Hi,

Ok, I loaded the ip_masq_pptp.o module, but it still does not work. I get
the following in my log:

Jan 7 17:22:32 Richmond_Firewall kernel: ip_masq_pptp_tcp():
OUT_CALL_REQUEST 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
Jan 7 17:22:32 Richmond_Firewall kernel: ip_demasq_pptp_tcp():
OUT_CALL_REPLY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0
PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14025
F=0x0000 T=243 (#48)
Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0
PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14026
F=0x0000 T=243 (#48)
<-Some Duplicate Lines Omitted->
Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0
PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14045
F=0x0000 T=243 (#48)
Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0
PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14046
F=0x0000 T=243 (#48)
Jan 7 17:23:08 Richmond_Firewall kernel: Packet log: input DENY eth0
PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14047
F=0x0000 T=243 (#48)
Jan 7 17:23:09 Richmond_Firewall kernel: ip_masq_pptp_tcp():
CALL_DISCONNECT_NOTIFY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39

Am I correct that I will need to allow port 65535 to come in? Is it safe to
allow that? I periodically look through my logs and I notice a lot of
traffic on that port from various sources. I read somewhere that it had to
do with fragmented packets.

I have also put the PIX address in the hosts.allow file. If I need to allow
the port, where in the file of firewall rules will I need to place it? I
have tried adding something before, but I never can seem to pick out the
right spot to put it.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Huy Bui
Sent: Wednesday, January 07, 2004 3:25 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [important] Re: [leaf-user] Inside Client PPTP Connection
With FreeS/WAN Site-To-Site Connection


Then you need to load the ip_masq_pptp.o (kernel 2.2) for a client behind LEAF
to work.

Huy
----- Original Message -----
From: "Matthew Schneider" <[EMAIL PROTECTED]>
To: "'Lynn Avants'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 06, 2004 10:43 PM
Subject: RE: [important] Re: [leaf-user] Inside Client PPTP Connection With
FreeS/WAN Site-To-Site Connection


> Hi,
>
> Sorry, my first post might have been a little misleading. The Pix is not
> behind one of the Leaf boxes. It is at my job. The firewalls are located at
> my house and another family member's house. The only thing that is behind
> the firewall is my Windows 2000 client machine. Would the port forwarding
> still apply to this situation?
>
> Matthew
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Lynn Avants
> Sent: Monday, January 05, 2004 11:09 PM
> To: [EMAIL PROTECTED]
> Subject: [important] Re: [leaf-user] Inside Client PPTP Connection With
> FreeS/WAN Site-To-Site Connection
>
>
> On Monday 05 January 2004 09:18 pm, Matthew Schneider wrote:
> > Hi,
> >
> > I currently have 2 sites with a Leaf 2.2.19-3 Firewall at each site. I
> > am using FreeS/Wan to create a site-to-site vpn between the two firewalls.
> > This setup has been working fine for a while. I have run into a situation
> > where I need to use the Microsoft VPN client to make a PPTP connection to a
> > Pix firewall at work from a machine on the inside of one of the firewalls.
> > Currently, the connection to the Pix fails behind the firewall. Is it
> > possible to make the PPTP connection to the pix and still keep the
> > site-to-site VPN? If so, what configuration changes would I need to make
> > on the firewall?
>
> Ipsec and PPTP are entirely different VPN protocols and this is not a problem
> to co-exist. You need to port forward the PPTP service through the firewall to
> the ip address of the PIX box. (GRE protocol, load the ip_masq_pptp module,
> and the corresponding ports ...that I don't remember off the top of my head).
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer
> http://leaf.sourceforge.net
> http://guitarlynn.homelinux.org:81
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
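An added example, not part of the original thread or of LEAF's own code: a small parser for ipchains `Packet log:` records like the ones quoted in the first message, which groups denied packets by IP protocol instead of by the port column. PROTO=47 is GRE, which has no ports, and 65535 is what ipchains prints in the port columns in that case; the hostname and addresses in the sample are constructed.

```python
import re
from collections import Counter

# IP protocols with no TCP/UDP-style ports (IANA protocol numbers).
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}
# ipchains (kernel 2.2) "Packet log:" record, fields as in the log above.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) .*\(#(?P<rule>\d+)\)")
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.strip().splitlines():
        if STAMP_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize_denies(text):
    """Count DENY records per (traffic label, source, rule number)."""
    counts = Counter()
    for record in unwrap(text):
        m = LOG_RE.search(record)
        if not m or m["target"] != "DENY":
            continue
        proto = int(m["proto"])
        # Port-less protocols are labelled by name; others keep the dest port.
        label = PORTLESS.get(proto) or f"proto {proto} dport {m['dport']}"
        counts[(label, m["src"], int(m["rule"]))] += 1
    return counts

# Constructed sample: documentation addresses and hostname, wrapped the way a
# mail client would wrap them, plus one TCP record for contrast.
SAMPLE = """\
Jan 7 17:22:32 fw kernel: Packet log: input DENY eth0 PROTO=47
192.0.2.10:65535 198.51.100.7:65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
Jan 7 17:22:32 fw kernel: Packet log: input DENY eth0 PROTO=47
192.0.2.10:65535 198.51.100.7:65535 L=78 S=0x00 I=14026 F=0x0000 T=243 (#48)
Jan 7 17:24:01 fw kernel: Packet log: input DENY eth0 PROTO=6
203.0.113.5:4021 198.51.100.7:135 L=48 S=0x00 I=511 F=0x4000 T=110 (#48)
"""

if __name__ == "__main__":
    for (label, src, rule), n in summarize_denies(SAMPLE).items():
        print(f"{n} x {label} from {src} denied by rule #{rule}")
```

The rule number in each summary line is the `(#N)` field from the log, which identifies the rule in the input chain that matched the packet.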