From: "Derek Storvik"
Subject: NAT and VPN
Date: Thu, 3 Jun 2004 11:53:16 -0500
To: netfilter@lists.netfilter.org

I'm having trouble with NAT and VPN.

I have a Linux server running Fedora Core 1 that is a NAT/FIREWALL/VLAN/DHCP server for a large client network.

Internet
  |
  |
Linux
  |
  |
Large network with many vlans and 1000 nodes or so.

The internal network is natted to the 10.0.0.0 network and my clients cannot VPN out to the internet. Specifically they get back an error 619.

What has to be done to allow VPN to traverse through the firewall and NAT? At the moment the firewall rules are wide open to make sure that isn't my issue.

Any help would be appreciated.

----------------------------------
Derek Storvik
Network & Systems Administrator
ConsulTech, LLC

Phone: 812.323.8324
Fax: 812.323.1272
E-mail: dstorvik@consultech.net

1441 Fenbrook Lane
Bloomington, IN 47401
----------------------------------
From: "John A. Sullivan III"
Subject: Re: NAT and VPN
Date: Thu, 03 Jun 2004 14:00:37 -0400
To: Derek Storvik
Cc: netfilter@lists.netfilter.org

On Thu, 2004-06-03 at 12:53, Derek Storvik wrote:
> I'm having trouble with NAT and VPN.
>
> I have a Linux server running Fedora Core 1 that is a
> NAT/FIREWALL/VLAN/DHCP server for a large client network.
>
> Internet
>   |
>   |
> Linux
>   |
>   |
> Large network with many vlans and 1000 nodes or so.
>
> The internal network is natted to the 10.0.0.0 network and my clients
> cannot VPN out to the internet. Specifically they get back an error
> 619.
>
> What has to be done to allow VPN to traverse through the firewall and
> NAT? At the moment the firewall rules are wide open to make sure
> that isn't my issue.

A few questions . . .

What type of VPN are they attempting to access? I assume they are using some kind of VPN client and you are not talking about a site to site connection. What client are they using?

If you are using an IPSec client, one either needs to give each a dedicated one-to-one mapped public address or use NAT Traversal (must be enabled on both sides of the connection).

Are you sure that the client is comfortable allowing people on the inside to VPN to some connection on the outside? There is a real possibility that whatever is on the other side will now be able to access your client's internal network through the same VPN connection.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net


From: "Derek Storvik"
Subject: RE: NAT and VPN
Date: Thu, 3 Jun 2004 15:58:05 -0500
To: netfilter@lists.netfilter.org

________________________________
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Derek Storvik
Sent: Thursday, June 03, 2004 11:53 AM
To: netfilter@lists.netfilter.org
Subject: NAT and VPN

> I'm having trouble with NAT and VPN.
>
> I have a Linux server running Fedora Core 1 that is a NAT/FIREWALL/VLAN/DHCP server for a large client network.
>
> Internet
>   |
>   |
> Linux
>   |
>   |
> Large network with many vlans and 1000 nodes or so.
>
> The internal network is natted to the 10.0.0.0 network and my clients cannot VPN out to the internet. Specifically they get back an error 619.
>
> What has to be done to allow VPN to traverse through the firewall and NAT? At the moment the firewall rules are wide open to make sure that isn't my issue.

> What VPN? Cisco IPSec client? other IPSec clients? PoPToP?.....
>
> yes it matters
>
> <snip>

It is PPTP. A Windows client to a VPN server on a university campus.

Derek

________________________________
From: Aldo Lagana [mailto:ALagana@p21.com]
Sent: Thursday, June 03, 2004 2:43 PM
To: Derek Storvik
Subject: RE: NAT and VPN

> then all you need to do is to either:
>
> # modprobe ip_nat_pptp
>
> OR
>
> include NAT PPTP in your kernel configuration and recompile the kernel
>
> works great for me!

Ok, here is the stupid question. I do that and I get the following. What all do I need to do? Path things? Recompile?

    [root@Furies root]# modprobe ip_nat_pptp
    modprobe: Can't locate module ip_nat_pptp

Thanks for the help
   Derek
From: Aldo Lagana
Subject: RE: NAT and VPN
Date: Thu, 3 Jun 2004 13:26:22 -0400
To: 'Derek Storvik', netfilter@lists.netfilter.org

What VPN? Cisco IPSec client? other IPSec clients? PoPToP?.....

yes it matters

for Poptop - there is a module ip_nat_pptp

I think for IPSec there are other netfilter modules to provide VPN over a NAT connection.

The reason why is that VPNs require that the packets are not touched (they have a checksum stored within each packet which it checks against) and NAT breaks that - it changes the packet, thus changing the new checksum value, thus breaking the VPN.

so

you need to find out which VPN it is and you need to google if there is a Netfilter module available for it!

-----Original Message-----
From: Derek Storvik [mailto:dstorvik@consultech.net]
Sent: Thursday, June 03, 2004 12:53 PM
To: netfilter@lists.netfilter.org
Subject: NAT and VPN

> I'm having trouble with NAT and VPN.
>
> I have a Linux server running Fedora Core 1 that is a NAT/FIREWALL/VLAN/DHCP server for a large client network.
>
> Internet
>   |
>   |
> Linux
>   |
>   |
> Large network with many vlans and 1000 nodes or so.
>
> The internal network is natted to the 10.0.0.0 network and my clients cannot VPN out to the internet. Specifically they get back an error 619.
>
> What has to be done to allow VPN to traverse through the firewall and NAT? At the moment the firewall rules are wide open to make sure that isn't my issue.
>
> Any help would be appreciated.
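Added example, not code from the thread or from netfilter: a hypothetical Python model of why the PPTP data channel needs the NAT helper the replies name (ip_nat_pptp). PPTP carries PPP inside enhanced GRE, which has no ports, only a Call ID, so a port-based masquerade cannot tell two internal clients apart; the two NAT classes, the addresses and the call IDs below are constructed for the demonstration.

```python
import struct

GRE_PPTP_PROTO = 0x880B  # PPP frames inside enhanced GRE (RFC 2637)

def build_pptp_gre(call_id, payload):
    """Constructed enhanced-GRE header: K bit set, version 1, then the payload."""
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PPTP_PROTO,
                       len(payload), call_id) + payload

def gre_call_id(gre):
    """The Call ID is the only per-session field a NAT can key on; GRE has no ports."""
    flags, ver, proto, _length, call_id = struct.unpack("!BBHHH", gre[:8])
    if proto != GRE_PPTP_PROTO or (ver & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not a PPTP enhanced-GRE packet")
    return call_id

class PortlessNat:
    """Hypothetical masquerading NAT with no PPTP helper: server replies can
    only be matched on the server address, so one client per server."""
    def __init__(self):
        self.owner = {}  # server ip -> the one internal client it can map

    def register_call(self, client_ip, server_ip, call_id):
        # seen on the TCP/1723 control channel (Outgoing-Call-Request)
        if self.owner.get(server_ip, client_ip) != client_ip:
            return None  # reply tuple would not be unique: second client dropped
        self.owner[server_ip] = client_ip
        return call_id  # forwarded unchanged

    def inbound(self, server_ip, gre):
        return self.owner.get(server_ip), gre

class PptpHelperNat:
    """Hypothetical NAT with a PPTP helper (the role ip_nat_pptp plays): give
    each client a unique Call ID toward the server and translate it back."""
    def __init__(self):
        self.next_id, self.calls = 0x1000, {}  # (server, public id) -> (client, orig id)

    def register_call(self, client_ip, server_ip, call_id):
        public_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[(server_ip, public_id)] = (client_ip, call_id)
        return public_id  # the ID the server will put in its GRE packets

    def inbound(self, server_ip, gre):
        entry = self.calls.get((server_ip, gre_call_id(gre)))
        if entry is None:
            return None, gre  # unknown call: nothing to deliver to
        client_ip, orig_id = entry
        return client_ip, build_pptp_gre(orig_id, gre[8:])  # restore client's ID
```

With two clients behind the same public address dialling the same server, the helperless NAT can map only the first; the helper keeps both calls distinct and hands each inbound GRE packet to the right client with its original Call ID restored.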