* Can't forward Win2k VPN through NAT
From: Roy Sigurd Karlsbakk @ 2002-09-06 12:42 UTC
  To: Netfilter mailinglist

hi all

I have this fw as sketched below. What I want is to enable a Win2k VPN
connection NATed into 192.168.144.24.

Can someone help me here? It just doesn't work ...

roy

        +------+
   eth2 |      | eth1
SHDSL --+  fw  +----------- LAN
        |      |
        +---+--+
       eth0 |
            |

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  62.70.77.66          213.187.163.162    udp dpt:1723 \ 
to:192.168.144.24
DNAT       tcp  --  62.70.77.66          213.187.163.162    tcp dpt:3389 \ 
to:192.168.144.24:3389
DNAT       tcp  --  62.70.77.66          213.187.163.162    tcp dpt:1723 \ 
to:192.168.144.24:1723
DNAT       gre   --  62.70.77.66          213.187.163.162    to:192.168.144.24

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       47   --  192.168.144.24       0.0.0.0/0          to:213.187.163.162
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16


-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners.
They stop working when you open Windows.




* Re: Can't forward Win2k VPN through NAT
From: Antony Stone @ 2002-09-06 14:22 UTC
  To: Netfilter mailinglist

On Friday 06 September 2002 1:42 pm, Roy Sigurd Karlsbakk wrote:

> hi all
>
> I have this fw as sketched below. What I want, is to enable win2k VPN
> connection NATed into 192.168.144.24.
>
> Can someone help me here? It just doesn't work ...

You're right.   It doesn't work.

PPTP doesn't like being NATted, because it embeds addressing information 
inside the protocol.

You need to load the pptp helper module in netfilter to stand any chance of 
getting this going.   Look for pptp_conntrack_nat.

I think the sig on your email was highly appropriate to the situation, 
however:

"Computers are like air conditioners.
They stop working when you open Windows."

Antony.

-- 

You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner



* RE: Can't forward Win2k VPN through NAT
From: Don Woodruff @ 2002-09-06 16:17 UTC
  To: netfilter


Is this really fair? While Windows uses pptp, I believe it is actually
RFC 2637. PopTop is a perfectly workable pptp solution for Linux -- so
pptp tunnelling is not really a "Windows" issue. While I would prefer to
use IPSEC where possible, the same issues with NAT still exist (in a
similar config).
 
My point: Windows has enough flaws without us going out of our way to
engage in the sort of FUD that Redmond has established a reputation for.
Only by staying the course and refusing to engage in these tactics will
the Linux community be able to avoid losing credibility the same way the
MS guys have.
 
Don (disclaimer: I could be wrong)
 
P.S. My fave taglines (although I don't use them):
 
"If your only tool is a hammer, Every job will look like a nail" AND
"People run applications, not operating systems"
 
In my days as an SCO Unix Instructor, I used to tack the first one up on
the wall before I started the first day, and as an IT Director, the
second was my mantra (to avoid evangelism and keep my guys focused on
problem-solving).
 
As a business-owner, my new focus is "whatever provides the greatest
profit margin coupled with the most satisfactory experience for the
customer".
 
Don
 
> -----Original Message-----
> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
> Sent: Friday, September 06, 2002 10:22 AM
> To: Netfilter mailinglist
> Subject: Re: Can't forward Win2k VPN through NAT
> 
> You need to load the pptp helper module in netfilter to stand any 
> chance of
> getting this going.   Look for pptp_conntrack_nat.
> 
> I think the sig on your email was highly appropriate to the situation,
> however:
> 
> "Computers are like air conditioners.
> They stop working when you open Windows."
> 
> Antony.
> 
 



* Re: Can't forward Win2k VPN through NAT
From: Zoilo @ 2002-09-06 17:35 UTC
  To: Don Woodruff, netfilter

On Friday 06 September 2002 18:17, Don Woodruff wrote:
> P.S. My fave taglines (although I don't use them):
>
> "If your only tool is a hammer, Every job will look like a nail" AND
> "People run applications, not operating systems"
>
> In my days as an SCO Unix Instructor, I used to tack the first one up on
> the wall before I started the first day, and as an IT Director, the
> second was my mantra (to avoid evangelism and keep my guys focused on
> problem-solving).
>
> As a business-owner, my new focus is "whatever provides the greatest
> profit margin coupled with the most satisfactory experience for the
> customer".

Now I understand what put you in such a nostalgic mood.......!

-- 
Z (ex business-owner).
----------------------------------------------------------
"If all you have is a hammer, everything looks like a nail."



* Re: Can't forward Win2k VPN through NAT
From: Antony Stone @ 2002-09-06 18:39 UTC
  To: netfilter

On Friday 06 September 2002 5:15 pm, Don Woodruff wrote:

> Is this really fair? While Windows uses pptp, I believe it is actually
> RFC 2637. PopTop is a perfectly workable pptp solution for Linux -- so
> pptp tunnelling is not really a "Windows" issue. While I would prefer to
> use IPSEC where possible, the same issues with NAT still exist (in a
> similar config).

I agree that PPTP is an independent standard, and not a M$-developed
protocol, however I consider it to be by far an inferior way to set up a VPN
than IPsec, and therefore I disapprove of Win2k for having provided users
with PPTP and not IPsec.

Also, I believe that PPTP has significantly greater problems than IPsec with
NAT.   Basically IPsec in transport mode does not work through NAT at all,
but IPsec in tunnel mode works without any need for helpers etc.   As far as
I'm aware, there are limitations on the number of concurrent PPTP sessions
you can maintain through a single NAT device (because of the address
information embedded in PPTP, not because of anything to do with the device),
whereas there is no such limitation with IPsec in tunnel mode.

> As a business-owner, my new focus is "whatever provides the greatest
> profit margin coupled with the most satisfactory experience for the
> customer".

I'm afraid here again I'm going to use Microsoft as an example that these two
objectives can easily turn out to be mutually exclusive (or at least,
competing rivals).

Antony.

--

Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
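
As an added illustration of why the "addressing information embedded in PPTP" that Antony mentions in his first reply forces both a conntrack helper and a cap on concurrent PPTP sessions through one NAT, here is a small Python model (not code from the thread, nor netfilter's own pptp helper): it parses the enhanced-GRE header that PPTP data packets use and shows the Call-ID rewriting a helper must perform so two inside hosts can reach the same server. It assumes the RFC 2637 header layout; the addresses, Call IDs and the 0x8000 NAT-owned range are constructed sample values.

```python
import struct

# Added model of the bookkeeping a PPTP NAT helper has to do; not code from the
# thread or from netfilter. Layout per RFC 2637 section 4.1; values constructed.
GRE_PROTO_PPP = 0x880B     # protocol type of PPTP data packets
GRE_FLAGS_PPTP = 0x2001    # K bit (key present) + version 1 = enhanced GRE

def build_pptp_gre(call_id: int, payload: bytes = b"") -> bytes:
    """Build a PPTP GRE packet. The key field carries the *receiver's* Call ID;
    S and A bits are left clear, so no sequence/ack words follow."""
    hdr = struct.pack("!HHHH", GRE_FLAGS_PPTP, GRE_PROTO_PPP, len(payload), call_id)
    return hdr + payload

def parse_pptp_gre(pkt: bytes) -> int:
    """Return the Call ID of a PPTP GRE packet, rejecting other GRE traffic."""
    flags, proto, _length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != 1 or not (flags & 0x2000):
        raise ValueError("not a PPTP enhanced-GRE packet")
    return call_id

class PptpNatHelper:
    """GRE has no ports, so a NAT can only demultiplex inbound PPTP data by the
    Call ID that the control channel (TCP 1723) negotiated. Two inside hosts
    that both pick Call ID 1 toward the same server would collide on the
    inbound GRE path; the helper rewrites Call IDs to keep them unique."""

    def __init__(self):
        self._next_ext = 0x8000   # NAT-owned Call ID space (constructed value)
        self.inside_to_ext = {}   # (inside_ip, inside_call_id) -> external id
        self.ext_to_inside = {}   # external id -> (inside_ip, inside_call_id)

    def on_outgoing_call_request(self, inside_ip: str, call_id: int) -> int:
        """Control channel, inside -> server: replace the client's Call ID with
        a NAT-unique one and remember the mapping."""
        key = (inside_ip, call_id)
        if key not in self.inside_to_ext:
            ext, self._next_ext = self._next_ext, self._next_ext + 1
            self.inside_to_ext[key] = ext
            self.ext_to_inside[ext] = key
        return self.inside_to_ext[key]

    def on_inbound_gre(self, pkt: bytes):
        """Data channel, server -> NAT: the GRE key is the rewritten Call ID the
        server learned; map it back to the inside host and restore the original.
        Returns None (drop) when no control-channel state exists for that ID."""
        ext = parse_pptp_gre(pkt)
        if ext not in self.ext_to_inside:
            return None
        inside_ip, orig_call_id = self.ext_to_inside[ext]
        return inside_ip, build_pptp_gre(orig_call_id, pkt[8:])
```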



* RE: Can't forward Win2k VPN through NAT
From: Don Woodruff @ 2002-09-06 20:24 UTC
  To: netfilter

> I agree that PPTP is an independent standard, and not a M$-developed
> protocol, however I consider it to be by far an inferior way to set up a
> VPN than IPsec, and therefore I disapprove of Win2k for having provided
> users with PPTP and not IPsec.
>
> Also, I believe that PPTP has significantly greater problems than IPsec
> with NAT.   Basically IPsec in transport mode does not work through NAT at
> all, but IPsec in tunnel mode works without any need for helpers etc.   As
> far as I'm aware, there are limitations on the number of concurrent PPTP
> sessions you can maintain through a single NAT device (because of the
> address information embedded in PPTP, not because of anything to do with
> the device), whereas there is no such limitation with IPsec in tunnel mode.


Agreed -- IPSEC is better. Again -- it is the protocol that is lacking.
 
> > As a business-owner, my new focus is "whatever provides the greatest
> > profit margin coupled with the most satisfactory experience for the
> > customer".
>
> I'm afraid here again I'm going to use Microsoft as an example that these
> two objectives can easily turn out to be mutually exclusive (or at least,
> competing rivals).

Hmmm, I'd have to say that this is more the reseller/consultant's fault
than MS'. The biggest contributor to the aforementioned conflict is the
VAR/reseller who sells one line of solutions (more often than not
Windows, since it is easy and requires minimal technical expertise),
rather than the vendor. If I made a crappy car that everybody loved and
bought in droves, what impetus would I have to improve it? People
continue to buy cars, despite the fact that it is highly likely that the
car & oil merchants have kept innovation to a minimum in order to sell
more units. Unfortunately there is no open-source auto manufacturer :)




* RE: Can't forward Win2k VPN through NAT
From: Stewart Thompson @ 2002-09-06 21:13 UTC
  To: Antony Stone, Netfilter mailinglist

Hi Antony:

	Off the top of your head, do you know in which version of iptables
pptp_conntrack_nat was first implemented?

Stu..........


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: September 6, 2002 7:22 AM
To: Netfilter mailinglist
Subject: Re: Can't forward Win2k VPN through NAT

On Friday 06 September 2002 1:42 pm, Roy Sigurd Karlsbakk wrote:

> hi all
>
> I have this fw as sketched below. What I want, is to enable win2k VPN
> connection NATed into 192.168.144.24.
>
> Can someone help me here? It just doesn't work ...

You're right.   It doesn't work.

PPTP doesn't like being NATted, because it embeds addressing information
inside the protocol.

You need to load the pptp helper module in netfilter to stand any chance of
getting this going.   Look for pptp_conntrack_nat.

I think the sig on your email was highly appropriate to the situation,
however:

"Computers are like air conditioners.
They stop working when you open Windows."

Antony.

--

You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner




* Re: Can't forward Win2k VPN through NAT
From: Antony Stone @ 2002-09-06 21:22 UTC
  To: Netfilter mailinglist

On Friday 06 September 2002 10:13 pm, Stewart Thompson wrote:

> Hi Antony:
>
> 	Off the top of your head, do you know in which version of iptables
> pptp_conntrack_nat was first implemented?

No idea - sorry.

All I can say is that I've seen many postings on this list over the weeks and 
months about people trying to get PPTP working effectively (especially 
through iptables and NAT), so you should be able to find plenty of 
information in the archives at http://lists.netfilter.org/pipermail/netfilter

Antony.

-- 

This is not a rehearsal.
This is Real Life.



* RE: Can't forward Win2k VPN through NAT
From: Stewart Thompson @ 2002-09-06 21:46 UTC
  To: Antony Stone, Netfilter mailinglist

Hi Antony:

	I have seen the same posts, and judging by the replies, or lack
thereof, it has generally been a dismal failure. I don't have a pressing
need for VPN right now, but I can see the possibility in the future, so I
have been following the discussion. Thanks.

Stu..........


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: September 6, 2002 2:22 PM
To: Netfilter mailinglist
Subject: Re: Can't forward Win2k VPN through NAT

On Friday 06 September 2002 10:13 pm, Stewart Thompson wrote:

> Hi Antony:
>
>       Off the top of your head, do you know in which version of iptables
> pptp_conntrack_nat was first implemented?

No idea - sorry.

All I can say is that I've seen many postings on this list over the weeks
and months about people trying to get PPTP working effectively (especially
through iptables and NAT), so you should be able to find plenty of
information in the archives at http://lists.netfilter.org/pipermail/netfilter

Antony.

--

This is not a rehearsal.
This is Real Life.




* Re: Can't forward Win2k VPN through NAT
From: Jeff McAdams @ 2002-09-07  2:37 UTC
  To: netfilter


Thus spake Antony Stone:
>On Friday 06 September 2002 5:15 pm, Don Woodruff wrote:
>> Is this really fair? While Windows uses pptp, I believe it is
>> actually RFC 2637. PopTop is a perfectly workable pptp solution for
>> Linux -- so pptp tunnelling is not really a "Windows" issue. While I
>> would prefer to use IPSEC where possible, the same issues with NAT
>> still exist (in a similar config).

>I agree that PPTP is an independent standard, and not a M$-developed
>protocol,

No, PPTP is indeed a MS-developed thing.  The RFC for PPTP (and I can't
confirm that 2637 is right, but have no reason to doubt that) is
"Informational", meaning that it hasn't gone through the IETF process of
standard development and can be quite a crappy protocol (which it is,
IMO).  For reference, PPPoE is also an informational protocol; L2TP is
Standards Track (so it has gone through the IETF process).

>however I consider it to be by far an inferior way to set up
>a VPN than IPsec, and therefore I disapprove of Win2k for having
>provided users with PPTP and not IPsec.

You also might consider IPSec along with L2TP depending on your needs.
-- 
Jeff McAdams                            Email: jeffm@iglou.com
Head Network Administrator              Voice: (502) 966-3848
IgLou Internet Services                        (800) 436-4456


