Microsoft PPTP VPN and MASQ (IPCHAINS) problem

Post by Alexis » Tue, 28 Nov 2000 04:00:00

Hello

My configuration is as follows:

$EXTIP <----> $EXTIF(eth0) firewall $INTIF(eth1) <----->$INTIP ------
192.168.1.2 (Windows 2000 Server)

My firewall is running Redhat Linux 2.2.14 with the VPN patch. I use an
IPCHAINS and portfw firewall configuration.

I have set up my Windoze 2000 Server machine to listen for incoming VPN
connections, and I have tested that it works by setting up a VPN from
another machine in the internal LAN (doesn't make sense to do, but at least I
know the Server is authenticating and connecting correctly).

It seems my firewall setup has something wrong; I'd appreciate it if you
could have a look at what I'm doing and tell me if there's something wrong:

/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $EXTIP 1723
/sbin/ipchains -A input -j ACCEPT -p 47 -s $UNIVERSE -d $EXTIP

/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP -d $UNIVERSE 1723 -i $EXTIF
/sbin/ipchains -A output -j ACCEPT -p 47 -s $EXTIP -d $UNIVERSE -i $EXTIF

/sbin/ipchains -A forward -j MASQ -p tcp -s 192.168.1.2 -d $UNIVERSE 1723 -i $EXTIF
/sbin/ipchains -A forward -j MASQ -p 47 -s 192.168.1.2 -d $UNIVERSE -i $EXTIF

/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 1723 -R 192.168.1.2 1723
/usr/sbin/ipfwd --masq 192.168.1.2 >/dev/null 2>&1 &

Where: $EXTIP is the public IP address
$EXTIF is the public interface
$UNIVERSE = 0.0.0.0/0
192.168.1.2 is the internal IP of the Windows 2000 Server

When I use a Windows 2000 Professional machine to connect to the public IP
address of my firewall and set up a VPN, it hangs at "Verifying username and
password", then says "remote computer is not responding".

Any help would be much appreciated.

Alexis M
< a l e x _ m 7 4   at   h o t m a i l   dot   c o m >


Microsoft PPTP VPN and MASQ (IPCHAINS) problem

Post by Alex » Tue, 28 Nov 2000 04:00:00

> /usr/sbin/ipfwd --masq 192.168.1.2 >/dev/null 2>&1 &

should read

/usr/sbin/ipfwd --masq 192.168.1.2 47 >/dev/null 2>&1 &

(i.e. the '47' was missing)

This was a typo in my NG posting, *not* my firewall script.

Alexis M
< a l e x _ m 7 4   at   h o t m a i l   dot   c o m >
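The rule set in the first post and the ipfwd correction in the follow-up can be checked mechanically. The following is an added example, not code from either post: a small Python linter that tokenises ipchains, ipmasqadm portfw and ipfwd lines in the syntax used in the thread and reports whatever would stop a PPTP client from reaching the internal server. PPTP needs two flows: the TCP 1723 control channel and GRE (IP protocol 47). GRE has no ports, so a portfw rule can never carry it; the GRE forwarder must be told the protocol number, which is exactly the slip the follow-up corrects. The two rule sets embedded in the script are constructed copies of the thread's lines (wrapped lines joined, output-chain rules left out since the checker does not look at them): POSTED carries a stray `$` in front of the literal -R address and an ipfwd line without the 47, CORRECTED has both fixed. The variable names $EXTIP, $EXTIF and $UNIVERSE are taken over from the post and are treated as opaque tokens.

```python
import ipaddress
import shlex

PPTP_PORT = "1723"   # PPTP control channel, TCP
GRE = "47"           # IP protocol number of GRE, the PPTP data channel


def tokenize(script):
    """(tool, argv) per rule line; shell redirections and a trailing '&' are dropped."""
    rules = []
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        argv = [a for a in argv if not (a.startswith(">") or a.startswith("2>") or a == "&")]
        if argv:
            rules.append((argv[0].rsplit("/", 1)[-1], argv[1:]))
    return rules


def opt(argv, flag):
    """Value following a flag, or None if the flag is absent."""
    i = argv.index(flag) if flag in argv else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None


def opt_port(argv, flag):
    """ipchains puts an optional port after the address: '-d $EXTIP 1723'."""
    i = argv.index(flag) if flag in argv else -1
    if 0 <= i < len(argv) - 2 and not argv[i + 2].startswith("-"):
        return argv[i + 2]
    return None


def has_ipchains(rules, chain, proto, target, port=None):
    """True if an ipchains rule in `chain` has this -p/-j (and -d port, when given)."""
    for tool, argv in rules:
        if tool == "ipchains" and opt(argv, "-A") == chain \
                and opt(argv, "-p") == proto and opt(argv, "-j") == target \
                and (port is None or opt_port(argv, "-d") == port):
            return True
    return False


def check_pptp_rules(script, server_ip):
    """Return the problems that would keep a PPTP client from reaching server_ip."""
    rules = tokenize(script)
    issues = []
    if not has_ipchains(rules, "input", "tcp", "ACCEPT", PPTP_PORT):
        issues.append("input: no ACCEPT for tcp/1723 (control channel)")
    if not has_ipchains(rules, "input", GRE, "ACCEPT"):
        issues.append("input: no ACCEPT for IP protocol 47 (GRE)")
    if not has_ipchains(rules, "forward", "tcp", "MASQ", PPTP_PORT):
        issues.append("forward: no MASQ for tcp/1723 from the server")
    if not has_ipchains(rules, "forward", GRE, "MASQ"):
        issues.append("forward: no MASQ for protocol 47 from the server")

    # portfw carries the TCP control channel in; its -R target must be a real address.
    portfw = [a for t, a in rules if t == "ipmasqadm" and a[:1] == ["portfw"]]
    fw = next((a for a in portfw if opt(a, "-P") == "tcp" and opt_port(a, "-L") == PPTP_PORT), None)
    if fw is None:
        issues.append("portfw: no tcp/1723 forward to the internal server")
    else:
        target = opt(fw, "-R")
        try:
            ok = ipaddress.ip_address(target) == ipaddress.ip_address(server_ip)
        except ValueError:
            ok = False
        if not ok:
            issues.append(f"portfw: -R target {target!r} is not the server address {server_ip}")

    # GRE has no ports, so portfw cannot carry it; ipfwd needs the protocol
    # number as its last argument or the data channel never reaches the server.
    fwd = [a for t, a in rules if t == "ipfwd"]
    if not fwd:
        issues.append("ipfwd: no GRE forwarder for the internal server")
    elif "--masq" not in fwd[0] or server_ip not in fwd[0]:
        issues.append(f"ipfwd: not forwarding to {server_ip}")
    elif fwd[0][-1] != GRE:
        issues.append("ipfwd: protocol number 47 missing after the server address")
    return issues


# Constructed copies of the thread's rule sets (wrapped lines joined). POSTED keeps two
# slips: a stray '$' before the literal -R address and an ipfwd line without the 47.
POSTED = """\
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $EXTIP 1723
/sbin/ipchains -A input -j ACCEPT -p 47 -s $UNIVERSE -d $EXTIP
/sbin/ipchains -A forward -j MASQ -p tcp -s 192.168.1.2 -d $UNIVERSE 1723 -i $EXTIF
/sbin/ipchains -A forward -j MASQ -p 47 -s 192.168.1.2 -d $UNIVERSE -i $EXTIF
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 1723 -R $192.168.1.2 1723
/usr/sbin/ipfwd --masq 192.168.1.2 >/dev/null 2>&1 &
"""
CORRECTED = POSTED.replace("-R $192.168.1.2", "-R 192.168.1.2").replace(
    "192.168.1.2 >/dev/null", "192.168.1.2 47 >/dev/null")

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name + ":", check_pptp_rules(script, "192.168.1.2") or "OK")
```

Run as a script it prints the findings for the posted set and "OK" for the corrected one; the checker only looks at the chains and tools the thread uses, so a rule set written with interface-specific input rules or with `-p gre` instead of `-p 47` would need the matching to be widened.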