Mailinglist Archive: opensuse (4631 mails)

[opensuse] Forward VPN traffic to internal VPN MS server
  • From: "Arthur Odekerken" <odekerken@xxxxxxxxx>
  • Date: Sun, 21 Jan 2007 20:21:31 +0100
  • Message-id: <8683311d0701211121m4cde1390o16337e6bb4af2887@xxxxxxxxxxxxxx>
Hi,

I searched the internet for a solution to this problem, but I can't
get it to work.
This is my situation:

- fixed IP on one interface of a Thomson router/modem
- all traffic on the modem is forwarded to an internal server at the
IP address 192.168.254.2
- the server is an opensuse 10.2 server with SuSEfirewall2 enabled
- the server has an IP on a second interface, 192.168.1.100, which is
the internal network
- in the network there is also a VPN MS server with VPN enabled (RAS)

INTERNET <-> MODEM <-> OPENSUSE 10.2 LINUX <-> WINDOWS VPN SERVER

fix ip <-> fix ip / 192.168.254.1 <-> 192.168.254.2 / 192.168.1.100
<-> 192.168.1.1

All I want is to forward all vpn traffic from external clients to the
VPN MS server.
This is what I already checked:

- when I'm connected to the network it is possible to create a VPN
connection, so I know the VPN is working.
- I forwarded port 1723 and 500 over TCP to the IP of the VPN server.
- I also altered the /etc/sysconfig/SuSEfirewall2 script so that GRE
(protocol 47) is forwarded.

Now when I try to connect from outside, my Windows client gets stuck at
"Busy checking username and password" and ends in error 721 after a
while.

Also when I try to connect I can read this info from the
/var/log/firewall logfile:
Jan 21 20:07:36 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29457 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15089 PROTO=TCP SPT=1723 DPT=2370 WINDOW=16384 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=196 TOS=0x00 PREC=0x00 TTL=119 ID=29458 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16560 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=196 TOS=0x00 PREC=0x00 TTL=127 ID=15090 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65379 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=208 TOS=0x00 PREC=0x00 TTL=119 ID=29459 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16404 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=15091 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65211 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=119 ID=29460 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16372 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:37 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=15092 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65187 RES=0x00 ACK URGP=0
Jan 21 20:08:11 balrog kernel: SFW2-INint-ACC-ALL IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:3c:43:4f:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=238 TOS=0x00 PREC=0x00 TTL=128 ID=15235 PROTO=UDP SPT=138 DPT=138 LEN=218
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=119 ID=29577 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16372 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=188 TOS=0x00 PREC=0x00 TTL=127 ID=15247 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65171 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=119 ID=29578 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16224 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=15248 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65155 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=29580 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16208 RES=0x00 ACK FIN URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=15249 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65155 RES=0x00 ACK FIN URGP=0
Jan 21 20:08:14 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=29581 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16208 RES=0x00 ACK URGP=0

But also this:

Jan 21 19:55:47 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=25402 DF PROTO=TCP SPT=2325 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jan 21 19:55:47 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25406 PROTO=47
Jan 21 19:55:49 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25409 PROTO=47
Jan 21 19:55:52 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25413 PROTO=47
Jan 21 19:55:56 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25418 PROTO=47
Jan 21 19:56:00 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25422 PROTO=47
Jan 21 19:56:08 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25434 PROTO=47

In my config file I have the following:

# ALLOW HTTPS, ISAKMP AND PPTP TRAFFIC TO SBS
FW_FORWARD_MASQ="0/0,192.168.1.1,tcp,443,443,192.168.254.2
0/0,192.168.1.1,tcp,1723,1723,192.168.254.2
0/0,192.168.1.1,udp,500,500,192.168.254.2"

FW_SERVICES_EXT_IP="gre"
FW_SERVICES_INT_IP="gre"
FW_SERVICES_DMZ_IP="gre"

because there is info that says:
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)

I also tried to add the following rules in
/etc/sysconfig/scripts/SuSEfirewall2-custom:

iptables -A PREROUTING -t nat -p gre -d 192.168.254.2 -j DNAT --to-destination 192.168.1.1
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d 192.168.254.2 -j DNAT --to-destination 192.168.1.1:1723

also without success...

I must be doing something wrong.
Can anybody help me?

Thanks,
Arthur
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
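As an added example (not part of the post, and not SuSEfirewall2's own tooling), a small Python script that parses SuSEfirewall2 kernel log lines in the format shown above and flags the pattern visible in them: TCP/1723 is accepted in both forward chains while IP protocol 47 (GRE) hits the default DROP of the external forward chain. The sample lines are the post's own excerpts, re-joined onto single lines; the chain-name convention SFW2-<chain>-<action>-<rule> is taken from those lines.

```python
import re
from collections import Counter

# Constructed sample (values copied from the post's log excerpts): PPTP control
# traffic on TCP/1723 is forwarded both ways, but GRE (protocol 47) is dropped.
SAMPLE_LOG = """\
Jan 21 20:07:36 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29457 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15089 PROTO=TCP SPT=1723 DPT=2370 WINDOW=16384 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
Jan 21 19:55:47 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25406 PROTO=47
Jan 21 19:55:49 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25409 PROTO=47
"""

# SFW2-<chain>-<action>-<rule>; the chain part is empty in the "SFW2--ACC-MASQ" form
LOG_RE = re.compile(r"kernel: SFW2-(?P<chain>\w*)-(?P<action>ACC|DROP)-(?P<rule>\w+)\s+(?P<rest>.*)")

def parse_line(line):
    """Return chain, action and the fields of one SFW2 log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    proto = fields.get("PROTO", "")
    if proto == "47":          # non-TCP/UDP protocols are logged by number; 47 is GRE
        proto = "GRE"
    return {"chain": m.group("chain"), "action": m.group("action"),
            "proto": proto, "sport": fields.get("SPT"), "dport": fields.get("DPT")}

def pptp_forward_counts(log_text):
    """Count ACC/DROP per PPTP component (TCP/1723 control, GRE data) in FORWARD chains."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["chain"].startswith("FWD"):
            continue
        if rec["proto"] == "GRE":
            counts[("GRE", rec["action"])] += 1
        elif rec["proto"] == "TCP" and "1723" in (rec["sport"], rec["dport"]):
            counts[("TCP/1723", rec["action"])] += 1
    return counts

def diagnose_pptp(log_text):
    """Describe the 'control channel passes, tunnel never comes up' pattern, if present."""
    c = pptp_forward_counts(log_text)
    if c[("TCP/1723", "ACC")] and c[("GRE", "DROP")] and not c[("GRE", "ACC")]:
        return ("TCP/1723 is forwarded but GRE (protocol 47) is dropped in the FORWARD "
                "chain: the PPTP control session completes, the tunnel data never passes")
    return None
```

Run it against a copy of /var/log/firewall to see whether GRE is ever accepted in a FWD chain; a forward rule for protocol 47 only counts once an ACC line for it appears there.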
