RE: VPN through the firewall

All of lore.kernel.org
 help / color / mirror / Atom feed

* RE: VPN through the firewall
@ 2005-03-02 22:47 Gary W. Smith
  2005-03-03 21:57 ` Marty Phee
  0 siblings, 1 reply; 9+ messages in thread
From: Gary W. Smith @ 2005-03-02 22:47 UTC (permalink / raw)
  To: Marty Phee, netfilter

Marty, 

If you are NAT'ing you will need to check out the pptp conntrack modules which would probably require a kernel recompile.

Gary Smith

________________________________

From: netfilter-bounces@lists.netfilter.org on behalf of Marty Phee
Sent: Wed 3/2/2005 2:33 PM
To: netfilter@lists.netfilter.org
Subject: VPN through the firewall

I've got a SUSE box running my home firewall and a WinXP work machine
that I use to VPN into the office network.  Before I put this SUSE 9.2
in I had a Mandrake 9.1 box that worked just fine.

Everything but my VPN connection to the office works.

I've added all kinds of rules to try to get this to work, but nothings
working.  I don't see any packets getting dropped/rejected.  It looks
like it makes the connection to the vpn server, but it's not verifying
the password.

With Ethereal I see this:
Source: 129.230.241.140
Destination: 192.168.0.73
Protocol: EAP
Info: Request, EAP-TLS [RFC2716] [Aboba]

That line just keeps repeating until it timesout with a 619 on the
windows machine.

Help would be greatly appreciated!

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: VPN through the firewall
  2005-03-02 22:47 VPN through the firewall Gary W. Smith
@ 2005-03-03 21:57 ` Marty Phee
  0 siblings, 0 replies; 9+ messages in thread
From: Marty Phee @ 2005-03-03 21:57 UTC (permalink / raw)
  To: netfilter

ip_conntrack is there.  Is that the same?

ip6t_state              2304  23
ip6_conntrack          43744  1 ip6t_state
ipt_state               2432  35
ip6t_REJECT             7936  3
ipt_REJECT              7680  3
iptable_mangle          3456  1
iptable_filter          3584  1
ip6table_mangle         3200  0
ip_nat_ftp              6096  0
iptable_nat            25804  1 ip_nat_ftp
ip_conntrack_ftp       73712  1 ip_nat_ftp
ip_conntrack           49312  4 
ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp
ip_tables              18944  10 
ipt_TOS,ipt_policy,ipt_LOG,ipt_limit,ipt_pkttype,ipt_state,ipt_REJECT,iptable_mangle,iptable_filter,iptable_nat
ip6table_filter         3328  1
ip6_tables             20112  6 
ip6t_LOG,ip6t_limit,ip6t_state,ip6t_REJECT,ip6table_mangle,ip6table_filter
ipv6                  264096  23 ip6_conntrack,ip6t_REJECT



^ permalink raw reply	[flat|nested] 9+ messages in thread

* RE: VPN through the firewall
@ 2005-03-04  5:47 Gary W. Smith
  0 siblings, 0 replies; 9+ messages in thread
From: Gary W. Smith @ 2005-03-04  5:47 UTC (permalink / raw)
  To: Gary W. Smith, Marty Phee, netfilter; +Cc: James Cameron


Here is some additional details regarding the problem:

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=275

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=302

My problem is though RHEL3 is based on 2.4 its network is based on 2.6
which screws things up.  RHEL4 is based on 2.6 but it doesn't work there
either.  The 2.4.29 works but it kills all of the RHEL3 applications
because of an incompatibility with glibc.

If you have an older kernel that you can go back to or if you can use
the vanilla kernel under 2.4.29 then you can get it to work.  Otherwise
we will have to await the changes from the Netfilter team.  Phil and
Harold have been a big help in getting to the cause (and getting me some
additional experience in compiling kernels).

