Diego_18
Occasional Contributor

IPtables And VPN Masq

Hi, I have an RH 7.1 working with an ADSL connection, as a NAT gateway without a firewall, but when the users of the GW try to access a VPN from the company, only one user can access the VPN connection, and the other users can't.... Does somebody know why this is happening?
Thanks a lot !!!
Diego
5 REPLIES
Mark Bainter
Advisor

Re: IPtables And VPN Masq

Hrm. Most likely this is due to your using NAT. Can you paste up your iptables rules that you have?
Mark Bainter
Advisor

Re: IPtables And VPN Masq

Also, what kind of vpn is it? Commercial? If so which? Does it use IPSEC or PPTP?
Admin32
Advisor

Re: IPtables And VPN Masq

There are issues with VPN and NAT. Depending on your VPN configuration, it might fail.


We have a VPN connection here in the office (Greece) to the US, and in order to allow users to access the VPN, they run through the Linux gateway where NAT-MASQ is performed and then the packets are routed to the VPN hardware interface. The important detail here is that all traffic which is for the VPN MUST pass through the NAT-MASQ device before it hits any VPN hardware/software client.

If you try to route VPN packets through the NAT-MASQ gateway after they have been encrypted by your VPN client, then they will fail, because NAT-MASQ makes changes to the source IP address of the packet and recalculates the IP header checksum; in other words the VPN packet is modified and fails its CRC once it is received on the other end.

Steven E. Protter
Exalted Contributor

Re: IPtables And VPN Masq

Here is a basic iptables configuration.

The last line is commented; it can be uncommented to make the two-interface machine a router/firewall, enabling internet access to users of your internal network via SNAT.

You will have to open port 1723 to add vpn to this configuration.

P
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
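The replies above ask whether the VPN is IPsec or PPTP and note that NAT-MASQ "depending on your VPN configuration, might fail". The following is an added illustration, not code from this thread or from any of the posters, of the mechanism behind the one-user limit: a masquerading gateway multiplexes many inside hosts onto one public address by rewriting TCP/UDP source ports, but PPTP's data channel (GRE, IP protocol 47) and IPsec's ESP (protocol 50) carry no ports, so two inside hosts talking to the same VPN server collapse onto an identical translated flow and the second one cannot be distinguished. The addresses, the toy NAT table and the "helper" mode (which stands in for a connection-tracking helper that rewrites the PPTP call ID as if it were a port) are all constructed for the example and simplified; real netfilter behaviour differs in detail.

```python
"""Toy masquerade (NAPT) table: why port-less VPN protocols let only one
inside host through a plain NAT gateway.  Constructed example only."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GATEWAY_IP = "203.0.113.1"    # assumed public address of the NAT box
VPN_SERVER = "198.51.100.10"  # assumed company VPN concentrator
TCP, GRE, ESP = 6, 47, 50     # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols that carry no ports
    dport: Optional[int] = None


class Masquerader:
    """Minimal NAPT: key on (proto, public port, peer address, peer port)."""

    def __init__(self) -> None:
        self.next_port = 1024
        # translated outbound key -> (inside address, inside port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet; None if no mapping is possible."""
        if pkt.sport is not None:
            # Ported protocol: allocate a fresh public port per inside flow,
            # so any number of inside hosts can share GATEWAY_IP.
            port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, GATEWAY_IP, pkt.dst, port, pkt.dport)
        # Port-less protocol (GRE, ESP): the only reply-match key is
        # (proto, peer), which a second inside host to the same peer reuses.
        key = (pkt.proto, None, pkt.dst, None)
        if key in self.table and self.table[key] != (pkt.src, None):
            return None  # collision: the second user's tunnel cannot be tracked
        self.table[key] = (pkt.src, None)
        return Packet(pkt.proto, GATEWAY_IP, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply from the VPN server back to the inside host."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return None
        inside_addr, inside_port = self.table[key]
        return Packet(pkt.proto, pkt.src, inside_addr, pkt.sport, inside_port)


def simulate(proto: int, helper: bool = False) -> Dict[str, str]:
    """Two inside users open a tunnel to the same VPN server through one NAT box.

    helper=True models a protocol helper that exposes the PPTP call ID as a
    port-like demux value (constructed call IDs 1000/1001 and peer ID 1)."""
    nat = Masquerader()
    results: Dict[str, str] = {}
    for i, host in enumerate(("192.168.1.10", "192.168.1.11")):
        if proto == TCP:
            pkt = Packet(TCP, host, VPN_SERVER, 40000 + i, 1723)  # PPTP control
        elif helper:
            pkt = Packet(proto, host, VPN_SERVER, 1000 + i, 1)   # call IDs as ports
        else:
            pkt = Packet(proto, host, VPN_SERVER)                # bare GRE/ESP
        out = nat.outbound(pkt)
        if out is None:
            results[host] = "blocked"
            continue
        # The server's reply swaps source and destination of what it saw.
        reply = Packet(proto, VPN_SERVER, GATEWAY_IP, out.dport, out.sport)
        back = nat.inbound(reply)
        results[host] = "ok" if back is not None and back.dst == host else "misrouted"
    return results


if __name__ == "__main__":
    for name, proto, helper in (("tcp/1723", TCP, False), ("gre", GRE, False),
                                ("esp", ESP, False), ("gre+helper", GRE, True)):
        print(f"{name:11s} {simulate(proto, helper)}")
```

Running it shows that the TCP control connection to port 1723 works for both users, while the bare GRE or ESP tunnel works only for whichever user started first; the second is blocked at the gateway. This is what a port-based masquerade can and cannot track, and it is why opening port 1723 alone does not get a second PPTP user through: the GRE data channel also has to be forwarded, and the gateway needs a way (a connection-tracking helper for PPTP, or NAT traversal support on the IPsec side) to tell the tunnels apart.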
Steven E. Protter
Exalted Contributor

Re: IPtables And VPN Masq

I'm sorry, I also have two further recommendations.

Do the 7.3 upgrade; it's the last release and is extremely stable.

There is a very good book that helps with a lot of these issues.

Red Hat Linux 7.3 Bible. Though there are some typos in the examples, it's still a very useful book.

It has saved my tush a number of times.
