Koozali.org: home of the SME Server

VPN Masquerading

Sébastien Dacquin

VPN Masquerading
« on: March 28, 2001, 07:53:25 PM »
How do I install ip_masq_vpn-0.1.1-1.i386.rpm? (The command rpm -ivh --force seems to have no effect.)
What exactly are the template modifications to configure and load the module?

guestFF

Re: VPN Masquerading
« Reply #1 on: March 29, 2001, 02:08:21 AM »
Try using -Uhv? (It upgrades existing packages; your info isn't enough.)

James Caudill

Re: VPN Masquerading
« Reply #2 on: March 29, 2001, 10:48:04 AM »
I also found that I cannot VPN from a PPTP machine behind the e-smith server to a machine on the Internet. Where can I find this RPM that is mentioned (ip_masq_vpn-0.1.1-1.i386.rpm)? Will this RPM package allow me to install the support I need without a need to rebuild the kernel? Everything that I have read seems to indicate that I need to rebuild the kernel with particular options enabled.

Thanks for any feedback...

Sébastien Dacquin

Re: VPN Masquerading
« Reply #3 on: March 29, 2001, 12:10:42 PM »
Hello James,

You can find this package at this URL :

ftp://ftp.e-smith.org/pub/e-smith/contrib/CharlieBrady/RPMS/i386-RH7.0/

But Charlie said to install it with the option "--force".
Gordon told me that we must modify the templates in section masq to start the module and he advised me to send a message to this forum.

If you successfully install this module, let me know how, thanks!

Gordon Rowell

Re: VPN Masquerading
« Reply #4 on: April 03, 2001, 02:27:12 PM »
Sébastien Dacquin wrote:
> [...]
> But Charlie said to install it with the option "--force".
> Gordon told me that we must modify the templates in section
> masq to start the module and he advised me to send a message
> to this forum.
> [...]

This should do it.

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

echo "/sbin/modprobe ip_masq_pptp" > 10masq_pptp

echo "/sbin/modprobe ip_masq_pptp" > 10masq_ipsec

/sbin/e-smith/signal-event remoteaccess-update
/sbin/e-smith/signal-event reboot

Gordon

Gordon Rowell

Re: VPN Masquerading
« Reply #5 on: April 03, 2001, 03:38:50 PM »
Gordon Rowell wrote:
> [...]
> echo "/sbin/modprobe ip_masq_pptp" > 10masq_ipsec
> [...]

Sigh. Let's try that bit again :-(

echo "/sbin/modprobe ip_masq_ipsec" > 10masq_ipsec

Gordon

Reid Carlisle

Re: VPN Masquerading
« Reply #6 on: April 03, 2001, 07:34:05 PM »
I have performed all of the operations described in this thread and it is still not working (PPTP or IPSEC) - do I need to do some port forwarding as well??

Reid

Reid Carlisle

Re: VPN Masquerading
« Reply #7 on: April 04, 2001, 08:50:27 AM »
I will have to give up for now as I got IPSec Masquerading to work using Coyote and Seawall... e-smith will still serve my LAN but I'll have to wait till 4.0 to make it my gateway machine.

Reid

Gordon Rowell

Re: VPN Masquerading
« Reply #8 on: April 04, 2001, 09:04:39 AM »
Reid Carlisle wrote:
>
> I will have to give up for now as I got it IPSec Masquerading
> to work using Coyote and Seawall... e-smith will still serve
> my LAN but I'll have to wait till 4.0 to make it my gateway
> machine.

I take it you mean "post 4.1.1"

We would naturally prefer if you helped us to find out why the instructions didn't work for you so we can ensure that we get it right for later releases.

Please show the output of the following commands:

/sbin/lsmod
grep ip_masq /etc/rc.d/init.d/masq

Thanks,

Gordon

Reid Carlisle

Re: VPN Masquerading
« Reply #9 on: April 05, 2001, 10:03:08 PM »
You are correct - I meant 5.0, but post 4.1.1 is more specific.

Reid

Reid Carlisle

Re: VPN Masquerading
« Reply #10 on: April 05, 2001, 10:07:18 PM »
I will continue to poke around with it... but I just relocated and had to get connected asap as I had already lost so much time due to the move.

I think I was very close!  I was able to get the ip_masq_ipsec module loaded, the traffic just was not getting forwarded!  The same module worked fine on coyote.  Could the kernel version be the problem?

Reid

James Caudill

Re: VPN Masquerading
« Reply #11 on: April 06, 2001, 11:43:56 AM »
Gordon,

I do have the output you have requested I think.

[root@gravity /root]# /sbin/lsmod
Module                  Size  Used by
appletalk-fixed        20960  12  (autoclean)
ip_masq_vdolive         1376   0  (unused)
ip_masq_raudio          3008   0  (unused)
ip_masq_quake           1392   0  (unused)
ip_masq_pptp            4560   3
ip_masq_irc             1632   0  (unused)
ip_masq_ipsec           7728   0  (unused)
ip_masq_icq            10144   0  (unused)
ip_masq_h323            3600   0  (unused)
ip_masq_ftp             4256   0  (unused)
ip_masq_cuseeme         1120   0  (unused)
eepro100               16224   2  (autoclean)
usb-uhci               19056   0  (unused)
usbcore                42096   1  [usb-uhci]
aic7xxx               137440   3
[root@gravity /root]#
[root@gravity /root]# grep ip_masq /etc/rc.d/init.d/mas
    /sbin/modprobe ip_masq_cuseeme
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_h323
    /sbin/modprobe ip_masq_icq
/sbin/modprobe ip_masq_ipsec
    /sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_pptp
    /sbin/modprobe ip_masq_quake
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_vdolive
[root@gravity /root]#


I did the following:

1.  Downloaded the file ftp://ftp.e-smith.org/pub/e-smith/contrib/CharlieBrady/RPMS/i386-RH7.0/ip_masq_vpn-0.1.1-1.i386.rpm

2.  Copied it to a location on the e-smith server
3.  ran the command 'rpm -Uhv ip_masq_vpn-0.1.1-1.i386.rpm --force'
4.  It appeared to work fine.  No error.
5.  ran the command 'mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq'
6.  ran the command 'cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq'
7.  ran the command 'echo "/sbin/modprobe ip_masq_pptp" > 10masq_pptp'
8.  ran the command 'echo "/sbin/modprobe ip_masq_ipsec" > 10masq_ipsec'
9.  ran the command '/sbin/e-smith/signal-event remoteaccess-update'
10.  ran the command '/sbin/e-smith/signal-event reboot'

After the machine rebooted I once again tried to VPN from my machine on the internal LAN to a machine on the Internet via the e-smith server. What I get is that it connects to the server, but it gets stuck trying to do the password authentication. It just sits at the "verifying username and password..".

I would love to replace my Linksys router with the e-smith product!  Any other suggestions to get this working?

Ritchie Logan

Re: VPN Masquerading
« Reply #12 on: April 06, 2001, 09:38:25 PM »
I'm thinking about moving to E-Smith, and need to be sure that it will run an IPSEC client before I migrate.

The solution I currently use needs to have port 50 forwarded to the IPSEC client machine (runs Nortel Extranet Client). This works fine.

I might guess that you will need to add the port forwarding RPM as well.

I'm a complete Linux newbie, so if this works can you add it to the bottom of the instruction list so that I can use it when I finally make the jump to E-Smith?

Gordon Rowell

Re: VPN Masquerading
« Reply #13 on: April 07, 2001, 11:13:16 AM »
Reid Carlisle wrote:
>
> I will continue to poke around with it... but I just
> relocated and had to get connected asap as I had already lost
> so much time due to the move.
>
> I think I was very close!  I was able to get the
> ip_masq_ipsec module loaded, the traffic just was not getting
> forwarded!  The same module worked fine on coyote.  Could the
> kernel version be the problem?

I don't believe so.

However, you will need to accept AH packets through the
packet filter with this addition:

/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT

Gordon

Tim Perry

Re: VPN Masquerading
« Reply #14 on: April 09, 2001, 02:03:06 AM »
I have tried to follow this thread to accomplish VPN connectivity.

Everything was working, until I tried to implement the last command.
This is what I got.

# /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains: host/network -j' not found
Try /sbin/ipchains -h' or '/sbin/ipchains --help' for more information.

Is there something I am missing on this command?
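
Added example, not part of the thread and not e-smith code: the ipchains error above is what an empty $OUTERNET produces in an interactive shell, because -d then takes -j as its address. These POSIX shell checks cover that case plus the fragment mix-up corrected in reply #5 and the lsmod check requested in reply #8; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the names of fragments in directory $1 (NNmasq_<name>) that do not
# load ip_masq_<name>, e.g. 10masq_ipsec containing "modprobe ip_masq_pptp".
mismatched_fragments() {
    for f in "$1"/[0-9][0-9]masq_*; do
        [ -f "$f" ] || continue
        name=${f##*masq_}
        grep -q "modprobe ip_masq_$name\$" "$f" || basename "$f"
    done
}

# Read lsmod output on stdin; print the VPN helper modules that are absent.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in ip_masq_pptp ip_masq_ipsec; do
        echo "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Print the thread's ipchains rule for outer address $1, refusing an empty or
# non-IPv4 value. "-p 50" is an IP protocol number (ESP; AH is 51), not a port.
build_proto50_rule() {
    case $1 in
        ''|*[!0-9./]*) ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)
            echo "/sbin/ipchains --append input -p 50 -s 0/0 -d $1 -j ACCEPT"
            return 0 ;;
    esac
    echo "refusing: outer address '$1' is empty or not IPv4" >&2
    return 1
}

# Demo on constructed data: the two fragments as first posted in reply #4.
d=$(mktemp -d)
echo "/sbin/modprobe ip_masq_pptp" > "$d/10masq_pptp"
echo "/sbin/modprobe ip_masq_pptp" > "$d/10masq_ipsec"
mismatched_fragments "$d"
rm -rf "$d"
printf 'Module Size Used by\nip_masq_pptp 4560 3\n' | missing_modules
build_proto50_rule "${OUTERNET:-}" || echo "set OUTERNET first"
```

On a live server, `/sbin/lsmod | missing_modules` and `mismatched_fragments /etc/e-smith/templates-custom/etc/rc.d/init.d/masq` run the same checks against the real state.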