Gary 

> -----Original Message-----
> From: Gary W. Smith
> Sent: Thursday, March 03, 2005 9:39 PM
> To: 'Marty Phee'; 'netfilter@lists.netfilter.org'
> Cc: 'James Cameron'; 'opie@817west.com'
> Subject: RE: VPN through the firewall
> 
> It's odd but for some reasons it only fails with Microsoft PPTP
> implementation.  It seems to be too picky about something.
Unfortunately
> my c skills are rusty and I'm usually strapped for time otherwise I
would
> delve into it and try to help them out.
> 
> I'm inclined to include James Cameron in this (from the pptp and
poptop
> sites) as he seems to have a much better understanding of the protocol
> than I do.  Maybe he can help out so we can try to implement the
> functionality in the 2.6 kernel.
> 
> Gary
> 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Marty Phee
> > Sent: Thursday, March 03, 2005 3:22 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: VPN through the firewall
> >
> >  > Gary W. Smith can speak to this much better than myself, but 2.6
+
> >  > pptp/gre conntrack/nat is not a winning combo, AFAIK...
> >
> > That sucks.  Why exactly?  What causes problems.
> >


^ permalink raw reply	[flat|nested] 9+ messages in thread

* RE: VPN through the firewall
@ 2005-03-04  5:39 Gary W. Smith
  0 siblings, 0 replies; 9+ messages in thread
From: Gary W. Smith @ 2005-03-04  5:39 UTC (permalink / raw)
  To: Marty Phee, netfilter; +Cc: James Cameron

It's odd but for some reasons it only fails with Microsoft PPTP
implementation.  It seems to be too picky about something.
Unfortunately my c skills are rusty and I'm usually strapped for time
otherwise I would delve into it and try to help them out.

I'm inclined to include James Cameron in this (from the pptp and poptop
sites) as he seems to have a much better understanding of the protocol
than I do.  Maybe he can help out so we can try to implement the
functionality in the 2.6 kernel.

Gary 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Marty Phee
> Sent: Thursday, March 03, 2005 3:22 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: VPN through the firewall
> 
>  > Gary W. Smith can speak to this much better than myself, but 2.6 +
>  > pptp/gre conntrack/nat is not a winning combo, AFAIK...
> 
> That sucks.  Why exactly?  What causes problems.
> 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* VPN through the firewall
@ 2005-03-02 22:33 Marty Phee
  2005-03-02 23:22 ` Jason Opperisano
  0 siblings, 1 reply; 9+ messages in thread
From: Marty Phee @ 2005-03-02 22:33 UTC (permalink / raw)
  To: netfilter

I've got a SUSE box running my home firewall and a WinXP work machine 
that I use to VPN into the office network.  Before I put this SUSE 9.2 
in I had a Mandrake 9.1 box that worked just fine.

Everything but my VPN connection to the office works.

I've added all kinds of rules to try to get this to work, but nothings 
working.  I don't see any packets getting dropped/rejected.  It looks 
like it makes the connection to the vpn server, but it's not verifying 
the password.

With Ethereal I see this:
Source: 129.230.241.140
Destination: 192.168.0.73
Protocol: EAP
Info: Request, EAP-TLS [RFC2716] [Aboba]

That line just keeps repeating until it timesout with a 619 on the 
windows machine.

Help would be greatly appreciated!

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: VPN through the firewall
  2005-03-02 22:33 Marty Phee
@ 2005-03-02 23:22 ` Jason Opperisano
  2005-03-03 21:56   ` Marty Phee
  0 siblings, 1 reply; 9+ messages in thread
From: Jason Opperisano @ 2005-03-02 23:22 UTC (permalink / raw)
  To: netfilter

On Wed, 2005-03-02 at 17:33, Marty Phee wrote:
> I've got a SUSE box running my home firewall and a WinXP work machine 
> that I use to VPN into the office network.  Before I put this SUSE 9.2 
> in I had a Mandrake 9.1 box that worked just fine.
> 
> Everything but my VPN connection to the office works.

by VPN, do you mean PPTP?

-j

--
"Beer. Now there's a temporary solution."
	--The Simpsons



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: VPN through the firewall
  2005-03-02 23:22 ` Jason Opperisano
@ 2005-03-03 21:56   ` Marty Phee
  2005-03-03 22:29     ` Jason Opperisano
  0 siblings, 1 reply; 9+ messages in thread
From: Marty Phee @ 2005-03-03 21:56 UTC (permalink / raw)
  To: netfilter

Yes, PPTP I believe.

