Re: [Nolug] VPN and iptables/NAT

From: -ray <ray_at_ops.selu.edu>
Date: Sun, 23 Nov 2003 12:26:24 -0600 (CST)
Message-ID: <Pine.LNX.4.44.0311231206260.583-100000@romulus.csd.selu.edu>

On Sun, 23 Nov 2003, Brad N Bendily wrote:

> On Sat, 22 Nov 2003, Andrew S. Johnson wrote:
>
> > Has anyone configured iptables/NAT to allow a windows VPN
> > client on a private subnet to talk to a VPN server on the internet
> > through a Linux box?
> >
> > It works when connected directly to the DSL modem, but I haven't
> > gotten it to work otherwise.
> >
> > Andy Johnson
>
>
> We do this at work with iptables, but not with NAT, so I don't know
> if this will help, but...
>
> You have to allow protocols 50 & 51 and UDP port 500.
> Here is an example of how we have it set up, but without NAT:

Is it a real IPSEC VPN, or are you using MS PPTP? PPTP uses TCP port 1723
and GRE (protocol 47). Remember that the point of VPN is you have
end-to-end security at layer 3, i.e. nothing can tamper with the packets
along the way. NAT, by nature, tampers with the packets.

If you are using PPTP, there is a pptp-conntrack-nat module for Netfilter
in patch-o-matic. I've never used it before, but you might give it a
shot. It's still labeled beta.

http://www.netfilter.org/documentation/pomlist/pom-extra.html#pptp-conntrack-nat

ray
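As an added example (not from this thread, nor Netfilter's own code), the allow-list Brad describes and the PPTP ports ray names, written as a small Python packet classifier with ray's NAT caveat applied: AH is dropped because its integrity check covers the IP header NAT rewrites. The role names, the `nat_forward_decision` policy and the `build_ipv4`/`l4_ports` helpers that construct test packets are this example's own.

```python
import socket
import struct

# Protocol numbers and ports named in the thread
GRE, ESP, AH, TCP, UDP, PPTP_PORT, IKE_PORT = 47, 50, 51, 6, 17, 1723, 500

def classify(pkt: bytes):
    """Return the VPN role of an IPv4 packet, or None if it is not VPN traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == GRE:
        return "pptp-data"  # GRE carries the PPP tunnel of a PPTP session
    if proto in (ESP, AH):
        return "ipsec-esp" if proto == ESP else "ipsec-ah"
    if proto in (TCP, UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == TCP and PPTP_PORT in (sport, dport):
            return "pptp-control"
        if proto == UDP and IKE_PORT in (sport, dport):
            return "ike"
    return None

def nat_forward_decision(pkt: bytes):
    """Emulate the FORWARD allow-list of a NAT box; returns (verdict, reason)."""
    role = classify(pkt)
    if role is None:
        return "DROP", "not VPN traffic"
    if role == "ipsec-ah":
        # AH's integrity check covers the IP header, so the source-address
        # rewrite NAT performs leaves a packet the far end must reject.
        return "DROP", "AH authenticates the IP header; NAT rewrites it"
    if role in ("pptp-data", "ipsec-esp"):
        # No port numbers: address rewriting alone cannot distinguish two inner
        # clients of one server (the reason the pptp-conntrack-nat patch exists).
        return "ACCEPT", role + ": portless, one inner client per server"
    return "ACCEPT", role

def build_ipv4(proto: int, payload: bytes = b"",
               src: str = "192.168.1.10", dst: str = "203.0.113.5") -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def l4_ports(sport: int, dport: int) -> bytes:
    """Constructed TCP/UDP header stub; only the two port fields are inspected."""
    return struct.pack("!HH", sport, dport) + bytes(16)
```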

___________________
Nolug mailing list
nolug@nolug.org
Received on 11/23/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST