* NAT and VPN
@ 2004-06-03 16:53 Derek Storvik
  2004-06-03 18:00 ` John A. Sullivan III
  0 siblings, 1 reply; 4+ messages in thread
From: Derek Storvik @ 2004-06-03 16:53 UTC (permalink / raw)
  To: netfilter


I'm having trouble with NAT and VPN.

I have a Linux server running Fedora Core 1 that is a
NAT/FIREWALL/VLAN/DHCP server for a large client network.

Internet
  |
  |
Linux
  |
  |
Large network with many vlans and 1000 nodes or so.

The internal network is natted to the 10.0.0.0 network and my clients
cannot VPN out to the internet. Specifically, they get back an error
619.

What has to be done to allow VPN to traverse through the firewall and
NAT? At the moment the firewall rules are wide open to make sure that
isn't my issue.

Any help would be appreciated.

----------------------------------
Derek Storvik
Network & Systems Administrator
ConsulTech, LLC

Phone: 812.323.8324
Fax: 812.323.1272
E-mail: dstorvik@consultech.net

1441 Fenbrook Lane
Bloomington, IN 47401
----------------------------------

* RE: NAT and VPN
@ 2004-06-03 17:26 Aldo Lagana
  0 siblings, 0 replies; 4+ messages in thread
From: Aldo Lagana @ 2004-06-03 17:26 UTC (permalink / raw)
  To: 'Derek Storvik', netfilter


What VPN?  Cisco IPSec client?  Other IPSec clients?  PoPToP?.....

Yes, it matters.

For Poptop, there is a module ip_nat_pptp.

I think for IPSec there are other netfilter modules to provide VPN over a
NAT connection.

The reason why is that VPNs require that the packets are not touched (they
have a checksum stored within each packet which it checks against) and NAT
breaks that - it changes the packet, thus changing the new checksum value,
thus breaking the VPN.

So you need to find out which VPN it is and you need to google if there is a
Netfilter module available for it!
 
 

* RE: NAT and VPN
@ 2004-06-03 20:58 Derek Storvik
  0 siblings, 0 replies; 4+ messages in thread
From: Derek Storvik @ 2004-06-03 20:58 UTC (permalink / raw)
  To: netfilter


What VPN?  Cisco IPSec client?  other IPSec clients?  PoPToP?.....

yes it matters

<snip>

It is PPTP.  A Windows client to a VPN server on a university campus.

Derek

________________________________

From: Aldo Lagana [mailto:ALagana@p21.com]
Sent: Thursday, June 03, 2004 2:43 PM
To: Derek Storvik
Subject: RE: NAT and VPN

then all you need to do is to either:

# modprobe ip_nat_pptp

OR

include NAT PPTP in your kernel configuration and recompile the kernel

works great for me!

Ok here is the stupid question. I do that and I get the following.  What
all do I need to do? Path things? Recompile?

[root@Furies root]# modprobe ip_nat_pptp
modprobe: Can't locate module ip_nat_pptp

Thanks for the help

   Derek
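
Added example (not part of the original thread, and not code from any poster): modprobe reports "Can't locate module" when no module file of that name exists in the running kernel's module tree, so a first check is whether the PPTP helpers were built for that kernel at all. The function names, the companion conntrack helper ip_conntrack_pptp, and the later nf_* module names are assumptions added here; only ip_nat_pptp appears in the thread.

```shell
#!/bin/sh
# Added example: check whether the PPTP NAT/conntrack helpers exist in a
# kernel module tree, to explain "Can't locate module ip_nat_pptp".

# find_module MODROOT NAME
# Prints the path of the first module file called NAME (2.4 ".o", 2.6+ ".ko",
# optionally compressed). Returns 1 if the tree holds no such file.
find_module() {
    modroot=$1; name=$2
    [ -d "$modroot" ] || return 1
    hit=$(find "$modroot" -type f \( -name "$name.o" -o -name "$name.ko" \
            -o -name "$name.ko.gz" -o -name "$name.ko.xz" \
            -o -name "$name.ko.zst" \) 2>/dev/null | head -n 1)
    [ -n "$hit" ] && printf '%s\n' "$hit"
}

# pptp_helper_report MODROOT
# Prints one line per helper and returns 0 only if both the connection
# tracking helper and the NAT helper are present under either naming scheme.
pptp_helper_report() {
    modroot=$1; missing=0
    for pair in "ip_conntrack_pptp nf_conntrack_pptp" "ip_nat_pptp nf_nat_pptp"; do
        found=""
        for name in $pair; do
            if path=$(find_module "$modroot" "$name"); then
                found="$name ($path)"; break
            fi
        done
        if [ -n "$found" ]; then
            echo "present: $found"
        else
            # Nothing to load: the helper must be enabled in the kernel
            # configuration (or patched in) and the kernel/modules rebuilt.
            echo "missing: ${pair% *} (not built for this kernel)"
            missing=1
        fi
    done
    return $missing
}

# Check the live kernel only when asked: sh check_pptp.sh --run
if [ "${1:-}" = "--run" ]; then
    pptp_helper_report "/lib/modules/$(uname -r)"
fi
```

A "missing" line means modprobe has nothing to load for that kernel, which matches the second option given in the thread: include NAT PPTP in the kernel configuration and recompile.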

 

 

