Koozali.org: home of the SME Server

VPN, PPTP & GRE

Andrew

VPN, PPTP & GRE
« on: May 23, 2001, 06:29:50 PM »
Hi All,
I've been reading through all the threads relating to VPNs and although there has been quite a lot of discussion, I cannot find a solution to our problem. We have E-Smith running as a firewall/gateway on our network, with an NT4 server in the internal network. We need to configure the E-Smith box to be able to forward VPN to the NT4 box; however, we have come across a stumbling block where we can't pass through GRE packets (Protocol 47). Has anybody been able to achieve this? If so, I would be very appreciative if they could point us in the right direction.

Thanks
Andrew.

GL

Re: VPN, PPTP & GRE
« Reply #1 on: May 23, 2001, 09:54:21 PM »
Try this page:

http://www.cag.lcs.mit.edu/~cananian/Projects/IPfwd/

It might prove useful. I haven't used IPfwd with e-smith, but I did use it with a thin Linux used for firewalling and an NT4 server for PPTP. It worked then.

Guy

Nathan Fowler

Re: VPN, PPTP & GRE
« Reply #2 on: May 24, 2001, 02:00:42 AM »
Check this deal out here:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/VPN-Masquerade-HOWTO.html#ss3.13
and
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html


That should help you out some; if it doesn't, let me know. It isn't necessary to patch the E-Smith kernel now because they have incorporated VPN masq; however, to redirect protocol 47/51 there is a utility you can use, located here:
http://cag.lcs.mit.edu/~cananian/Projects/IPfwd/

Make sure you're forwarding TCP 1723, UDP 500, and protocol 47 to the NT Box

Monkey around with ipFWD and also use ipmasqadm portfw.

Thanks,
Nathan

Andrew

Re: VPN, PPTP & GRE
« Reply #3 on: May 24, 2001, 03:39:57 AM »
Thanks for the replies. However, I'm aware of the IPfwd utility, but the only problem is that as E-Smith doesn't have a compiler, how do you use IPfwd with E-Smith? Is it possible to compile it on a Red Hat system and move it over to E-Smith?

Andrew.

Charlie Brady

Re: VPN, PPTP & GRE
« Reply #4 on: May 24, 2001, 03:57:09 AM »
Andrew wrote:
 
> Thanks for the replies, however I'm aware of the IPFwd
> utility but the only problem is that as E-Smith doesn't have a
> compiler, how do you use IPfwd with E-Smith. Is it possible
> to compile it on a Redhat system and move it over to E-Smith??

Certainly - that's how we build the software.

However, you won't have to do that. Go to www.rpmfind.net and find the RPM that you need. But even better, I don't think that you need ipfwd, I believe that you can do what you want with ipchains and ipfwadm, and they are both already installed.

ipchains -I input -p 47 -d x.x.x.x -m 1
ipfwadm mfw -I -m 1 -r y.y.y.y

Where x.x.x.x is your external IP address, and y.y.y.y is the box you want to forward GRE to.

Regards

Charlie
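
Charlie's mark-and-redirect pair, written out as the complete rule set a gateway needs, together with the TCP 1723 port forward Nathan mentioned. This is an added example, not code from the thread or from e-smith; it assumes the kernel 2.2 tools (ipchains, ipmasqadm) and a loaded PPTP masquerade module, and the addresses, interface name and function names are placeholders. One ipchains detail matters for the ordering: a rule that carries -m but no -j only marks the packet and then falls through, so a separate ACCEPT for protocol 47 has to sit below the mark rule or the default DENY still wins.

```shell
#!/bin/sh
# Added example (not from the thread or e-smith): build the ipchains/ipmasqadm
# rule set that forwards a PPTP server sitting behind a kernel-2.2
# masquerading gateway.  Assumes the GRE/PPTP masquerade module is loaded
# and that the input chain ends in a DENY, as e-smith's did.

# Print the rules instead of running them, so they can be reviewed first.
# $1 = gateway's external IP, $2 = internal PPTP server, $3 = external interface
pptp_fwd_rules() {
    ext_ip=$1 int_ip=$2 ext_if=$3
    mark=1   # fwmark linking the ipchains rule to the ipmasqadm mfw entry

    # Cheap sanity check: dotted decimal only, so nothing odd reaches sh.
    for a in "$ext_ip" "$int_ip"; do
        case $a in
            *[!0-9.]* | "" | *..* ) echo "bad address: '$a'" >&2; return 1 ;;
        esac
    done
    [ -n "$ext_if" ] || { echo "missing interface" >&2; return 1; }

    # Everything is -I (insert at the top) so it lands ahead of the DENY rule.
    # Later inserts go above earlier ones, so emit the ACCEPTs first and the
    # mark rule last: a rule with -m but no -j only marks and falls through,
    # so the ACCEPT for GRE must end up below it.
    echo "ipchains -I input -i $ext_if -p tcp -s 0/0 -d $ext_ip 1723 -j ACCEPT"
    echo "ipchains -I input -i $ext_if -p 47 -s 0/0 -d $ext_ip -j ACCEPT"

    # The control channel is plain TCP, so ordinary port forwarding does it.
    echo "ipmasqadm portfw -a -P tcp -L $ext_ip 1723 -R $int_ip 1723"

    # GRE has no ports, so portfw cannot match it.  Mark it on input and let
    # mfw rewrite the destination to the inside host (Charlie's two lines).
    echo "ipchains -I input -i $ext_if -p 47 -d $ext_ip -m $mark"
    echo "ipmasqadm mfw -I -m $mark -r $int_ip"
}

# Apply: pipe the reviewed rules into a shell, as root.
pptp_fwd_apply() {
    pptp_fwd_rules "$@" | sh -e
}

# Usage (placeholder addresses):
#   pptp_fwd_rules 203.0.113.5 192.168.1.10 eth1     # review
#   pptp_fwd_apply 203.0.113.5 192.168.1.10 eth1     # install
```

Run the rules function first and read the five lines it prints; only then apply. Note that UDP 500 is IKE and belongs to IPsec, not PPTP, so it is deliberately absent here.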

Andrew

Re: VPN, PPTP & GRE
« Reply #5 on: May 24, 2001, 04:10:16 AM »
Hiya, I think we're getting closer but when I entered "ipfwadm mfw -I -m 1 -r y.y.y.y" this is the output I got.

Unexpected argument `mfw'.

If this command worked with the original ipfwadm 2.3, please
submit a bug report to `ipchains@rustcorp.com'. Note that you
now need to be root, even to list the chains (complain to Alan Cox).

The best way to do this is to submit the output of `/sbin/ipfwadm --version',
the command used to obtain this error, any previous ipfwadm
commands, and the output of `ipchains-save'.

Then try flushing all the rules `ipchains -F; ipchains -X',
setting the DEBUG_IPFWADM variable `export DEBUG_IPFWADM=1' or
`setenv DEBUG_IPFWADM 1' and rerunning the command(s) which
caused this error.

Any ideas?

Andrew.

Nathan Fowler

Re: VPN, PPTP & GRE
« Reply #6 on: May 24, 2001, 08:20:14 AM »
I think Charlie may have accidentally transposed ipfwadm with ipmasqadm. Try using Charlie's syntax with /usr/sbin/ipmasqadm.

Note that while I have successfully got VPN IPSEC masquerade working I have not attempted to forward incoming VPN.

NF

andrew

Re: VPN, PPTP & GRE
« Reply #7 on: May 24, 2001, 01:43:46 PM »
Hi all,

Still no luck. After viewing /var/log/messages it seems that it is still blocking protocol 47. Should I go ahead and try IPfwd, or does anybody have another idea?

Andrew.
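
A way to check the /var/log/messages evidence Andrew mentions, as an added example that is not part of the thread. It assumes the ipchains rules were added with -l so that the kernel logs each match in the "Packet log:" layout shown in the comments; the sample lines are constructed, not taken from anyone's system, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick out of /var/log/messages the
# ipchains packet-log lines that show PPTP traffic being dropped.
# Assumed log layout, produced by ipchains rules carrying -l:
#   ... kernel: Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)
# Protocols without ports (GRE is 47) show 65535 in both port fields.

# Constructed sample lines standing in for /var/log/messages.
sample_log() {
    cat <<'EOF'
May 24 13:40:01 gw kernel: Packet log: input DENY eth1 PROTO=47 198.51.100.7:65535 203.0.113.5:65535 L=64 S=0x00 I=1234 F=0x0000 T=118 (#7)
May 24 13:40:01 gw kernel: Packet log: input ACCEPT eth1 PROTO=6 198.51.100.7:1041 203.0.113.5:1723 L=60 S=0x00 I=1235 F=0x4000 T=118 SYN (#2)
May 24 13:40:03 gw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.8:1042 203.0.113.5:1723 L=60 S=0x00 I=1236 F=0x4000 T=118 SYN (#7)
May 24 13:40:05 gw kernel: Packet log: input DENY eth1 PROTO=17 198.51.100.9:500 203.0.113.5:500 L=96 S=0x00 I=1237 F=0x0000 T=118 (#7)
May 24 13:40:06 gw sshd[512]: Accepted password for admin from 192.168.1.20
EOF
}

# Report denied/rejected PPTP packets, one per line:
#   <GRE|PPTP-control> <chain> <verdict> <iface> <src> <dst> rule#<n>
# Reads the files given as arguments, or stdin when there are none.
pptp_denied() {
    awk '
    /Packet log:/ {
        # fields after the "log:" token are positional
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); verdict = $(i+2); iface = $(i+3)
        proto = $(i+4); sub(/^PROTO=/, "", proto)
        src = $(i+5); dst = $(i+6)
        rule = $NF; gsub(/[()#]/, "", rule)     # "(#7)" -> "7"
        n = split(dst, d, ":")                  # d[n] is the destination port
        if (verdict != "DENY" && verdict != "REJECT") next
        if (proto == "47")                       kind = "GRE"
        else if (proto == "6" && d[n] == "1723") kind = "PPTP-control"
        else next                                # UDP 500 is IKE, not PPTP
        printf "%s %s %s %s %s %s rule#%s\n", kind, chain, verdict, iface, src, dst, rule
    }' "$@"
}

# Count of dropped PPTP packets: a quick yes/no after changing a rule.
pptp_denied_count() {
    pptp_denied "$@" | wc -l | tr -d ' '
}

# Usage on the real log:  pptp_denied /var/log/messages
# Against the sample:     sample_log | pptp_denied
```

The rule number at the end of each line tells you which ipchains rule dropped the packet, which is the quickest way to see whether a new ACCEPT landed above or below the default DENY.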

Ritchie Logan

Re: VPN, PPTP & GRE
« Reply #8 on: May 26, 2001, 01:33:57 PM »
I have finally got my IPsec client (protocol 50 & UDP port 500) working with a couple of ipchains entries. Using the same syntax and replacing with the PPTP port requirements would indicate that you should try the following:

ipchains -I input -j ACCEPT -p tcp -s 0/0 -d A.B.C.D 1723 -i ethZ
ipchains -I input -j ACCEPT -p 47 -s 0/0 -d A.B.C.D -i ethZ

Replace A.B.C.D with the internal IP address of the NT4 box, and replace ethZ with the correct number for the EXTERNAL interface on your E-Smith box.

Let me know how you get on, and we should document this if it works.

Cheers

Ritchie

Ritchie Logan

Re: VPN, PPTP & GRE
« Reply #9 on: May 26, 2001, 01:48:07 PM »
Whoops... made a mistake in the above.

Replace A.B.C.D in your ipchains commands with the IP address of your external interface on your E-Smith box.

andrew

Re: VPN, PPTP & GRE
« Reply #10 on: May 30, 2001, 09:35:59 AM »
My apologies for taking so long to reply to this. I tried the suggestion by Ritchie, but to no avail. In the end I just set up a VPN link into e-smith and gained access to the NT box. Please note that in my case I have an MS Exchange server on the NT box internally, which is why I required VPN in the first place. The only hiccup came when I connected to e-smith via VPN but my mail client was unable to locate the Exchange server, which only requires an entry in the Windows hosts file to point to the correct internal IP of the Exchange server.

Thanks so much to all that offered advice.

andrew.