On Thu, Feb 06, 2003 at 09:16:03PM +0100, Philipp Rusch wrote:

> This is protocol number 47, NOT port 47!!!
> Have a look at the /etc/protocols file for a short definition. If using the GRE protocol, you are using L2TP then?
>
> Generally speaking it is a great difficulty to get a VPN running over a NAT gateway, so the most common setup is not to do NAT and use proxies instead. (You don't need to NAT for a VPN.)

Sometimes you have to, anyways, if you don't have control of all partners. :(

> Otherwise, if you really ought to do NAT for some internal application to reach the internet, then you should set up a separate VPN gateway. One machine does NAT/Firewall/Internet access, the other is for VPN communications.

What if you have exactly one external IP?

> For configuration of SuSEfirewall2 I advise you to have a look at the FW_SERVICES_EXTERNAL_IP parameter, where you should have 47 or GRE as value. OR, as you could place a VPN gateway in the DMZ as well, you would then use FW_SERVICES_DMZ_IP instead.

Yes. And:

> > Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
> > I opened the following ports in FW_MASQ_NETS:
> > 10.0.0.0/24,0/0,udp,1723

AFAICR, for L2TP, this was 1701, not 1723?

Lars
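As an added example (not from this thread or from SuSEfirewall2 itself), a small Python checker that takes FW_MASQ_NETS entries in the "source_net,dest_net,protocol,port" form quoted above and reports what a PPTP or plain L2TP tunnel would still be missing: it encodes the point that GRE is IP protocol 47 rather than a port, and that L2TP uses UDP/1701 while PPTP uses TCP/1723. It assumes FW_SERVICES_EXTERNAL_IP holds a whitespace- or comma-separated list of protocol numbers or names such as "47" or "GRE"; that format is an assumption about the parameter, not taken from the thread.

```python
# Constructed example, not from the thread: check FW_MASQ_NETS-style entries
# ("source_net,dest_net,protocol,port", as quoted above) and a
# FW_SERVICES_EXTERNAL_IP-style value against what PPTP and plain L2TP need.
from collections import namedtuple

MasqRule = namedtuple("MasqRule", "src dst proto port")

# Whole IP protocols by name (see /etc/protocols); a port never applies to these.
IP_PROTO_NUMBERS = {"gre": 47, "esp": 50, "ah": 51}

# PPTP: TCP/1723 control channel plus GRE (IP protocol 47, not a port).
# Plain L2TP: UDP/1701 (L2TP over IPsec would additionally need IKE and ESP).
VPN_NEEDS = {
    "pptp": {"ports": [("tcp", 1723)], "ip_protos": [47]},
    "l2tp": {"ports": [("udp", 1701)], "ip_protos": []},
}

def parse_masq_entry(entry):
    """Parse one 'src,dst,proto[,port]' entry; port is None when absent."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) < 3:
        raise ValueError(f"malformed FW_MASQ_NETS entry: {entry!r}")
    port = int(fields[3]) if len(fields) > 3 and fields[3] else None
    return MasqRule(fields[0], fields[1], fields[2].lower(), port)

def parse_ip_protocols(value):
    """Assumed format: whitespace/comma separated numbers or names, e.g. '47 GRE'."""
    numbers = set()
    for token in value.replace(",", " ").split():
        token = token.lower()
        if token.isdigit():
            numbers.add(int(token))
        elif token in IP_PROTO_NUMBERS:
            numbers.add(IP_PROTO_NUMBERS[token])
        else:
            raise ValueError(f"unknown IP protocol: {token!r}")
    return numbers

def missing_for(vpn, masq_entries, ip_proto_value=""):
    """List what the rules still lack for 'pptp' or 'l2tp' (empty list = complete)."""
    opened = {(r.proto, r.port) for r in map(parse_masq_entry, masq_entries)}
    ip_protos = parse_ip_protocols(ip_proto_value)
    needs = VPN_NEEDS[vpn]
    missing = [f"{p}/{port}" for p, port in needs["ports"] if (p, port) not in opened]
    missing += [f"ip-protocol {n}" for n in needs["ip_protos"] if n not in ip_protos]
    return missing

if __name__ == "__main__":
    # The entry quoted in the thread: UDP/1723 alone satisfies neither PPTP nor L2TP.
    print(missing_for("pptp", ["10.0.0.0/24,0/0,udp,1723"]))
```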