[ale] Poptop

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 14 09:22:33 EST 2006


On Tue, 2006-03-14 at 08:43 -0500, Christopher Fowler wrote:
> On Tue, 2006-03-14 at 08:28, Geoffrey wrote:
> 
> > # PPTP for vpn
> > 
> > VPN_SVR=XXX.XXX.XXX.XXX
> > 
> > $IPCHAINS -A forward -j MASQ   -p tcp -s 172.16.10.215/32 \
> >      -d $VPN_SVR/32 1723 -i ppp0
> > $IPCHAINS -A output  -j ACCEPT -p tcp -s $IPADDR/24 \
> >      -d $VPN_SVR/32 1723 -i ppp0
> > $IPCHAINS -A input   -j ACCEPT -p tcp -s $VPN_SVR/32 1723 \
> >      -d $IPADDR/24  -i ppp0
> > $IPCHAINS -A forward -j MASQ   -p 47  -s 172.16.10.215/32      \
> >      -d $VPN_SVR/32      -i ppp0
> > $IPCHAINS -A output  -j ACCEPT -p 47  -s $IPADDR/24 \
> >      -d $VPN_SVR/32      -i ppp0
> > $IPCHAINS -A input   -j ACCEPT -p 47  -s $VPN_SVR/32     \
> >      -d $IPADDR/24  -i ppp0
> > 
> > I also recall that I had some modules that had to be loaded as well, but 
> > don't recall the specifics of them either. (gre??)
> > 

> That is correct.  And that is the problem.  At the remote sites I do not
> control nor own the firewall.  It could be a PIX firewall, or a LinkSys
> router from BestBuy.  I was hoping poptop could be NAT'ed like any other
> protocol like http or ssh.  That would mean that almost all routers
> would support the implementation.  If I could narrow it down to some
> supported routers then maybe I could tell the customers to buy new
> equipment.  A customer with a LinkSys router is very reluctant to pony
> up the cash for a PIX.  In their eyes they both do the same thing.

	Then your best bet is going to be IPSec NAT-T, which is the modern VPN
for Windows XP anyways (at least for SP2, which you should be running
anyways - I think it was in the "Advanced Network Pack" for XP prior to
SP1 but I could be mistaken).  That runs over 4500/udp and initiates
over 500/udp (ISAKMP/IKE) and talks with OpenSWAN / FreeSWAN /
StrongSWAN and IPSec-Tools.  But one end or the other is still going to
have to be reachable from the global unicast address.  If you can't
control that far end, you will have to set up a passthrough on your end
for port 500 (and possibly 4500, although it might handle that mapping
automatically from the negotiation over port 500) udp.

	You might get OpenVPN to work as well, but that will require third
party software on your XP clients.  XP should already have IPSec NAT-T
and merely needs to be configured on those XP clients.  Depending on
your needs (like large numbers of clients and high traffic) OpenVPN does
not scale as well as IPSec, either.

	Mike

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
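Added example, not part of the post above: a small classifier that parses constructed packets and shows why the two VPNs in this thread behave differently behind a cheap NAT router. PPTP's data path is GRE (IP protocol 47, RFC 2637), which carries only a call ID and no ports, while IPSec NAT-T rides on UDP 500 and UDP 4500 (RFC 3948), which any port-based NAT can track. Header layouts follow the RFCs; the sample packets and addresses are made up.

```python
"""Classify the VPN traffic discussed in the thread: PPTP (TCP 1723 control
plus GRE/47 data, RFC 2637) versus IPsec NAT-T (UDP 500 IKE, UDP 4500 per
RFC 3948). Packets are constructed inline; no capture is read."""
import struct

PPTP_CTRL, IKE, NAT_T = 1723, 500, 4500

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options) in front of payload; checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def classify(pkt):
    """Return (label, nat_keyable): can a port-based NAT track this flow?"""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (6, 17):                       # TCP / UDP: ports present
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6 and PPTP_CTRL in (sport, dport):
            return ("pptp-control", True)
        if proto == 17 and IKE in (sport, dport):
            return ("ike", True)
        if proto == 17 and NAT_T in (sport, dport):
            # RFC 3948: four zero bytes after UDP = IKE, otherwise an ESP SPI
            body = l4[8:]
            return ("ike-natt" if body[:4] == b"\0\0\0\0" else "esp-natt", True)
        return ("other-%d" % proto, True)
    if proto == 47:                            # GRE: no ports at all
        flags, ptype = struct.unpack("!HH", l4[:4])
        if ptype == 0x880B:                    # PPP in enhanced GRE (PPTP)
            call_id = struct.unpack("!H", l4[6:8])[0]   # only a 16-bit call ID
            return ("pptp-gre-call-%d" % call_id, False)
        return ("gre", False)
    if proto == 50:                            # raw ESP, same problem as GRE
        return ("esp", False)
    return ("proto-%d" % proto, False)

if __name__ == "__main__":
    src, dst = b"\xac\x10\x0a\xd7", b"\xc0\x00\x02\x01"   # constructed addresses
    samples = [
        build_ipv4(6, src, dst, struct.pack("!HH", 40000, PPTP_CTRL) + b"\0" * 16),
        build_ipv4(47, src, dst, struct.pack("!HHHH", 0x3001, 0x880B, 0, 7)),
        build_ipv4(17, src, dst, struct.pack("!HHHH", NAT_T, NAT_T, 16, 0) + b"\0\0\0\0" + b"IKE"),
        build_ipv4(17, src, dst, struct.pack("!HHHH", NAT_T, NAT_T, 16, 0) + b"\x00\x00\x12\x34" + b"ESP"),
    ]
    for p in samples:
        print(classify(p))
```

Only the GRE leg reports as not NAT-keyable, which is the practical reason a LinkSys-class router needs a PPTP-specific helper while NAT-T needs none.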
