Hi,

I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using a SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.

Is there a way to configure the firewall to allow VPN connections from the Win2K machine?

I opened the following ports in FW_MASQ_NETS:

10.0.0.0/24,0/0,tcp,1723
10.0.0.0/24,0/0,udp,1723
10.0.0.0/24,0/0,tcp,47
10.0.0.0/24,0/0,udp,47
10.0.0.0/24,0/0,udp,500

This didn't work. I read somewhere that the communication over port 47 is not tcp or udp but gre. Since I can't set that in SuSEfirewall2 I tried to open up the complete network by using:

10.0.0.0/8

This didn't help, either. Connecting the Win2K machine directly to the ISDN router works, so there seems to be no problem with its configuration.

Is it possible to configure VPN over SuSEfirewall2 at all? If yes, what am I doing wrong?

Best regards,
Rainer
Hello Rainer,

this is protocol number 47, NOT PORT 47!!!

As you already noticed, this goes along with tcp or udp or icmp; other VPN connections use ESP (protocol no. 50) and/or AH (proto 51). Have a look at the /etc/protocols file for a short definition. If using the GRE protocol, you are using L2TP, then?

Generally speaking it is a great difficulty to get a VPN running over a NAT gateway, so the most common setup is not to do NAT and use proxies instead. (You don't need to NAT for a VPN.) Otherwise, if you really ought to do NAT for some internal application to reach the internet, then you should set up a separate VPN gateway. One machine does NAT/Firewall/Internet access, the other is for VPN communications.

For configuration of SuSEfirewall2 I advise you to have a look at the FW_SERVICES_EXTERNAL_IP parameter, where you should have 47 or GRE as value. OR, as you could place a VPN gateway in the DMZ as well, you would then use FW_SERVICES_DMZ_IP instead.

HTH,
Philipp Rusch

Rainer Hofmeister wrote:
Hi,
I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using a SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.
Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
I opened the following ports in FW_MASQ_NETS:
10.0.0.0/24,0/0,tcp,1723
10.0.0.0/24,0/0,udp,1723
10.0.0.0/24,0/0,tcp,47
10.0.0.0/24,0/0,udp,47
10.0.0.0/24,0/0,udp,500
This didn't work. I read somewhere that the communication over port 47 is not tcp or udp but gre. Since I can't set that in SuSEfirewall2 I tried to open up the complete network by using:
10.0.0.0/8
This didn't help, either. Connecting the Win2K machine directly to the ISDN router works, so there seems to be no problem with its configuration.
Is it possible to configure VPN over SuSEfirewall2 at all? If yes, what am I doing wrong?
Best regards,
Rainer
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
this is protocol number 47, NOT PORT 47!!!
As you already noticed, this goes along with tcp or udp or icmp; other VPN connections use ESP (protocol no. 50) and/or AH (proto 51).
Have a look at the /etc/protocols file for a short definition. If using the GRE protocol, you are using L2TP, then?
Just as a side note, SuSEfirewall doesn't support pptp traffic. It can be compiled as a beta version into IPTABLES. So if that's what you're trying, don't waste your breath. If you feel brave, go get the latest pom patch from netfilter.org and install the pptp masquerading patch. Note this only supports one connection at a time.

With regards to L2TP I'm not sure what this implementation requires. Note protocol 47 and the GRE protocol are the same thing.

I've been trying to support this for a while, with no stable solution, so basically I'm using a freeswan IPSEC firewall via my internet gateways. FreeSwan is included in your SuSE distro. If you feel real brave, get a 2.5.50 kernel and compile the IPSEC modules.
On Thu, Feb 06, 2003 at 09:16:03PM +0100, Philipp Rusch wrote:
this is protocol number 47, NOT PORT 47!!!
Have a look at the /etc/protocols file for a short definition. If using the GRE protocol, you are using L2TP, then?
Generally speaking it is a great difficulty to get a VPN running over a NAT gateway, so the most common setup is not to do NAT and use proxies instead. (You don't need to NAT for a VPN.)

Sometimes you have to, anyways, if you don't have control of all partners. :(

Otherwise, if you really ought to do NAT for some internal application to reach the internet, then you should set up a separate VPN gateway. One machine does NAT/Firewall/Internet access, the other is for VPN communications.

What if you have exactly one external IP?
For configuration of SuSEfirewall2 I advise you to have a look at the FW_SERVICES_EXTERNAL_IP parameter, where you should have 47 or GRE as value. OR, as you could place a VPN gateway in the DMZ as well, you would then use FW_SERVICES_DMZ_IP instead.
Yes. And:
Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
I opened the following ports in FW_MASQ_NETS:
10.0.0.0/24,0/0,udp,1723
AFAICR, for L2TP, this was 1701, not 1723?

Lars
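Philipp's point that 47 is an IP protocol number rather than a port, and Lars's that L2TP uses 1701 rather than 1723, can be turned into a quick sanity check of the FW_MASQ_NETS entries from the first post. This is an added example for the thread, not part of SuSEfirewall2 or of anyone's post; it assumes only the src_net,dst_net,proto,port field order shown in the post and the standard assignments (PPTP: tcp/1723 plus GRE; L2TP/IPsec: udp/1701, IKE udp/500, ESP protocol 50).

```python
"""Sanity-check FW_MASQ_NETS-style entries (src_net,dst_net,proto,port, the
field order used in the post) against what PPTP and L2TP/IPsec need on the
wire.  Added example for this thread, not part of SuSEfirewall2."""

# IP protocol numbers as listed in /etc/protocols; these are NOT tcp/udp ports.
IP_PROTOCOLS = {47: "gre", 50: "esp", 51: "ah"}

# Per VPN flavour: tcp/udp ports a masquerading port rule can express, and
# raw IP protocols it cannot (those need a protocol-level rule on the gateway).
VPN_NEEDS = {
    "pptp":       {"ports": {("tcp", 1723)},               "protos": {"gre"}},
    "l2tp/ipsec": {"ports": {("udp", 1701), ("udp", 500)}, "protos": {"esp"}},
}

def parse_entry(entry):
    """Split 'src,dst,proto,port' into a tuple; raise ValueError if malformed."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected src,dst,proto,port: {entry!r}")
    src, dst, proto, port = fields
    if proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"transport must be tcp or udp: {entry!r}")
    return src, dst, proto.lower(), int(port)

def check_entries(entries):
    """Return (warnings, report).  warnings: entries that use an IP protocol
    number where a port belongs.  report: per VPN flavour, the port rules
    still missing and the IP protocols that no port rule can cover."""
    opened, warnings = set(), []
    for entry in entries:
        _src, _dst, proto, port = parse_entry(entry)
        opened.add((proto, port))
        if port in IP_PROTOCOLS:
            warnings.append(f"{entry}: {port} is the number of IP protocol "
                            f"{IP_PROTOCOLS[port]}; a {proto} port rule never matches it")
    report = {name: {"missing_ports": sorted(need["ports"] - opened),
                     "needs_ip_protocols": sorted(need["protos"])}
              for name, need in VPN_NEEDS.items()}
    return warnings, report

if __name__ == "__main__":
    posted = ["10.0.0.0/24,0/0,tcp,1723", "10.0.0.0/24,0/0,udp,1723",
              "10.0.0.0/24,0/0,tcp,47", "10.0.0.0/24,0/0,udp,47",
              "10.0.0.0/24,0/0,udp,500"]          # the five entries from the post
    warns, rep = check_entries(posted)
    print("\n".join(warns))
    for name, r in rep.items():
        print(f"{name}: missing ports {r['missing_ports']}, "
              f"still needs IP protocol(s) {r['needs_ip_protocols']}")
```

Run against the posted entries it flags both port-47 lines and shows that PPTP's port side is complete but GRE still needs a protocol rule, while L2TP/IPsec lacks udp/1701 and ESP.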
Hello,

in my apache log I find

**.**.***.*** - - [08/Feb/2003:21:23:46 +0100] "GET http://irc.stealth.net:5558/ HTTP/1.1" 200 362

What is happening here? I don't host an irc server. How can apache return a page that does not exist but is a website or irc server (as judged by the 200 response)? Is this an error in my setup?

Thanks,
Ruud
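The request line Ruud quotes carries an absolute URL (scheme, host and port) as its target, which is the form a client sends to a proxy rather than to an origin server. The following added example (mine, not from the thread) scans Apache access-log lines in the common/combined format for such requests so they can be reviewed; the client addresses in the sample are constructed, the request itself is the one quoted.

```python
"""Flag proxy-style requests in Apache access logs: request lines whose
target is an absolute URL (scheme://host[:port]/...) instead of a path on
this server.  Added example for this thread; sample log lines are constructed."""
import re
from urllib.parse import urlsplit

# Apache common/combined prefix: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_absolute_target(target):
    """True when the target names a scheme and host, i.e. an absolute URI as a
    client sends it to a forward proxy, not the path form sent to an origin server."""
    parts = urlsplit(target)
    return bool(parts.scheme) and bool(parts.netloc)

def find_proxy_requests(lines):
    """Return (client, host:port, status) for every absolute-URI request.  The
    status shows whether the server refused it (4xx) or answered with something
    (2xx); what it answered has to be checked against the server's configuration."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_absolute_target(rec["target"]):
            hits.append((rec["client"], urlsplit(rec["target"]).netloc, rec["status"]))
    return hits

# Constructed sample: the first line mirrors the quoted entry with a made-up client address.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2003:21:23:46 +0100] "GET http://irc.stealth.net:5558/ HTTP/1.1" 200 362',
    '192.0.2.11 - - [08/Feb/2003:21:24:01 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.12 - - [08/Feb/2003:21:25:12 +0100] "POST /cgi-bin/form?x=1 HTTP/1.0" 302 -',
]

if __name__ == "__main__":
    for client, host, status in find_proxy_requests(SAMPLE_LOG):
        print(f"proxy-style request from {client} for {host} answered {status}")
```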