/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Hi,

I am having a problem with a M$ box trying to run a VPN client 
through a Linux gateway out to the server VPN. The Linux system is
RH6.2, kernel 2.2.14-5, with ipchains configured simply to do 
masquerading of the private class C systems.  Here is the pertinent
config stuff snipped from /etc/rc.d/rc.local:

#----#----#----#----#----#----#----#----#----#----#----#----#----#----#----#
extint="eth0"
intnet="192.168.1.0/24"

echo "1" > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY

/sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#----#----#----#----#----#----#----#----#----#----#----#----#----#----#----#

Now, the masquerading/ipchains setup works just fine for those systems 
on the private subnet, but the VPN client cannot get connected to the 
server at the remote end.

So, I ran tcpdump on both NICs to capture traffic and see why the VPN
was not getting connected/initialized.  The public class B network is
on the "eth0" NIC and the private class C is on the "eth1" NIC.  I can
see the M$ client sending these packets on "eth1":

17:28:00.130385 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:08.160144 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:15.808246 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]

and over on the "eth0" NIC, I can see the masqueraded result going out
onto the public class B network:

17:28:00.130448 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:08.160208 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:15.808306 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]

There are no reply packets returned by the remote end.  After these 3
packets are sent out, the client determines that this is an error condition,
and issues a dialog box saying:  "Login Failure due to: Remote host not
responding".

If I reconnect this M$ box back onto the class B subnet, and retry the 
VPN session, it works flawlessly.  So, I surmise that the VPN server is 
expecting the source port to be 500, and when it isn't, it ignores 
the request, and drops the packets.

So, my questions to you are: 

1. How can I change the masquerading to just mangle the IP address but 
   not the source port?

2. If ipchains cannot do this, how would I do this with iptables? Something
   like SNAT plus masq'ing?

Thanks for any assistance you can provide in solving this problem.

ed
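The symptom described above (the eth1 packet leaving with UDP source port 500, the eth0 copy leaving with 61010, and no reply ever arriving) can be checked mechanically from the two captures. The following script is an added example, not code from the original post: it parses tcpdump lines in the format quoted above, pairs each inside packet with its translated copy on the outside NIC, and reports every ISAKMP flow whose source port was rewritten, whether the new port falls in the 61000-65095 pool that the 2.2 kernel's masquerading code allocates from, and how many packets came back from the peer. The sample captures are the six packet lines from the post; the pairing window of 10 ms and the field names are my own choices.

```python
import re

# Format of the tcpdump lines quoted in the post (2.2-era tcpdump): one packet
# line followed by an indented continuation line, which does not match and is ignored.
#   "17:28:00.130385 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0"
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+[<>]\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\S+)"
)

IKE_PORT = 500
# Source-port pool the 2.2 kernel masquerading code hands out (PORT_MASQ_BEGIN 61000, 4096 ports).
MASQ_PORTS = range(61000, 61000 + 4096)


def _seconds(ts):
    """'17:28:00.130385' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    """Return one dict per packet line; continuation lines are dropped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            p = m.groupdict()
            p["t"] = _seconds(p.pop("ts"))
            p["sport"] = int(p["sport"])
            p["dport"] = int(p["dport"])
            pkts.append(p)
    return pkts


def correlate(inside, outside, window=0.01):
    """Pair each packet seen on the inside NIC with its translated copy on the
    outside NIC: same destination, destination port and protocol, within `window` s."""
    used, pairs = set(), []
    for i in inside:
        for idx, o in enumerate(outside):
            if idx in used:
                continue
            if (o["dst"], o["dport"], o["proto"]) != (i["dst"], i["dport"], i["proto"]):
                continue
            if abs(o["t"] - i["t"]) <= window:
                used.add(idx)
                pairs.append((i, o))
                break
    return pairs


def diagnose(inside_text, outside_text):
    """Flag flows whose UDP source port the gateway rewrote, and count replies
    from the remote peer that reached the outside NIC."""
    inside, outside = parse_tcpdump(inside_text), parse_tcpdump(outside_text)
    flows = []
    for i, o in correlate(inside, outside):
        flows.append({
            "inside": (i["src"], i["sport"]),
            "outside": (o["src"], o["sport"]),
            "peer": (o["dst"], o["dport"]),
            "port_rewritten": i["sport"] != o["sport"],
            "from_masq_pool": o["sport"] in MASQ_PORTS,
            "ike_source_port_lost": i["sport"] == IKE_PORT and o["sport"] != IKE_PORT,
        })
    peers = {f["peer"][0] for f in flows}
    replies = sum(1 for p in outside if p["src"] in peers)
    return {"flows": flows, "replies_from_peer": replies}


# Sample captures: the packet lines quoted in the post, eth1 (inside) then eth0 (outside).
INSIDE_CAPTURE = """\
17:28:00.130385 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:08.160144 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:15.808246 < 192.168.1.9.500 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
"""
OUTSIDE_CAPTURE = """\
17:28:00.130448 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:08.160208 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
17:28:15.808306 > 129.20.238.96.61010 > 192.108.63.131.500: isakmp v0.0
        from:c7bb6221 to: 6a09c9b9 msgid:00000000 length 17826816 [|isakmp]
"""

if __name__ == "__main__":
    report = diagnose(INSIDE_CAPTURE, OUTSIDE_CAPTURE)
    for f in report["flows"]:
        print(f"{f['inside']} -> {f['outside']} to {f['peer']}: "
              f"rewritten={f['port_rewritten']} pool={f['from_masq_pool']} "
              f"ike_port_lost={f['ike_source_port_lost']}")
    print("replies from peer:", report["replies_from_peer"])
```

The check is only as good as the pairing: run both tcpdumps with the same clock (one host, two NICs, as in the post) and keep the window small, otherwise retransmissions of one flow can be paired with another. Note that the 2.2 masquerading code always allocates an outside port from its own pool, so the source port cannot be kept under ipchains; netfilter's SNAT/MASQUERADE in 2.4 keeps the original source port when it is not already in use on the gateway, which is enough for a single IKE client. ESP (IP protocol 50) has no ports at all and is not masqueraded by either without an IPsec-aware patch or module.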

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
