Hi Brian

On March 9, 2004 00:38, Brian Horncastle wrote:
> Hi all,
>
> Just wondering if anyone has done this and or has any suggestions /
> examples on how to do this.
>
> I need to forward VPN traffic from the Internet, through the Linux box
> (running IPTables), to the W2K VPN Server.
>

What kind of VPN are you attempting to set up - IpSec or PPTP?

> - I have tried forwarding protocols 47, 50, and 51.
> - I have tried forwarding ports 1723 (PPTP), 1701 (L2TP), 500 (ISAKMP)
> using TCP and UDP

In a recent IETF NAT-T draft, they recommend using UDP 4500 for NAT-T, so you may want to try this as well.

> - I understand that L2TP/IPSec does not play nicely with NAT

Correct, however there is a patch available from Microsoft for NAT-T clients. Take a look at http://support.microsoft.com/?kbid=818043

From that document - "Note If you apply the 818043 update to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPSec server in these scenarios. It cannot allow connections from L2TP/IPSec clients when one or more NAT routers is involved. This update is a client-side update only. Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access."

Which to me pretty much says it can't be done under win2k but you never know.

>
> If it's useful I can post what I have done so far... but I think I am
> probably way off.

Have you tried looking at what traffic is getting through, using something like tcpdump, or turned on logging on the firewall and seeing what is being blocked?

>
> At this time I can't replace the W2K Server with alternatives such as Swan.
> I also can't trash the IPTables box in favor of IPCops.
>

You may have better luck using PPTP, but at the cost of reduced security. There are some iptables modules for pptp connection tracking through nat, but I can't say if they will work either.

Martin
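An added example, not part of the message above or of the original thread: a shell function that prints, without applying, iptables rules for the PPTP option discussed in the reply, together with LOG rules for the firewall-logging suggestion. The interface name `eth0`, the server address `192.168.1.10`, the log prefixes and the function names are assumptions; the PPTP connection-tracking modules mentioned in the reply are not loaded here.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it does not apply them.
# Assumed values (not from the thread): WAN interface eth0, VPN server 192.168.1.10.

vpn_forward_rules() {
    wan_if=$1    # Internet-facing interface (assumed name)
    vpn_srv=$2   # internal address of the W2K VPN server (assumed)

    # PPTP control channel (TCP 1723) and tunnel data (GRE, IP protocol 47):
    # rewrite the destination, then allow the rewritten packets through FORWARD.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $vpn_srv"
    echo "iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $vpn_srv"
    echo "iptables -A FORWARD -i $wan_if -d $vpn_srv -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -d $vpn_srv -p 47 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Anything else heading for the VPN server is logged rather than lost silently.
    echo "iptables -A FORWARD -i $wan_if -d $vpn_srv -j LOG --log-prefix 'VPN-FWD-UNMATCHED: '"

    # L2TP/IPsec is not forwarded here. Those packets are addressed to the
    # firewall itself, so log them in INPUT to see what the client attempts.
    for proto in 50 51; do
        echo "iptables -A INPUT -i $wan_if -p $proto -j LOG --log-prefix 'VPN-IPSEC-SEEN: '"
    done
    for port in 500 4500 1701; do
        echo "iptables -A INPUT -i $wan_if -p udp --dport $port -j LOG --log-prefix 'VPN-IPSEC-SEEN: '"
    done
}

# Capture filter for the same PPTP traffic, for use with tcpdump on the WAN side.
vpn_capture_cmd() {
    echo "tcpdump -n -i $1 'tcp port 1723 or ip proto 47'"
}

# Print the rule set and capture command for the assumed values.
vpn_forward_rules eth0 192.168.1.10
vpn_capture_cmd eth0
```

The rules are appended with `-A`, so on a box with an existing rule set they only take effect if no earlier rule drops the traffic first. Matches from the LOG rules appear in the kernel log.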

