Hi,

I tried these steps, and the connection works. I will attach the output from the ipchains -L FORWARD -v. What do I need to do next?

Thanks,
Matthew

-----Original Message-----
From: Huy Bui [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 08, 2004 6:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection

In your INPUT chain you have this:

152 6372 DENY all ----l- 0xFF 0x00 eth0 anywhere anywhere n/a

which means you deny anything that you don't ACCEPT explicitly on eth0 (which I assume is your internet-facing NIC).

To troubleshoot, temporarily flush the INPUT chain with

ipchains -F INPUT
ipchains -P INPUT ACCEPT

then try to connect and check the log.

Huy

----- Original Message -----
From: "Matthew Schneider" <[EMAIL PROTECTED]>
To: "'Huy Bui'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 08, 2004 11:40 AM
Subject: Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection

> Hi,
>
> I have 2 NICs. I connect to the internet through a cable modem.
> I tried the command, but it still does not work. I get the same output in my
> logs. I saved a copy of the output from the 2 ipchains commands before I
> added the accept and after. I will attach those. I didn't see anything
> specifically denying protocol 47, but I might not be reading it right. Your
> help is much appreciated.
>
> Matthew
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Huy Bui
> Sent: Thursday, January 08, 2004 3:40 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
>
> It looks like IP protocol 47 (GRE) is blocked on eth0.
> How many NICs do you have? How do you connect to the internet? ADSL or cable
> modem?
> Try this at the command prompt and then try to connect:
>
> ipchains -P INPUT ACCEPT
>
> Check your INPUT and OUTPUT for any DENY:
>
> ipchains -L INPUT -v
> ipchains -L OUTPUT -v
>
> Huy
>
> ----- Original Message -----
> From: "Matthew Schneider" <[EMAIL PROTECTED]>
> To: "'Huy Bui'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 07, 2004 11:33 PM
> Subject: RE: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
>
> > Hi,
> >
> > Ok, I loaded the ip_masq_pptp.o module, but it still does not work. I get
> > the following in my log:
> >
> > Jan 7 17:22:32 Richmond_Firewall kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
> > Jan 7 17:22:32 Richmond_Firewall kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
> > Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
> > Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14026 F=0x0000 T=243 (#48)
> > <-Some Duplicate Lines Omitted->
> > Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14045 F=0x0000 T=243 (#48)
> > Jan 7 17:23:05 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=78 S=0x00 I=14046 F=0x0000 T=243 (#48)
> > Jan 7 17:23:08 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 (PIX Address):65535 (My Public IP):65535 L=55 S=0x00 I=14047 F=0x0000 T=243 (#48)
> > Jan 7 17:23:09 Richmond_Firewall kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> (PIX Address) CID=8000 MCID=EF39
> >
> > Am I correct that I will need to allow port 65535 to come in? Is it safe to
> > allow that? I periodically look through my logs and I notice a lot of
> > traffic on that port from various sources. I read somewhere that it had to
> > do with fragmented packets.
> > I have also put the PIX address in the hosts.allow file. If I need to allow
> > the port, where in the file of firewall rules will I need to place it? I
> > have tried adding something before, but I never can seem to pick out the
> > right spot to put it.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Huy Bui
> > Sent: Wednesday, January 07, 2004 3:25 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
> >
> > Then you need to load the ip_masq_pptp.o (kernel 2.2) for a client behind LEAF
> > to work.
> >
> > Huy
> >
> > ----- Original Message -----
> > From: "Matthew Schneider" <[EMAIL PROTECTED]>
> > To: "'Lynn Avants'" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, January 06, 2004 10:43 PM
> > Subject: RE: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
> >
> > > Hi,
> > >
> > > Sorry, my first post might have been a little misleading. The Pix is not
> > > behind one of the Leaf boxes. It is at my job. The firewalls are located at
> > > my house and another family member's house. The only thing that is behind
> > > the firewall is my Windows 2000 client machine. Would the port forwarding
> > > still apply to this situation?
> > >
> > > Matthew
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
> > > Sent: Monday, January 05, 2004 11:09 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [important] Re: [leaf-user] Inside Client PPTP Connection With FreeS/WAN Site-To-Site Connection
> > >
> > > On Monday 05 January 2004 09:18 pm, Matthew Schneider wrote:
> > > > Hi,
> > > >
> > > > I currently have 2 sites with a Leaf 2.2.19-3 Firewall at each site. I
> > > > am using FreeS/Wan to create a site-to-site VPN between the two firewalls.
> > > > This setup has been working fine for a while. I have run into a situation
> > > > where I need to use the Microsoft VPN client to make a PPTP connection to a
> > > > Pix firewall at work from a machine on the inside of one of the firewalls.
> > > > Currently, the connection to the Pix fails behind the firewall. Is it
> > > > possible to make the PPTP connection to the Pix and still keep the
> > > > site-to-site VPN? If so, what configuration changes would I need to make
> > > > on the firewall?
> > >
> > > IPsec and PPTP are entirely different VPN protocols, and having them co-exist
> > > is not a problem. You need to port forward the PPTP service through the firewall
> > > to the IP address of the PIX box (GRE protocol, load the ip_masq_pptp module,
> > > and the corresponding ports ...that I don't remember off the top of my head).
> > > --
> > > ~Lynn Avants
> > > Linux Embedded Appliance Firewall Developer
> > > http://leaf.sourceforge.net
> > > http://guitarlynn.homelinux.org:81
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: IBM Linux Tutorials.
> > > Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
> > > Free Linux Tutorials. Learn everything from the bash shell to sys admin.
> > > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> > > ------------------------------------------------------------------------
> > > leaf-user mailing list: [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
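An added example, not from the thread or the LEAF project: a parser for the ipchains "Packet log:" lines of the kind Matthew posted, summarising which protocols the kernel denied on which interface and by which rule, so the GRE (protocol 47) drops on eth0 stand out from the rest of the log. The sample lines are constructed after his, with documentation addresses standing in for "(PIX Address)" and "(My Public IP)"; the 65535 in both port fields is what ipchains prints for port-less protocols such as GRE, not a real port.

```python
import re
from collections import Counter

# Linux 2.2 ipchains packet-log line, e.g.
#   Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.9:65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def parse_packet_log(line):
    """Return a dict for an ipchains packet-log line, or None for any other kernel message."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "id", "ttl"):
        rec[k] = int(rec[k])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None  # matching rule number, if logged
    rec["frag"] = int(rec["frag"], 16)                        # IP flags/fragment offset field
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    # Only TCP/UDP carry ports; for GRE etc. ipchains fills both port fields with 65535.
    rec["has_ports"] = rec["proto"] in (6, 17)
    return rec


def denied_summary(lines):
    """Count DENY/REJECT entries keyed by (chain, iface, protocol, rule, source)."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["verdict"] in ("DENY", "REJECT"):
            counts[(rec["chain"], rec["iface"], rec["proto_name"], rec["rule"], rec["src"])] += 1
    return counts


# Constructed sample modelled on the thread's log; 203.0.113.5 = PIX, 198.51.100.9 = public IP.
SAMPLE_LOG = """\
Jan 7 17:22:32 Richmond_Firewall kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> 203.0.113.5 CID=8000 MCID=EF39
Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.9:65535 L=55 S=0x00 I=14025 F=0x0000 T=243 (#48)
Jan 7 17:22:32 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=47 203.0.113.5:65535 198.51.100.9:65535 L=78 S=0x00 I=14026 F=0x0000 T=243 (#48)
Jan 7 17:22:40 Richmond_Firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4444 198.51.100.9:135 L=48 S=0x00 I=9 F=0x4000 T=112 (#48)
""".splitlines()

if __name__ == "__main__":
    for (chain, iface, proto, rule, src), n in sorted(denied_summary(SAMPLE_LOG).items()):
        print(f"{chain} {iface}: {proto} from {src} denied {n}x by rule #{rule}")
```

Running it on a real /var/log/messages shows whether the rule number behind the GRE drops is the catch-all DENY that Huy pointed at, which is the rule an explicit ACCEPT for protocol 47 from the PIX address has to precede.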
