[ale] VPN connections through firewall

Gary S MacKay Gary at EdisonInfo.com
Fri Mar 2 09:50:48 EST 2001


From what I've read, port 500 is used by the IPsec protocol. Port 1723
is used by PPTP. FreeSwan uses the more secure IPsec protocol. I'm not
sure about protocols 50 and 51. Haven't seen that yet.

- Gary

Robert Hoffman wrote:
> 
> Don't know if this is the problem but I noticed that the original error message complains about protocol 47. I'm running FreeSwan as a VPN and had to allow protocol 50 and 51 through the firewall with the following rules:
> 
> /sbin/ipchains -A input -p UDP -d 216.4.26.14/32 500 -j ACCEPT
> /sbin/ipchains -A input -p 50 -d 216.4.26.14/32 -j ACCEPT
> /sbin/ipchains -A input -p 51 -d 216.4.26.14/32 -j ACCEPT
> 
> Note that the "-p 50" indicates a protocol, not a port. I don't remember why I had to add the first line offhand; it's probably FreeSwan specific.
> 
> The ip address should be that of the external NIC.
> 
> -Rob Hoffman
> 
> ---------- Original Message ----------------------------------
> From: Gary S MacKay <Gary at EdisonInfo.com>
> Date: Thu, 01 Mar 2001 16:59:02 -0500
> 
> >Don't know if I've seen the exact doc you mention, but yes, I've
> >searched/read everything I can find. I've added ipchains accept and masq
> >rules to my firewall script but still no luck. I did not custom compile
> >the kernel yet, as I was going on the understanding that RedHat had
> >included the patch(s) already. I'm just using the stock 7.0 kernel that
> >was installed by default.
> >
> >- Gary
> >
> >Wandered Inn wrote:
> >>
> >> Gary S MacKay wrote:
> >> >
> >> > I have a Win2K pro machine behind a linux machine running RedHat 7.0
> >> > with 2.2.16-22 kernel. I've installed the ip_masq_pptp module also. When
> >> > I try to connect to the remote site, it will get to the point of
> >> > "Verifying password..." and then timeout. I have verified that the remote
> >> > site works by dialing into the internet via modem from the Win box and I
> >> > can connect to the VPN just fine.
> >>
> >> I'm doing much the same, although mine is behind two separate firewall
> >> machines. You should have added some ipchains to properly pass the
> >> transactions.  There's a really good description in one of the howto's,
> >> vpn-howto or vpn-masq-howto, or something like that.
> >>
> >> Have you seen this doc?
> >>
> >> >
> >> > Problem:
> >> > Whenever I try to connect to a Netopia R910 router at a client site, I
> >> > get these entries from a tcpdump on my firewall:
> >> >
> >> > 10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> >> > 10:51:03.463238 > gre-proto-0x880B (gre encap)
> >> > 10:51:03.813238 < gre-proto-0x880B (gre encap)
> >> > 10:51:03.813238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> >> >
> >> > It just repeats until the Win box times out with an error that a port
> >> > was not connected.
> >> >
> >> > Question:
> >> > What piece of the puzzle am I missing?
> >> >
> >> > - Gary
> >> > --
> >> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> >>
> >> --
> >> Until later: Geoffrey           esoteric at denali.atlnet.com
> >>
> >> "Great spirits have always found violent opposition from mediocre minds. The
> >> latter cannot understand it when a man does not thoughtlessly submit to
> >> hereditary prejudices but honestly and courageously uses his intelligence."
> >> - Albert Einstein
> >
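The thread boils down to one diagnostic and one rule pattern: the tcpdump shows the firewall's own address sending "protocol 47 unreachable", and Rob's ipchains rules show that a VPN needs both its control port and its IP protocol number passed with "-p <number>", not a port. The script below is an added example, not code from this thread, from FreeS/WAN or from the vpn-masq-howto. It re-joins tcpdump records that a mail client wrapped, parses the ICMP protocol-unreachable lines, maps the rejected IP protocol number to the VPN that carries it (47 GRE for PPTP, 50 ESP and 51 AH for IPsec) and emits input rules in the same ipchains shape Rob posted. The sample capture is constructed from Gary's lines with RFC 5737 documentation addresses standing in for "myIP" and "remoteIP"; the external address is an assumption, and the masquerading side (the ip_masq_pptp module and the forward/MASQ rules) is deliberately out of scope.

```python
"""Turn tcpdump 'protocol N unreachable' records into a VPN firewall diagnosis.

Added example modelled on the ALE thread; not the list's, FreeS/WAN's or
the HOWTO's code.  The addresses are documentation placeholders.
"""
import re

# IANA IP protocol numbers that VPN data rides on: number -> (name, VPN type).
IP_PROTOCOLS = {
    47: ("GRE", "PPTP"),
    50: ("ESP", "IPsec"),
    51: ("AH", "IPsec"),
}

# Control / key-exchange channel each VPN type needs besides its IP protocol.
CONTROL_PORTS = {
    "PPTP": [("tcp", 1723)],   # PPTP control connection
    "IPsec": [("udp", 500)],   # IKE (the "port 500" in the thread)
}

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+")

# Matches records of the form Gary posted, e.g.
#   10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
UNREACHABLE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:[<>]\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+"
    r"(?P<target>\S+)\s+protocol\s+(?P<proto>\d+)\s+unreachable"
)


def join_wrapped(lines):
    """Re-join tcpdump records that were wrapped onto a second line in the mail.

    A continuation line is any non-empty line that does not start with a timestamp.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if records and not TIMESTAMP.match(line):
            records[-1] = records[-1] + " " + line
        else:
            records.append(line)
    return records


def parse_unreachables(lines):
    """Return one dict per 'protocol N unreachable' record in the capture."""
    found = []
    for rec in join_wrapped(lines):
        m = UNREACHABLE.match(rec)
        if m:
            found.append({"time": m.group("ts"), "src": m.group("src"),
                          "dst": m.group("dst"), "target": m.group("target"),
                          "proto": int(m.group("proto"))})
    return found


def firewall_rules(vpn, ext_ip):
    """ipchains input rules for one VPN type, in the shape used in the thread.

    One rule for the control port, then one '-p <number>' rule per IP
    protocol that carries the VPN's data (a protocol number, not a port).
    """
    rules = []
    for l4, port in CONTROL_PORTS[vpn]:
        rules.append(f"/sbin/ipchains -A input -p {l4} -d {ext_ip}/32 {port} -j ACCEPT")
    for number, (name, owner) in sorted(IP_PROTOCOLS.items()):
        if owner == vpn:
            rules.append(f"/sbin/ipchains -A input -p {number} -d {ext_ip}/32 -j ACCEPT   # {name}")
    return rules


def diagnose(lines, firewall_ip):
    """Explain what the capture says about VPN traffic at the firewall."""
    hits = parse_unreachables(lines)
    if not hits:
        return {"status": "ok", "message": "no protocol-unreachable errors seen"}
    protos = sorted({h["proto"] for h in hits})
    unknown = [p for p in protos if p not in IP_PROTOCOLS]
    if unknown:
        return {"status": "unknown", "protocols": protos,
                "message": f"unreachable for non-VPN IP protocol(s) {unknown}"}
    vpns = sorted({IP_PROTOCOLS[p][1] for p in protos})
    names = ", ".join(f"{p} ({IP_PROTOCOLS[p][0]})" for p in protos)
    # An ICMP protocol-unreachable is sent by the host whose IP stack had no
    # handler for the protocol; if that host is the firewall, the packets got
    # there but nothing on the firewall accepted them.
    self_generated = all(h["src"] == firewall_ip for h in hits)
    if self_generated:
        message = (f"{firewall_ip} itself rejects IP protocol {names}: the packets reach "
                   f"the firewall, but nothing on it accepts that protocol")
    else:
        message = f"IP protocol {names} is rejected by a host other than {firewall_ip}"
    return {"status": "blocked", "protocols": protos, "vpn": vpns,
            "self_generated": self_generated, "message": message,
            "rules": [r for v in vpns for r in firewall_rules(v, firewall_ip)]}


# Constructed sample based on the lines in the thread; 192.0.2.10 stands in for
# "myIP" (the firewall's external address) and 198.51.100.1 for "remoteIP".
SAMPLE_CAPTURE = """
10:51:00.823238 > 192.0.2.10 > 198.51.100.1: icmp: 192.0.2.10 protocol 47 unreachable
[tos 0xc0]
10:51:03.463238 > gre-proto-0x880B (gre encap)
10:51:03.813238 < gre-proto-0x880B (gre encap)
10:51:03.813238 > 192.0.2.10 > 198.51.100.1: icmp: 192.0.2.10 protocol 47 unreachable
[tos 0xc0]
""".splitlines()

if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE, "192.0.2.10")
    print(result["message"])
    for rule in result.get("rules", []):
        print(rule)
```

Run against the sample it reports that the firewall itself is rejecting protocol 47 (GRE, the PPTP data channel) and prints a TCP 1723 rule plus a "-p 47" rule for the external address. Two caveats a practitioner should keep in mind: the protocol-unreachable comes from the IP stack, not from an ipchains REJECT, so an input rule on its own only helps where the input chain was dropping GRE; for masqueraded clients the GRE packets also have to be claimed by a module that understands PPTP, which is why the thread points at ip_masq_pptp and the vpn-masq-howto.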