Ok, having experimented a little more I can add these facts.
1. LAN systems DO see the proxy arp for the VPN host
2. A traceroute from the LAN gets as far as the SME box.
3. The VPN host does see a route through the VPN to the SME box.
4. A traceroute from the host gets as far as the SME box
So... my new question is "WHat do I need to do to actually
have the SME box forward the packets? Is it a matter of the
Chains? Is it a kernel parameter? What am I missing?"
TIA
EEhud Gavron wrote:
>
> We have a PIX firewall connecting our internal network to the
> Internet.
>
> We have an SME server which is set to "Server Only" mode
> and sits on the DMZ of the PIX.
>
> We have connected the second interface of the SME server
> to the Internal network, and wish to use it as a PPTP gateway
> for external users to access the internal network.
>
> (Side note:
> our version of the PIX does not support VPNs or we would have
> used it for this. Side note 2: we do not want the E-smith box
> doing full time routing between the two... so the PIX stays.)
>
> So the BIG question I have is
> "How do I enable PPTP and the second interface without
> turning it into a Gateway box" or "Is there a harm in turning
> it into a gateway box?"
>
> Here's what I did do:
> 1. ifconfig eth1 ip.address.on.inside
> it pings local net fine
> 2. I can form a VPN to it from my home PC, and I can
> ping the e-smith server fine. Traceroute shows it
> one hop away (ergo routing through the tunnel
>
> 3. I CANNOT ping, trace etc. THROUGH the box
> to the local net.
>
> My guess is the box is NOT doing proxy-arp for the
> remote system at the end of the tunnel.
>
> So I guess I would like to know if there is a way to
> "enable pptp service" the right way so it works...
> or what assumptions I'm making that are wrong or
> unnecessary.
>
> Any help appreciated. I am an IP internals jockey,
> but not much of an e-smith jockey.
>
> Ehud
> gavron@wetwork.net
2 Replies
613 Views