4. The VPN Masquerade HOWTO you recommend
> (http://www.impsec.org/linux/masquerade/ip_masq_vpn.html) states that in
> order to allow a VPN _client_ to work from the NATted LAN, "no other
> software is needed to masquerade VPN clients" other than IP_MASQUERADE,
> which I assume I have correctly installed as I have no other known problem
> with NATting. The patches mentioned on the page seem to refer only to
> running a VPN _server_ from behind the firewall.
You *do* need the patch to run a *client* from behind the firewall with
a 2.2.x kernel. Maybe not on a 2.4.x kernel. I only have experience
with 2.2.x kernels. For this version, having IP_MASQUERADE is not
enough. I was also confused by this at first, but if you re-read that
HOWTO about 5 times, it will eventually become clear.
Paul