Hello Rainer, this is protocol number 47, NOT port 47!!! As you already noticed, this goes along with tcp or udp or icmp; other VPN connections use ESP (protocol no. 50) and/or AH (proto 51). Have a look at the /etc/protocols file for a short definition. If you are using the GRE protocol, you are using L2TP, then?

Generally speaking, it is very difficult to get a VPN running over a NAT gateway, so the most common setup is not to do NAT and to use proxies instead. (You don't need NAT for a VPN.) Otherwise, if you really have to do NAT for some internal application to reach the Internet, then you should set up a separate VPN gateway: one machine does NAT/firewall/Internet access, the other is for VPN communications.

For configuration of SuSEfirewall2 I advise you to have a look at the FW_SERVICES_EXTERNAL_IP parameter, where you should have 47 or GRE as the value. Or, since you could place a VPN gateway in the DMZ as well, you would then use FW_SERVICES_DMZ_IP instead.

HTH,
Philipp Rusch

Rainer Hofmeister wrote:
Hi,
I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.
Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
I opened the following ports in FW_MASQ_NETS:
10.0.0.0/24,0/0,tcp,1723
10.0.0.0/24,0/0,udp,1723
10.0.0.0/24,0/0,tcp,47
10.0.0.0/24,0/0,udp,47
10.0.0.0/24,0/0,udp,500
This didn't work. I read somewhere that the communication over port 47 is not TCP or UDP but GRE. Since I can't set that in SuSEfirewall2, I tried to open up the complete network by using:
10.0.0.0/8
This didn't help, either. Connecting the Win2K machine directly to the ISDN router works so there seems to be no problem with its configuration.
Is it possible to configure VPN over SuSEfirewall2 at all? If yes, what am I doing wrong?
Best regards, Rainer
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
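The protocol-versus-port point made in the reply above, as an added example that is not part of the thread and not code from SuSEfirewall2: a small POSIX sh linter for entries in the "src,dst,proto[,port]" form used in the quoted FW_MASQ_NETS list. It flags "tcp,47"/"udp,47" (an IP protocol number written where a TCP/UDP port belongs), rejects a port field on GRE/ESP/AH/ICMP (they carry no ports), and prints the iptables FORWARD rule each entry amounts to, so that "-p 6 --dport 47" is visibly not GRE. The function names, the inline protocol table (numbers as in /etc/protocols) and the sample entries are mine; whether the SuSEfirewall2 shipped with SuSE 7.3 accepts "gre" or "47" in the FW_MASQ_NETS protocol field is not something the thread settles, so the "corrected" list is an assumption about the intended shape, not a tested SuSEfirewall2 configuration.

```shell
#!/bin/sh
# Added example, not code from the list thread or from SuSEfirewall2.
# Lints "src,dst,proto[,port]" entries: GRE is IP protocol 47, not port 47.
# The protocol table below is constructed inline (values as in /etc/protocols)
# so the script runs offline.

# proto_number NAME|NUMBER -> prints the IP protocol number; status 1 if unknown
proto_number() {
    case "$1" in
        icmp|1)  echo 1 ;;
        tcp|6)   echo 6 ;;
        udp|17)  echo 17 ;;
        gre|47)  echo 47 ;;
        esp|50)  echo 50 ;;
        ah|51)   echo 51 ;;
        *)       return 1 ;;
    esac
}

# split_entry "src,dst,proto[,port]" -> sets SRC DST PROTO PORT (PORT may be empty)
split_entry() {
    _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    SRC=$1; DST=$2; PROTO=$3; PORT=$4
}

# check_masq_entry ENTRY -> prints one verdict, returns 0 only for "ok":
#   ok                     usable entry
#   bad-proto              protocol name/number not in the table
#   port-as-proto          tcp/udp with "port" 47, 50 or 51: a protocol number
#                          written where a port belongs (the mistake quoted above)
#   port-on-non-transport  GRE/ESP/AH/ICMP have no ports, so a port is meaningless
check_masq_entry() {
    split_entry "$1"
    num=$(proto_number "$PROTO") || { echo bad-proto; return 1; }
    case "$num" in
        6|17)
            case "$PORT" in
                47|50|51) echo port-as-proto; return 1 ;;
            esac
            echo ok ;;
        *)
            if [ -n "$PORT" ]; then echo port-on-non-transport; return 1; fi
            echo ok ;;
    esac
}

# masq_rule ENTRY -> prints the iptables FORWARD rule the entry amounts to
masq_rule() {
    split_entry "$1"
    num=$(proto_number "$PROTO") || return 1
    if [ -n "$PORT" ]; then
        echo "iptables -A FORWARD -s $SRC -d $DST -p $num --dport $PORT -j ACCEPT"
    else
        echo "iptables -A FORWARD -s $SRC -d $DST -p $num -j ACCEPT"
    fi
}

# lint_masq_nets "ENTRY ENTRY ..." -> one line per entry "<entry> <verdict>";
# returns 1 if any entry is not ok
lint_masq_nets() {
    rc=0
    for e in $1; do
        v=$(check_masq_entry "$e") || rc=1
        echo "$e $v"
    done
    return $rc
}

# Constructed sample: the entries from the quoted config, and an assumed
# corrected pair (PPTP control channel on TCP 1723, GRE as a protocol, no port).
ORIGINAL='10.0.0.0/24,0/0,tcp,1723 10.0.0.0/24,0/0,udp,1723 10.0.0.0/24,0/0,tcp,47 10.0.0.0/24,0/0,udp,47 10.0.0.0/24,0/0,udp,500'
CORRECTED='10.0.0.0/24,0/0,tcp,1723 10.0.0.0/24,0/0,gre'

lint_masq_nets "$ORIGINAL" || true
lint_masq_nets "$CORRECTED" && for e in $CORRECTED; do masq_rule "$e"; done
```

Running the file prints a verdict for every entry of the quoted list (the two "47" entries come back as port-as-proto) and then the FORWARD rules for the corrected pair. One caveat the rules alone do not cover: GRE has no port numbers for a NAT box to rewrite, so masquerading PPTP additionally needs the kernel's PPTP connection-tracking and NAT helpers (ip_conntrack_pptp/ip_nat_pptp for the 2.4-era kernels, then an out-of-tree patch-o-matic addition; nf_conntrack_pptp/nf_nat_pptp in current kernels). That, rather than the rule syntax, is the practical reason behind the advice above to keep the VPN path off the NAT box or to give it its own gateway.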