Jens Hafner, 2002-Aug-11 17:40 +0200:
> Hi,
>
> I'm trying to connect my Win2k Professional laptop to my company's VPN.
> I am using the "Nortel Extranet Access Client V02_62.33", which uses the
> IPSec protocol. Everything just works fine as long as the laptop is
> directly connected to the Internet (e.g. by a dialup connection). Things
> start to break as soon as I connect the laptop to my private network
> (192.168.0.0/24) whose default gateway is a Debian (woody, kernel
> 2.2.19) box. I configured the gateway to accept protocol 50 packets and
> port 500 connections in the following way:
>
> ----------%<---------------%<-----------------%<---------
> /sbin/ipchains -I input -p udp --dport 500 --sport 500 -j ACCEPT
> /sbin/ipchains -I output -p udp --dport 500 --sport 500 -j ACCEPT
> /sbin/ipchains -I input -p 50 -j ACCEPT
> /sbin/ipchains -I output -p 50 -j ACCEPT
> ----------%<---------------%<-----------------%<---------
>
> I also configured the kernel to masquerade all packets:
>
> ----------%<---------------%<-----------------%<---------
> /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
> ----------%<---------------%<-----------------%<---------
>
> The extranet client always gives me an error message like:
> "BannerSock: The attempt to connect timed out without establishing a
> connection". I couldn't find any documentation covering this case on the
> net. All I found were lots of documents where the Linux box was one end
> of the VPN connection itself, but none covered my case in which the
> Debian box only masquerades and forwards the encrypted packets.
> My questions are: Am I misconfiguring anything?
> I am using the original kernel. Do I need to patch the kernel?
>
> Thanks for your help
>
> Jens
Jens,

I too use the Nortel Client, both the Windows 2000 one and the Linux (Netlock) client. It works perfectly from my private network (192.168.0.0/24) through my gateway. I can even have multiple PCs with a client running at the same time.

The gateway runs Woody 3.0 with a 2.4.18 kernel with iptables. I have 2 NICs, one on the public side connected to a cable modem (eth0) and the other on the private side connected to a hub with some other PCs (eth1).

Here's my NAT policy:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I have some other rules that allow web and ssh, but nothing specified for IPSec. The statefulness of the iptables firewall makes this work perfectly.

I don't know enough about ipchains in the 2.2 kernel to help with that. I can only suggest getting the 2.4 kernel running since that's how it works for me.

jc
-- 
Jeff Coppock
Systems Engineer
Diggin' Debian
Admin and User

