Hi,

I had the same problems with GRE not passing through to a server behind the firewall. I then used kernel 2.4.22 and the latest pom snapshot (patch-o-matic-20030831) with iptables 1.2.8 and GRE passed through.

However, after testing I notice now that although PPTP connections to a win2000 server behind the firewall work, the connection is not reliable. After 3 to 4 minutes the connection is closed for some unknown reason and people have to re-establish the connection.

Anyone experiencing this problem also?

Regards
Wim

Jamie Vuyk wrote:

>Hello,
>
>I hope this will be a simple post that can lay to rest what a lot of
>people appear to be having trouble with. I have read a massive amount
>of posts all over the web and there seems to be much confusion in this
>simple matter.
>
>Basically there are two aspects to my problems:
>
>1) Does the standard kernel (RH 2.4.18) need to be patched in any
>way in order to PASS THROUGH proto 47 (GRE) to an internal server? I'm
>running a simple iptables firewall which I want to pass an external PPTP
>VPN connection through to an internal server. It is most important to
>note that the firewall is masquerading all connections, which I think is
>where the confusion lies. As I understand, if I want Linux to terminate
>the PPTP VPN I need a patch, if I want it to pass through I don't.
>However, I am having a lot of trouble getting this to work and I would
>like to know if I'm on the right track.
>
>2) Given that I don't have to patch anything and it all should "just
>work"... I have set up my firewall to allow and forward the 1723 to my
>internal server. This appears to work but the external Win2k box gets
>stuck on "verifying username and password". This eventually times out
>with "disconnected". A simple test was to Telnet to port 1723.
>Although there is no response as such from the server (expected), it does
>connect with a blank screen both internally and externally, suggesting
>the forwarding is working ok. At what point does the 1723 data exchange
>end and the "payload" as such start on the GRE protocol? Is GRE
>involved in the 'verifying username and password' stage or is that still
>TCP on 1723? Just so you are aware, I have the rest of the firewall
>fully operational with various port forwards etc. that work fine. It is
>essentially only the VPNs that are giving me grief.
>
>If you could get some basic info I may be able to troubleshoot this and
>get it operational.
>
>Cheers in advance for your help.
>
>J

--
Wim Ceulemans
R&D Engineer
Secure Internet Communication with aXs Guard
Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be