Jason Opperisano wrote:
> On Wed, 2005-03-02 at 17:33, Marty Phee wrote:
> 
>>I've got a SUSE box running my home firewall and a WinXP work machine 
>>that I use to VPN into the office network.  Before I put this SUSE 9.2 
>>in I had a Mandrake 9.1 box that worked just fine.
>>
>>Everything but my VPN connection to the office works.
> 
> 
> by VPN, do you mean PPTP?
> 
> -j
> 
> --
> "Beer. Now there's a temporary solution."
> 	--The Simpsons
> 
> 
> 



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: VPN through the firewall
  2005-03-03 21:56   ` Marty Phee
@ 2005-03-03 22:29     ` Jason Opperisano
  2005-03-03 23:22       ` Marty Phee
  0 siblings, 1 reply; 9+ messages in thread
From: Jason Opperisano @ 2005-03-03 22:29 UTC (permalink / raw)
  To: netfilter

On Thu, Mar 03, 2005 at 03:56:12PM -0600, Marty Phee wrote:
> Yes, PPTP I believe.

mmm hmmm...

> Jason Opperisano wrote:
> >On Wed, 2005-03-02 at 17:33, Marty Phee wrote:
> >
> >>I've got a SUSE box running my home firewall and a WinXP work machine 
> >>that I use to VPN into the office network.  Before I put this SUSE 9.2 

suse 9.2 == 2.6 kernel-based

> >>in I had a Mandrake 9.1 box that worked just fine.

mandrake 9.1 == 2.4 kernel-based

mandrake also had a tendency to ship the pptp/gre conntrack/nat kernel
modules as part of their kernels...

Gary W. Smith can speak to this much better than myself, but 2.6 +
pptp/gre conntrack/nat is not a winning combo, AFAIK...

-j

--
"Alright brain, you don't like me and I don't like you. But let's just
 get through this and then I can get back to killing you with beer."
        --The Simpsons


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: VPN through the firewall
  2005-03-03 22:29     ` Jason Opperisano
@ 2005-03-03 23:22       ` Marty Phee
  0 siblings, 0 replies; 9+ messages in thread
From: Marty Phee @ 2005-03-03 23:22 UTC (permalink / raw)
  To: netfilter

 > Gary W. Smith can speak to this much better than myself, but 2.6 +
 > pptp/gre conntrack/nat is not a winning combo, AFAIK...

That sucks.  Why exactly?  What causes problems.

Jason Opperisano wrote:
> On Thu, Mar 03, 2005 at 03:56:12PM -0600, Marty Phee wrote:
> 
>>Yes, PPTP I believe.
> 
> 
> mmm hmmm...
> 
> 
>>Jason Opperisano wrote:
>>
>>>On Wed, 2005-03-02 at 17:33, Marty Phee wrote:
>>>
>>>
>>>>I've got a SUSE box running my home firewall and a WinXP work machine 
>>>>that I use to VPN into the office network.  Before I put this SUSE 9.2 
> 
> 
> suse 9.2 == 2.6 kernel-based
> 
> 
>>>>in I had a Mandrake 9.1 box that worked just fine.
> 
> 
> mandrake 9.1 == 2.4 kernel-based
> 
> mandrake also had a tendency to ship the pptp/gre conntrack/nat kernel
> modules as part of their kernels...
> 
> Gary W. Smith can speak to this much better than myself, but 2.6 +
> pptp/gre conntrack/nat is not a winning combo, AFAIK...
> 
> -j
> 
> --
> "Alright brain, you don't like me and I don't like you. But let's just
>  get through this and then I can get back to killing you with beer."
>         --The Simpsons
> 
> 



^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2005-03-04  5:47 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-02 22:47 VPN through the firewall Gary W. Smith
2005-03-03 21:57 ` Marty Phee
  -- strict thread matches above, loose matches on Subject: below --
2005-03-04  5:47 Gary W. Smith
2005-03-04  5:39 Gary W. Smith
2005-03-02 22:33 Marty Phee
2005-03-02 23:22 ` Jason Opperisano
2005-03-03 21:56   ` Marty Phee
2005-03-03 22:29     ` Jason Opperisano
2005-03-03 23:22       ` Marty Phee

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.