pptp_conntrack_nat and kernel 2.6.15

pptp_conntrack_nat and kernel 2.6.15

[Jesus M. Salvo Jr.]

Sorry for the introduction to my problem, but I felt it relevant in what I am 
trying to do.

I have setup a gateway  with IP and VPN / PPTP masquerading using a 2.6 kernel 
( FC3 ). I am also using the following as a base:

	
http://www.e-infomax.com/ipmasq/howto/c-html/firewall-examples.html#RC.FIREWALL-2.4.X

However, only one client at a time from within the LAN can connect to a
remote PPTP server. 

Based on Section 2.7 of this URL:

        http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-2.html

... one should ensure that "PPTP Call ID masquerade" is enabled on the
kernel to allow multiple clients to connect to a remote PPTP server. 

However, according to this:

        http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-3.html

The kernel option CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT is only for 2.0
kernels, and with 2.2 kernels, it seemed to have been replaced with
CONFIG_IP_MASQUERADE_PPTP:

CONFIG_IP_MASQUERADE_PPTP
    - Enables PPTP data channel masquerading, if you are
      masquerading a PPTP client or server. This is now
      available as a module.
      Note that you no longer need to specify Call-ID masquerade.

Now for 2.6 kernels, it seems that one has to use the pptp_conntrack_nat 
path-o-matic. However, based on  this posting to this mailing list:

	http://lists.netfilter.org/pipermail/netfilter/2005-October/063045.html

.... that the pptp_conntrack_nat patch has been accepted to the mainline 
kernel. So I downloaded the 2.6 kernel and also checked the changelog. Looks 
like I need to enable IP_NF_PPTP and IP_NF_NAT_PPTP.


So am I right to assume that:

1) The patch-o-matic for pptp_conntrack_nat is no longer needed if one uses 
2.6.15 kernels ?

2) A linux gateway with 2.6.15 kernel and IP and VPN masquerading and with the 
above modules loaded  will finally allow mutliple clients within the LAN to 
connect to a remote PPTP server ??

Thanks.

John

Re: pptp_conntrack_nat and kernel 2.6.15

[Jesus M. Salvo Jr.]

On Tuesday 03 January 2006 22:53, Jesus M. Salvo Jr. wrote:
>
> So am I right to assume that:
>
> 1) The patch-o-matic for pptp_conntrack_nat is no longer needed if one uses
> 2.6.15 kernels ?
>
> 2) A linux gateway with 2.6.15 kernel and IP and VPN masquerading and with
> the above modules loaded  will finally allow mutliple clients within the
> LAN to connect to a remote PPTP server ??
>
> Thanks.
>
> John

Do I need to update iptables from 1.2.11 to 1.3.x for pptp_conntrack_nat to 
work ?

Re: pptp_conntrack_nat and kernel 2.6.15

[Jesus M. Salvo Jr.]

On Tuesday 03 January 2006 22:53, Jesus M. Salvo Jr. wrote:
>
> So am I right to assume that:
>
> 1) The patch-o-matic for pptp_conntrack_nat is no longer needed if one uses
> 2.6.15 kernels ?
>
> 2) A linux gateway with 2.6.15 kernel and IP and VPN masquerading and with
> the above modules loaded  will finally allow mutliple clients within the
> LAN to connect to a remote PPTP server ??
>
> Thanks.
>
> John

I would like to report that multiple outgoing PPTP connections from within a 
LAN via IP / VPN / PPTP masquerading now works with 2.6.15 ... without having 
to use patch-o-matic extras pptp_conntrack_nat

You __will__ have to load the following modules for it to work:

/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack_pptp

Re: pptp_conntrack_nat and kernel 2.6.15

[Eduardo Ukstin]

do you know if this kernel works with ipsec too??

Regards
Eduardo Ukstin


On 1/5/06, Jesus M. Salvo Jr. <jesus.salvo@optusnet.com.au> wrote:
> On Tuesday 03 January 2006 22:53, Jesus M. Salvo Jr. wrote:
> >
> > So am I right to assume that:
> >
> > 1) The patch-o-matic for pptp_conntrack_nat is no longer needed if one uses
> > 2.6.15 kernels ?
> >
> > 2) A linux gateway with 2.6.15 kernel and IP and VPN masquerading and with
> > the above modules loaded  will finally allow mutliple clients within the
> > LAN to connect to a remote PPTP server ??
> >
> > Thanks.
> >
> > John
>
> I would like to report that multiple outgoing PPTP connections from within a
> LAN via IP / VPN / PPTP masquerading now works with 2.6.15 ... without having
> to use patch-o-matic extras pptp_conntrack_nat
>
> You __will__ have to load the following modules for it to work:
>
> /sbin/modprobe ip_nat_pptp
> /sbin/modprobe ip_conntrack_pptp
>
>


--
Eduardo Ukstin
GNU/Linux User #328388

Re: pptp_conntrack_nat and kernel 2.6.15

[Jesus M. Salvo Jr.]

> On 1/5/06, Jesus M. Salvo Jr. <jesus.salvo@optusnet.com.au> wrote:
> > I would like to report that multiple outgoing PPTP connections from
> > within a LAN via IP / VPN / PPTP masquerading now works with 2.6.15 ...
> > without having to use patch-o-matic extras pptp_conntrack_nat
> >
> > You __will__ have to load the following modules for it to work:
> >
> > /sbin/modprobe ip_nat_pptp
> > /sbin/modprobe ip_conntrack_pptp

On Friday 06 January 2006 05:12, Eduardo Ukstin wrote:
> do you know if this kernel works with ipsec too??
>
> Regards
> Eduardo Ukstin
>

I have no idea ... although I cannot see why this or previous kernels cannot 
do so.

I was reading your original post about "VPN rules". Although a bit old, the 
following link will still have some relevant information:

	http://www.faqs.org/docs/Linux-HOWTO/VPN-Masquerade-HOWTO.html

Re: pptp_conntrack_nat and kernel 2.6.15

[Eduardo Ukstin]

Thanks,

I founded this how to, i've solved the problem, but I'll read it!

Regards
Eduardo Ukstin

> I was reading your original post about "VPN rules". Although a bit old, the
> following link will still have some relevant information:
>
>         http://www.faqs.org/docs/Linux-HOWTO/VPN-Masquerade-HOWTO.html

pptp_conntrack_nat and kernel 2.6.15

[lauraf]

Hi gentlemen,

could anybody please confirm that by using kernel 2.6.15 is it now
possible to setup multiple PPTP connections from different  PCs within
the local net, trought a linux box running iptables, toward several
external world PPTP servers ?

thanks a lot for your help

Regards

laura