RE: [suse-security] MS VPN over SuSefirewall2 (7.3)
Hi Rainer,
> I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using a SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.
What do you want to achieve, VPN via PPTP or L2TP?

PPTP uses IP protocol 47 (GRE) and TCP port 1723.
L2TP uses IP protocol 50 and/or 51, UDP port 500 (src/dst) and UDP port 1701 for tunnel maintenance.
> Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
> I opened the following ports in FW_MASQ_NETS:
> 10.0.0.0/24,0/0,tcp,1723 10.0.0.0/24,0/0,udp,1723 10.0.0.0/24,0/0,tcp,47 10.0.0.0/24,0/0,udp,47 10.0.0.0/24,0/0,udp,500
As far as I know L2TP/IPSEC needs a NAT Traversal patch to be usable with masquerading. I'm using both PPTP and L2TP, but with official IPs and without masquerading, and my FW_FORWARD rules are as follows:

a.b.c.d ==> W2K-Server with RRAS
0/0 ==> Mobile VPN Clients (W2K)

PPTP first:

FW_FORWARD="a.b.c.d/32,0/0,47 0/0,a.b.c.d/32,47 \
a.b.c.d/32,0/0,tcp,1024:65535 0/0,a.b.c.d/32,tcp,1723"

and now L2TP:

FW_FORWARD="a.b.c.d/32,0/0,50 0/0,a.b.c.d/32,50 \
a.b.c.d/32,0/0,udp,500 0/0,a.b.c.d/32,udp,500"

You don't need a rule for UDP port 1701 because all the tunnel maintenance will be done within the ESP packets and the Linux fw won't see these - they are encrypted.

By the way, you don't mention the use of certificates, so I believe you are going to do the simpler PPTP VPN.

To raise the security level of the network it is a good idea to do input and output filtering at the VPN server - only accept the packets you need for the VPN at the network card connecting to the firewall. Just in case the firewall gets compromised.
> Is it possible to configure VPN over SuSEfirewall2 at all? If yes, what am I doing wrong?
VPN over SuSEfirewall2 is no big deal if you are using official IPs. I think VPN via PPTP is possible with masquerading, but I don't do it this way and so I'm not much help here. L2TP/IPSEC is not so easy, because the Microsoft implementation needs digital certificates AND you have the problem with the masquerading.
> Best regards, Rainer
Best of luck,
Ronald
--
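An added example, not from this thread or from SuSEfirewall2 itself: a small Python linter for the "src,dst[,proto[,port]]" entries used in FW_MASQ_NETS and FW_FORWARD. It flags the mistake in the question's rules (GRE, IP protocol 47, written as a TCP/UDP port) and port numbers outside 1..65535; the field layout is assumed from the rules quoted above, and the sample value is constructed from the question's FW_MASQ_NETS line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP_PROTOCOLS = {"47": "GRE", "50": "ESP", "51": "AH"}  # IP protocols, not ports

@dataclass
class Rule:
    src: str
    dst: str
    proto: Optional[str] = None  # "tcp", "udp" or an IP protocol number
    port: Optional[str] = None   # single port or "low:high" range

def parse_rule(entry: str) -> Rule:
    """Split one 'src,dst[,proto[,port]]' entry into its fields (assumed layout)."""
    return Rule(*entry.strip().split(","))

def valid_net(net: str) -> bool:
    """True for a CIDR network or '0/0', the SuSEfirewall2 shorthand for 'anywhere'."""
    try:
        return net == "0/0" or ipaddress.ip_network(net, strict=False) is not None
    except ValueError:
        return False

def lint_rule(entry: str) -> list[str]:
    """Return the problems found in one entry (empty list means it looks fine)."""
    r = parse_rule(entry)
    problems = [f"{n!r} is not a valid network" for n in (r.src, r.dst) if not valid_net(n)]
    if r.proto in IP_PROTOCOLS and r.port is not None:
        problems.append(f"{IP_PROTOCOLS[r.proto]} (protocol {r.proto}) has no ports; drop {r.port!r}")
    elif r.proto in ("tcp", "udp") and r.port is not None:
        # The question's 'tcp,47': GRE is IP protocol 47 and is written 'src,dst,47', no port.
        if r.port in IP_PROTOCOLS:
            problems.append(f"{r.proto} port {r.port} looks like IP protocol {r.port} "
                            f"({IP_PROTOCOLS[r.port]}); write '{r.src},{r.dst},{r.port}'")
        for p in r.port.split(":"):  # iptables rejects ports above 65535
            if not (p.isdigit() and 1 <= int(p) <= 65535):
                problems.append(f"port {p!r} is outside 1..65535")
    return problems

def lint_rules(value: str) -> dict[str, list[str]]:
    """Lint every whitespace-separated entry of a FW_MASQ_NETS or FW_FORWARD value."""
    return {e: lint_rule(e) for e in value.split()}

# Constructed sample: the FW_MASQ_NETS entries from the question above.
SAMPLE = ("10.0.0.0/24,0/0,tcp,1723 10.0.0.0/24,0/0,udp,1723 "
          "10.0.0.0/24,0/0,tcp,47 10.0.0.0/24,0/0,udp,47 10.0.0.0/24,0/0,udp,500")
```

Running `lint_rules(SAMPLE)` reports only the two `47` entries; the GRE rule has to be `10.0.0.0/24,0/0,47` with no port field.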
participants (1): Janowsky Ronald (BTMT/EDV)