Eric,

In the how-to Charles referred to, read section 6.1. It basically says that you may not be able to masquerade your IPSec connection, based on the AH and ESP protocols that are used. Therein is the problem for connecting to a Win2000 VPN server. Your IS people may be able to find a way around this, but it weakens security. PPTP may be easier for them to configure and it masquerades better, but that goes back to security.
cheers
edt

----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "Eric Friedman" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 14, 2002 11:37 AM
Subject: Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec

> > Third, I know very little about Linux -- largely because I lack
> > experience -- but I was wondering if someone might point me in the right
> > direction on this problem. As an additional bit of information, a guy
> > in the IS department informed me that UDP ports 500 and 1701 would be
> > involved in the solution, but I am not certain how to act on this
> > information in configuring my router.
> >
> > I have begun to look at the ipsec.lrp package available for Dachstein,
> > but I have not been able to use it to solve my problems. I do not know,
> > however, if this is a fault in my configuration of the package or if the
> > package does not support Level 2 Tunneling (L2TP).
>
> You probably don't want the IPSec software running on your firewall. You
> can leave the IPSec client on your windows box, but you'll need masquerading
> support for the IPSec protocol. There's a VPN-Masquerading HOWTO available:
> http://linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html
>
> Basically, you need to load the ip_masq_ipsec masquerade helper module, and
> allow UDP port 500 and IP protocol 50 traffic between your firewall and the
> VPN peer.
>
> For the kernel module, just make sure ip_masq_ipsec.o is in /lib/modules,
> and make sure it's being loaded in /etc/modules.
>
> To setup the firewall rules, you'll need something like:
> EXTERN_UDP_PORTS="0/0_500"
> EXTERN_PROTO0="50 0/0"
>
> NOTE: You can change the 0/0 (the whole internet) to the particular IP
> address(es) of the far end of your VPN system, if there's a short list of
> IP's you'll be connecting to.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
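The thread's two technical points, that AH and ESP behave differently behind a masquerading router (the section 6.1 caveat) and that ESP traffic needs a helper module because it carries no port numbers, can be made concrete with a small model. The script below is an added example written for this page; it is not code from the list posts, the VPN-Masquerade HOWTO, or the ip_masq_ipsec module. It uses a simplified header model rather than the RFC wire formats, and the SA key, addresses and SPIs are constructed values. It does not model how ip_masq_ipsec learns which SPI belongs to which inside host; it only shows why such a table is needed.

```python
"""Why AH breaks behind a masquerading router while ESP can pass, and why ESP
still needs a helper module. Simplified model (added example), not the RFC
wire formats and not the ip_masq_ipsec implementation."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed SA key for the demo; a real key is negotiated by IKE over UDP 500.
SA_KEY = b"constructed-demo-sa-key"

PRIVATE_CLIENT = "192.168.1.10"   # constructed: PC behind the LEAF box
FIREWALL_IP = "198.51.100.1"      # constructed: firewall's external address
VPN_SERVER = "203.0.113.5"        # constructed: Win2k VPN server


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH (IP proto 51) authenticates the immutable parts of the IP header,
    including both addresses, plus the payload. Mutable fields are omitted."""
    addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(SA_KEY, addrs + payload, hashlib.sha256).digest()[:12]


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP (IP proto 50) authenticates only SPI, sequence number and the
    encrypted payload; the outer IP header is not covered."""
    hdr = struct.pack("!II", spi, seq)
    return hmac.new(SA_KEY, hdr + payload, hashlib.sha256).digest()[:12]


def masquerade(pkt: dict) -> dict:
    """What the firewall does to every outbound packet: rewrite the private
    source address to its own. Nothing else in the packet changes."""
    out = dict(pkt)
    out["src"] = FIREWALL_IP
    return out


def ah_packet(payload: bytes) -> dict:
    pkt = {"src": PRIVATE_CLIENT, "dst": VPN_SERVER, "payload": payload}
    pkt["icv"] = ah_icv(pkt["src"], pkt["dst"], payload)
    return pkt


def esp_packet(spi: int, seq: int, payload: bytes) -> dict:
    pkt = {"src": PRIVATE_CLIENT, "dst": VPN_SERVER,
           "spi": spi, "seq": seq, "payload": payload}
    pkt["icv"] = esp_icv(spi, seq, payload)
    return pkt


def ah_verify(pkt: dict) -> bool:
    """The VPN server's check: recompute over the addresses it actually sees."""
    return hmac.compare_digest(ah_icv(pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


def esp_verify(pkt: dict) -> bool:
    return hmac.compare_digest(esp_icv(pkt["spi"], pkt["seq"], pkt["payload"]), pkt["icv"])


def ah_survives_masquerade() -> bool:
    return ah_verify(masquerade(ah_packet(b"l2tp frame")))


def esp_survives_masquerade() -> bool:
    return esp_verify(masquerade(esp_packet(0x1000, 1, b"l2tp frame")))


class EspMasqTable:
    """Minimal stand-in for what a masquerade helper must keep: ESP has no
    port numbers, so returning packets can only be steered to an inside host
    by SPI. How ip_masq_ipsec learns the mapping is not modelled here."""

    def __init__(self):
        self.by_spi = {}

    def learn(self, inbound_spi: int, inside_host: str) -> None:
        self.by_spi[inbound_spi] = inside_host

    def route_inbound(self, spi: int):
        """Inside host for an ESP packet arriving at the firewall, or None
        if the SPI is unknown (the packet cannot be delivered)."""
        return self.by_spi.get(spi)


def demo_demux() -> tuple:
    table = EspMasqTable()
    table.learn(0xA1, "192.168.1.10")
    table.learn(0xB2, "192.168.1.11")
    return (table.route_inbound(0xA1), table.route_inbound(0xB2), table.route_inbound(0xC3))


if __name__ == "__main__":
    print("AH verifies after masquerade: ", ah_survives_masquerade())   # False
    print("ESP verifies after masquerade:", esp_survives_masquerade())  # True
    print("inbound ESP by SPI:", demo_demux())
```

Run it and the AH packet fails verification the moment the firewall rewrites the source address, which is the reason the HOWTO's section 6.1 warns that an IPSec peer using AH cannot sit behind a masquerading box. The ESP packet still verifies, so protocol 50 can be passed, but with no port field the firewall needs the SPI table a helper such as ip_masq_ipsec maintains, and an ESP packet arriving with an unknown SPI has nowhere to go.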
