Koozali.org: home of the SME Server

Bloody VPN!

KegRaider

Bloody VPN!
« on: September 09, 2004, 02:46:15 AM »
Ok, I won't beat around the bush.  I want to allow external users access to our Win2K Server, which is behind the SME6 server.

<----INTERNET---->
         |
         |
  <--SME 6.01-->     kernel 2.4.20-18.7
         |
         |
<--Win2k Server-->   VPN Server
         |
         |
<--Rest of Network-->


Little mud map.  The Win2k Server worked fine using ISA (no flames please); the only difference is that I added the SME box (I use SME at home) as SME's web proxy actually works.  The only trouble is that I cannot get VPN to pass through the SME box to get to the ISA box.

I have read heaps of documentation on the internet about the forwarding of protocol 47 (GRE) and haven't had any luck creating a script to do it.  I have searched these forums, and the links that are similar, but not what I require, didn't seem like they would work.
  http://forums.contribs.org/index.php?topic=24038.msg96075#msg96075
http://forums.contribs.org/index.php?topic=24062.0

Here is the first script I used with no success..
iptables -A PREROUTING -t nat -p tcp --dport 1723 -i ppp0 -j DNAT --to-destination 192.168.10.2:1723
iptables -A PREROUTING -t nat -p gre -i ppp0 -j DNAT --to-destination 192.168.10.2

I just created a file with vi, added this junk, chmod 744, and ran it.  Doesn't redirect to the VPN server.  The 1723 gets through, but I don't know if it is because of this script or the "Port Forwarding" blade in the server manager.

Can the blade be modified to allow protocols other than UDP and TCP?  Or can I somehow add something to a template to allow this?

Another script I have tried (internet source) and it just fails is:-

# Allowing traffic into the NAT table - FireWall
iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 1723 -a ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p 47 -j ACCEPT

# Letting data out from the internal network
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j
ACCEPT

# Forward PPTP on both protocols to the Win2K box
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1723 -j DNAT --to
192.168.10.2
iptables -t nat -A PREROUTING -i ppp0 -p 47 -j DNAT --to 192.168.10.2

# Server to talk back through the firewall
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# or

#IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to ppp0


Then I get this error output on the screen....
iptables v1.2.5: Unknown arg `-a'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
./totalpack: ACCEPT: command not found
iptables v1.2.5: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
./totalpack: 192.168.10.2: command not found

ifconfig for those interested....

eth0      Link encap:Ethernet  HWaddr 00:40:F6:2C:48:8D
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          EtherTalk Phase 2 addr:65280/45
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5468740 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7801460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:948980285 (905.0 Mb)  TX bytes:157552784 (150.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:A0:CC:55:44:42
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6397425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4897399 errors:0 dropped:0 overruns:0 carrier:0
          collisions:6076
          RX bytes:2052957038 (1957.8 Mb)  TX bytes:741983080 (707.6 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          EtherTalk Phase 2 addr:0/0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:88700 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:8250361 (7.8 Mb)  TX bytes:8250361 (7.8 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:5749238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4377569 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:1355427498 (1292.6 Mb)  TX bytes:555031506 (529.3 Mb)


And a tail /var/log/messages
Sep  9 20:40:09 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=xxx.xxx.xxx.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56351 PROTO=47
Sep  9 20:40:11 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=xxx.xxx.xxx.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56352 PROTO=47
Sep  9 20:40:14 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=xxx.xxx.xx.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56353 PROTO=47


Please help.....I'm getting desperate,



Troy.
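The denylog lines in the post above show the gateway dropping protocol 47 towards the Win2k box. As an added example (not code from the original thread), the following script classifies such /var/log/messages entries into the two halves of a PPTP session, so you can tell whether it is the TCP/1723 control channel or the GRE tunnel that the firewall is rejecting. The sample lines are constructed in the style of the thread's excerpt, and the interface name ppp0 is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: classify SME "denylog" entries so you can
# see which half of a PPTP forward the gateway is dropping. PPTP needs two things passed
# through: the TCP/1723 control connection and IP protocol 47 (GRE) for the tunnel itself.

# Constructed sample lines modelled on the /var/log/messages excerpt in the thread
# (source addresses are made up; the real ones were masked in the post).
SAMPLE_LOG='Sep  9 20:40:09 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=198.51.100.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56351 PROTO=47
Sep  9 20:40:11 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=198.51.100.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56352 PROTO=47
Sep  9 20:40:12 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=198.51.100.181 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=119 ID=56360 PROTO=TCP SPT=1099 DPT=1723
Sep  9 20:40:14 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=198.51.100.181 DST=192.168.10.2 LEN=57 TOS=0x00 PREC=0xE0 TTL=119 ID=56353 PROTO=47
Sep  9 20:40:15 proxy kernel: denylog:IN=ppp0 OUT=eth0 SRC=198.51.100.50 DST=192.168.10.7 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=777 PROTO=UDP SPT=5000 DPT=5000'

# classify_denylog: reads denylog lines on stdin and prints "<kind> DST=<ip> <count>",
# one line per kind/destination, sorted. kind is PPTP-GRE (protocol 47),
# PPTP-CTRL (TCP to port 1723) or OTHER.
classify_denylog() {
    grep 'denylog:' | awk '
    {
        dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto == "47" || proto == "GRE")       kind = "PPTP-GRE"
        else if (proto == "TCP" && dpt == "1723")  kind = "PPTP-CTRL"
        else                                       kind = "OTHER"
        count[kind " DST=" dst]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Only drops arriving on the external (RED) interface matter for the inbound forward;
# the interface name is taken from the thread (ppp0).
red_inbound_only() {
    grep 'IN=ppp0 '
}

# On a live box: tail -n 200 /var/log/messages | red_inbound_only | classify_denylog
printf '%s\n' "$SAMPLE_LOG" | red_inbound_only | classify_denylog
```

A count under PPTP-GRE with nothing under PPTP-CTRL means the control connection is already being forwarded and only the GRE rule is missing, which is exactly the situation the log excerpt above shows.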

KegRaider

Bloody VPN!
« Reply #1 on: September 09, 2004, 07:53:06 AM »
IT'S WORKING.....for those interested, and in the same situation, this little script fixed it.

vpnserver="192.168.10.2"
RED_DEV="ppp0"
# Filter table: allow the PPTP control connection (TCP/1723) and GRE (protocol 47) to be forwarded to the VPN server
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
# NAT table: redirect both halves arriving on the external (RED) interface to the VPN server
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to $vpnserver:1723
/sbin/iptables -t nat -A pptp -i $RED_DEV -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp


Just make sure the longer lines are not split onto 2 lines.  I think that was my problem before.

Sorry to fill the forum with junk ;)

Troy.

bernhard

Why make it so complicated?
« Reply #2 on: September 09, 2004, 12:23:53 PM »
If you would like to access "the rest of the network", forget about the Win2k server. The SME server is fully capable of functioning as an MS PPTP VPN server without any modifications.

<----INTERNET---->
|
|
<--SME 6.01--> kernel 2.4.20-18.7 (VPN-server)
|
|
<--Rest of Network-->+<--Win2k Server-->

KegRaider

Bloody VPN!
« Reply #3 on: September 15, 2004, 01:15:35 PM »
Thanks bernhard for your reply, and I have used the configuration you specified in the past.

Unfortunately our network has grown considerably. The real problem is, I have the rest of the network (as I stated), but this comprises our corporate network, our wireless network (leased to customers) and an internet cafe.  All of these networks HAVE to stay separate and therefore secure.

The ISA box takes care of routing with 4 network cards, and any external VPN client (depending on user login) gets directed to the correct NIC and IP range.  

Unfortunately it will stay this way until I can get time to pop in a Linux replacement (like Mandrake MNF).  I'm sure I read somewhere that SME won't support DMZs or many network cards.

Thanks,

Troy.

ldkeen
Bloody VPN!
« Reply #4 on: September 19, 2004, 11:14:07 AM »
Troy,
We had a similar problem trying to use RDC over VPN. Sometimes RDC would work on some setups and sometimes it wouldn't. Read the following link regarding Black Hole Routers and then apply the reg patch to the Windows box and try again. It fixed our problems.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q314825

mbachmann

RDC over VPN
« Reply #5 on: October 15, 2004, 01:54:22 PM »
Quote from: "ldkeen"
... use RDC over vpn ...


Notebook W2K
Internet
SME 6.01 (VPN Server) (Domain Linux)
NT 4.0 Terminalserver (Domain Oldstuff), W2K3 Terminalserver (Domain Database)

I've used RDC over SSH successfully: you have to forward the Terminalserver's IPs/3389 RDC ports to your local machine, easily done with PuTTY.

I can VPN connect the Notebook with the SME box. I cannot RDP connect with both Terminalservers.

What do I have to do? Forward both Terminalservers' IPs/RDC ports to the SME box?

MSmith
Would it work to do a "VPN within a VPN"?
« Reply #6 on: October 18, 2004, 11:20:53 PM »
I've done this to NT and 2K servers by first establishing the VPN to the SME box, then doing ANOTHER VPN connection to the internal LAN IP of the Windows server.  You end up with a bunch of connection icons in the tray, but who cares, it works!
...

mbachmann

Bloody VPN!
« Reply #7 on: October 19, 2004, 12:04:14 PM »
Thanks Agent Smith, I will try this out soon, but perhaps ldkeen can raise his finger too?

MSmith
Once you're in, you're in all the way
« Reply #8 on: October 20, 2004, 05:01:12 AM »
Once the VPN connection to the gateway SME box is established, everything's possible.  Print to network printers, VNC or Remote Desktop to servers or workstations, SSH ... anything.  Just fabulous.
...

mbachmann

Bloody VPN!
« Reply #9 on: October 20, 2004, 02:01:11 PM »
Hrmpf, opening multiple connections once the first connection is established does not work for me. I cannot go any further.

I issued a "route print" on the box and it comes out that I can only see the home network and the SME I'm connecting to, nothing else, no remote network. But the connection is definitely being made.

Do I have to open/forward another port on the home router, like 1723?