Hi folks, I want to make sure I understand what Dennis was trying to do (and successfully achieved, way to go Dennis!), because I think I'd like to do the same. He wants to be able to VPN to his company's office LAN from his home LAN, in which he's behind a LEAF box... do I have that right? He, in effect, had to load IPSec to his LEAF box, and then open a port in order to be able to connect. Is that right??? Thanks... and HAPPY NEW YEAR!!!
Best Regards,
Craig

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Christilaw
Sent: Monday, December 30, 2002 7:20 PM
To: 'Lynn Avants'
Cc: 'leaf-user'
Subject: RE: [leaf-user] VPN/Port Mapping...

SUCCESS!!! WHOOOOOO!!! I finally figured it out!!! Thanks for all the pointers!!!!

Ok... For the solution.... Now remember, I am running an LRP distro of Linux (http://lrp.steinkuehler.net/index.html) and am performing an IPSec VPN Passthrough Connection (VPN from Client behind Firewall to VPN Gateway Server). I am not connecting one network to another or enabling VPN access into my network... With all that said, here I go!

As you read from the above posts, I needed to get the IPSec Module loaded. Fortunately, it was included in the CD-ROM version of the distro that I am running; it was just a matter of editing the Modules File and uncommenting the line with "ip_masq_ipsec" in it. In case you are running a floppy-only version, you need to download the "ip_masq_ipsec.o" module.

Once this is done, you need to edit the "/etc/network.conf" file. You can do this manually or through the Menu Interface (the easy way to get to the file). You may want to refer to a document by Lynn Avants about port forwarding with this Distro located here: http://sourceforge.net/docman/display_doc.php?docid=10418&group_id=13751

Ok... Once you get the "/etc/network.conf" file open, you need to scroll down to where you see "IP FILTER SETUP". Under there, you want to add some stuff:

Go to:
  ## UDP services open to outside world
Add:
  EXTERN_UDP_PORTS="0/0_500"

Where the 0/0 is, you can add the IP/Gateway to the VPN on the outside (company's VPN Gateway).

Go to:
  ## Generic services open to outside world
Add:
  EXTERN_PROTO0="50 0/0 192.168.1.25/24"

Again, where the 0/0 is, you can add the IP/Gateway to the VPN on the outside (company's VPN Gateway). The 0/0 (that is the number ZERO and not the letter "O") accepts connections from anywhere on the net.
This is what I used in my case due to my company having multiple IP's for their VPN Gateway and I did not want to have to track them all down. The 192.168.1.25 in this case would be the Static IP address of the client that needs to perform the VPN passthrough. I have heard you can do this with the client having a dynamic IP, but static is more stable I guess. I prefer static in my case.

Ok... now for the port forwarding... While you have the "/etc/network.conf" file open, add the following:

Go to:
  ## Port Forwarding
Add:
  INTERN_SERVERS="udp_${EXTERN_IP}_500_192.168.1.25_500"

Now, add it EXACTLY like that (with the exception of the internal IP address for the client). The variable ${EXTERN_IP} is used so you don't have to input an IP for your xDSL/Cable connection since most of us have static IP's...

Now you have all that done, you need to back up the /etc onto your floppy (use the backup option in the menu) and re-start the box. Once it is back up and running, you should have VPN Passthrough working!!!

*NOTE* PLEASE remember that I am using an LRP distro of Linux (http://lrp.steinkuehler.net/index.html). This may work with others, so PLEASE read the documentation that came with yours.

Now, I am no expert, and tried to explain it the way I understood; please correct anything that is incorrect.

THANKS ALL!!! Have Phun!!!

-----Original Message-----
From: Lynn Avants [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 29, 2002 12:27 PM
To: Dennis Christilaw
Cc: leaf-user
Subject: Re: [leaf-user] VPN/Port Mapping...

On Sunday 29 December 2002 12:25 pm, you wrote:
> Thanks for the info!
>
> I looked through the document that you provided the link for and it
> tells me to do essentially what you stated below (opening the firewall
> and port forwarding), the only thing is... It does not really go into
> HOW to do it.

Well, I can't implicitly go into _exactly_ how to do it, since this is a general howto that covers _any_ ipsec server setup on _any_ distro.
The _exact_ ways to open a firewall and port-forward ports through are dependent on the _exact_ image/distro you are using... this varies extremely between the LEAF variants themselves (ie... DF and Bering are not similar in the least). However, on the bright side, this information for your exact setup is easily found by searching the leaf-user mailing-list archives (try: ipsec pass-through Dachstein). Assume to make minimal effort to find some of this FAQ information for yourself. Shoot, the "Port-forwarding with Dachstein" FAQ I wrote in the leaf/doc/faq section might help as well! ;-)

> It stated editing the "/etc/ipsec.conf", but is this a
> file I need to ADD or is this somewhere in the configuration menu of the
> CD Distro? Where on the CD do I need to place this file
> ("\lib\modules\net")???

It doesn't state you need to edit "/etc/ipsec.conf" for pass-through operation. If you read the configuration section under "pass-through", it states that all you need to do is load the "ip_masq_ipsec.o" module. "/etc/ipsec.conf" is the configuration file of the "ipsec.lrp" package, which you have no use for since you are running pass-through.

> Do I need the "ipsec.o" module as stated below
> or the "ip_masq_ipsec.o" as stated in the documentation?

The ip_masq_ipsec.o module is what you need, since this helps the ipsec implementation work correctly through NAT. If you have looked in Charles' kernel modules, you will probably notice that there is no "ipsec.o", only "ip_masq_ipsec.o". This module will go into the "/lib/modules" directory on your DCD box and will require that you call it from "/etc/modules" and save the "modules" package.

I hope this helps,
~Lynn Avants

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
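As an added example (not from the thread or the LEAF project), the script below audits the three network.conf lines Dennis lists: it flags the IKE (udp/500) and ESP (protocol 50) pass-through rules that accept traffic from "0/0" (anywhere) and rewrites them so they only accept the company VPN gateway, which is the tightening Dennis mentions but did not apply. The sample network.conf and the gateway address 203.0.113.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit LEAF/Dachstein network.conf IPsec pass-through rules
# for a wildcard (0/0) source and pin them to a specific VPN gateway.

# Constructed sample of the relevant part of /etc/network.conf
SAMPLE_CONF="${TMPDIR:-/tmp}/network.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
## UDP services open to outside world
EXTERN_UDP_PORTS="0/0_500"
## Generic services open to outside world
EXTERN_PROTO0="50 0/0 192.168.1.25/24"
## Port Forwarding
INTERN_SERVERS="udp_${EXTERN_IP}_500_192.168.1.25_500"
EOF

# Print the EXTERN_* pass-through rules (IKE on udp/500, ESP = protocol 50)
# whose source is the wildcard 0/0. Prints nothing if every rule is pinned.
wide_open_rules() {
    grep -E '^(EXTERN_UDP_PORTS|EXTERN_PROTO[0-9]+)=' "$1" \
        | grep -E '(^|["_ ])0/0([_ "]|$)' || true
}

# Same check as a plain number, handy for scripts and assertions.
wide_open_count() {
    wide_open_rules "$1" | grep -c . || true
}

# Rewrite those rules so they only accept traffic from the given gateway
# address (argument 2, hypothetical), writing the result to stdout.
# Note: the thread's "192.168.1.25/24" is a whole-subnet mask; /32 would
# pin the destination to the single pass-through client.
pin_to_gateway() {
    sed -E "/^(EXTERN_UDP_PORTS|EXTERN_PROTO[0-9]+)=/ s#(^|[\"_ ])0/0([_ \"]|\$)#\\1$2\\2#g" "$1"
}

# Demo run: show the wide-open rules, then write a pinned copy.
echo "Rules open to any source in $SAMPLE_CONF:"
wide_open_rules "$SAMPLE_CONF"
pin_to_gateway "$SAMPLE_CONF" 203.0.113.10 > "$SAMPLE_CONF.pinned"
echo "Pinned copy written to $SAMPLE_CONF.pinned"
```

The INTERN_SERVERS forwarding line is left untouched because its source side is the box's own external address, not a remote peer.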
