It looks like IP protocol 47 (GRE) is blocked on eth0. How many NICs do you have? How do you connect to the internet, ADSL or cable modem? Try this at the command prompt and then try to connect:

ipchains -P INPUT ACCEPT

Check your INPUT and OUTPUT for any DENY:

ipchains -L INPUT -v
ipchains -L OUTPUT -v

Huy

----- Original Message -----
From: "Matthew Schneider" <[EMAIL PROTECTED]>
To: "'Huy Bui'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 11:33 PM
Subject: RE: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection

> Hi,
>
> Ok, I loaded the ip_masq_pptp.o module, but it still does not work. I get
> the following in my log:
>
> Jan 7 17:22:32 Richmond_Firewall kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
> Jan 7 17:22:32 Richmond_Firewall kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
> Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
> Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14026 F=0x0000 T=243 (#48)
> <-Some Duplicate Lines Omitted->
> Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14045 F=0x0000 T=243 (#48)
> Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14046 F=0x0000 T=243 (#48)
> Jan 7 17:23:08 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14047 F=0x0000 T=243 (#48)
> Jan 7 17:23:09 Richmond_Firewall kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
>
> Am I correct that I will need to allow port 65535 to come in? Is it safe to
> allow that? I periodically look through my logs and I notice a lot of
> traffic on that port from various sources. I read somewhere that it had to
> do with fragmented packets.
> I have also put the PIX address in the hosts.allow file. If I need to allow
> the port, where in the file of firewall rules will I need to place it? I
> have tried adding something before, but I never can seem to pick out the
> right spot to put it.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Huy Bui
> Sent: Wednesday, January 07, 2004 3:25 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
>
> Then you need to load the ip_masq_pptp.o (kernel 2.2) for a client behind LEAF
> to work.
> Huy
>
> ----- Original Message -----
> From: "Matthew Schneider" <[EMAIL PROTECTED]>
> To: "'Lynn Avants'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 06, 2004 10:43 PM
> Subject: RE: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
>
> > Hi,
> >
> > Sorry, my first post might have been a little misleading. The Pix is not
> > behind one of the Leaf boxes. It is at my job. The firewalls are located at
> > my house and another family member's house. The only thing that is behind
> > the firewall is my Windows 2000 client machine. Would the port forwarding
> > still apply to this situation?
> >
> > Matthew
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
> > Sent: Monday, January 05, 2004 11:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
> >
> > On Monday 05 January 2004 09:18 pm, Matthew Schneider wrote:
> > > Hi,
> > >
> > > I currently have 2 sites with a Leaf 2.2.19-3 Firewall at each site. I
> > > am using FreeS/Wan to create a site-to-site VPN between the two firewalls.
> > > This setup has been working fine for a while. I have run into a situation
> > > where I need to use the Microsoft VPN client to make a PPTP connection to a
> > > Pix firewall at work from a machine on the inside of one of the firewalls.
> > > Currently, the connection to the Pix fails behind the firewall. Is it
> > > possible to make the PPTP connection to the Pix and still keep the
> > > site-to-site VPN? If so, what configuration changes would I need to make
> > > on the firewall?
> >
> > IPsec and PPTP are entirely different VPN protocols, and it is not a problem
> > for them to co-exist. You need to port forward the PPTP service through the
> > firewall to the IP address of the PIX box. (GRE protocol, load the ip_masq_pptp
> > module, and the corresponding ports ...that I don't remember off the top of my
> > head).
> > --
> > ~Lynn Avants
> > Linux Embedded Appliance Firewall Developer
> > http://leaf.sourceforge.net
> > http://guitarlynn.homelinux.org:81

-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
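The ipchains "Packet log:" lines quoted in the thread can be triaged mechanically, which settles the two questions raised in it: whether 65535 is a port that must be opened, and where an ACCEPT rule has to go. The parser below is an added example, not code from the thread or the LEAF project. It decodes each field of the kernel log line (PROTO, the two address:port pairs, L = length, S = TOS, I = IP ID, F = the raw IP flags/fragment-offset word, T = TTL, and (#n) = the index of the rule in the chain that matched), reports whether an entry is GRE, a first fragment or a non-first fragment, counts DENYs per interface/protocol/source, and emits a narrow ipchains rule that accepts GRE only from the one peer, inserted at the top of the chain ahead of the denying rule, rather than the blanket `ipchains -P INPUT ACCEPT` used for diagnosis above. The log sample is constructed: RFC 5737 documentation addresses stand in for "(PIX Address)" and "(My Public IP)", and the two UDP lines model a fragmented datagram to show the 65535 filler appearing where no port was available to log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not from the thread). The line shape copies the ipchains
# "Packet log:" entries quoted above; 203.0.113.5 stands in for "(PIX Address)" and
# 198.51.100.7 for "(My Public IP)". The last two lines model a fragmented UDP
# datagram: the first fragment still carries ports, the second does not, so the
# port fields are logged as 65535 (the same filler GRE gets, since GRE has no ports).
SAMPLE_LOG = """\
Jan  7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.7:65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
Jan  7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.7:65535 L=78 S=0x00 I=14026 F=0x0000 T=243 (#48)
Jan  7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.7:65535 L=55 S=0x00 I=14045 F=0x0000 T=243 (#48)
Jan  7 17:23:08 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:53 198.51.100.7:1025 L=1500 S=0x00 I=9 F=0x2000 T=50 (#12)
Jan  7 17:23:08 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:65535 198.51.100.7:65535 L=120 S=0x00 I=9 F=0x00B9 T=50 (#12)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) (?P<dst>{IPV4}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
PPTP_CONTROL_PORT = 1723  # PPTP control channel; GRE (proto 47) carries the data


@dataclass
class PacketLogEntry:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ipid: int
    frag_word: int  # IP header flags (3 bits) + fragment offset (13 bits)
    ttl: int
    rule: int  # index of the rule in the chain that produced this verdict

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_word & 0x2000)  # MF flag

    @property
    def frag_offset(self) -> int:
        return self.frag_word & 0x1FFF  # in 8-byte units

    @property
    def is_fragment(self) -> bool:
        return self.more_fragments or self.frag_offset != 0

    @property
    def ports_meaningful(self) -> bool:
        # Only TCP/UDP have ports, and only the first fragment carries the header.
        return self.proto in (6, 17) and self.frag_offset == 0


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Decode one ipchains 'Packet log:' line; None for anything else."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLogEntry(
        chain=g["chain"], verdict=g["verdict"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        ipid=int(g["ipid"]), frag_word=int(g["frag"], 16), ttl=int(g["ttl"]),
        rule=int(g["rule"]),
    )


def parse_log(text: str) -> List[PacketLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def explain(e: PacketLogEntry) -> str:
    """Human-readable reading of what was dropped, and why the port field looks odd."""
    name = PROTO_NAMES.get(e.proto, f"proto {e.proto}")
    if e.proto == 47:
        what = f"GRE {e.src} -> {e.dst} (PPTP data channel; :65535 is filler, GRE has no ports)"
    elif e.is_fragment and not e.ports_meaningful:
        what = f"non-first {name} fragment at offset {e.frag_offset * 8} bytes (ports not available, logged as 65535)"
    elif e.is_fragment:
        what = f"first fragment of a {name} datagram {e.src}:{e.sport} -> {e.dst}:{e.dport}"
    elif e.proto == 6 and PPTP_CONTROL_PORT in (e.sport, e.dport):
        what = f"PPTP control connection (TCP {PPTP_CONTROL_PORT}) {e.src}:{e.sport} -> {e.dst}:{e.dport}"
    else:
        what = f"{name} {e.src}:{e.sport} -> {e.dst}:{e.dport}"
    return f"{e.chain} {e.verdict} on {e.iface} by rule #{e.rule}: {what}"


def summarize(entries: List[PacketLogEntry]) -> Counter:
    """DENY counts per (interface, protocol, source): the view needed to decide what to allow."""
    return Counter((e.iface, e.proto, e.src) for e in entries if e.verdict == "DENY")


def suggest_gre_rule(e: PacketLogEntry) -> str:
    """Least-privilege fix: accept GRE only from this peer to this address on this interface.
    -I inserts at position 1, so the rule sits ahead of the DENY rule (#n) that logged the drop."""
    if e.proto != 47:
        raise ValueError("only GRE entries get a GRE rule")
    return f"ipchains -I {e.chain} -i {e.iface} -p 47 -s {e.src} -d {e.dst} -j ACCEPT"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for entry in entries:
        print(explain(entry))
    for (iface, proto, src), n in summarize(entries).items():
        print(f"{n} DENY on {iface} proto {proto} from {src}")
    print(suggest_gre_rule(entries[0]))
```

Run it on a real LEAF log by replacing SAMPLE_LOG with the file contents; lines that are not "Packet log:" entries (such as the ip_masq_pptp_tcp() call messages) are skipped. The summary makes the decision explicit: every GRE drop comes from the one PIX address, so the rule to add is GRE from that address only, not "port 65535", and the (#48) in the log says which existing rule is denying it.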
