Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Sébastien Dacquin on March 28, 2001, 07:53:25 PM
-
How do I install the ip_masq_vpn-0.1.1-1.i386.rpm? (The command rpm -ivh --force seems to have no effect.)
What exactly are the template modifications needed to configure and load the module?
-
Try using -Uhv? (upgrade existing packages, your info isn't enough)
-
I also found that I cannot VPN from a PPTP machine behind the e-smith server to a machine on the Internet. Where can I find this RPM that is mentioned (ip_masq_vpn-0.1.1-1.i386.rpm)? Will this RPM package allow me to install the support I need without a need to rebuild the kernel? Everything that I have read seems to indicate that I need to rebuild the kernel with particular options enabled.
Thanks for any feedback...
-
Hello James,
You can find this package at this URL:
ftp://ftp.e-smith.org/pub/e-smith/contrib/CharlieBrady/RPMS/i386-RH7.0/
But Charlie said to install it with the option "--force".
Gordon told me that we must modify the templates in section masq to start the module and he advised me to send a message to this forum.
If you successfully install this module, let me know how, thanks!
-
Sébastien Dacquin wrote:
> [...]
> But Charlie said to install it with the option "--force".
> Gordon told me that we must modify the templates in section
> masq to start the module and he advised me to send a message
> to this forum.
> [...]
This should do it.
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
echo "/sbin/modprobe ip_masq_pptp" > 10masq_pptp
echo "/sbin/modprobe ip_masq_pptp" > 10masq_ipsec
/sbin/e-smith/signal-event remoteaccess-update
/sbin/e-smith/signal-event reboot
Gordon
-
Gordon Rowell wrote:
> [...]
> echo "/sbin/modprobe ip_masq_pptp" > 10masq_ipsec
> [...]
Sigh. Let's try that bit again :-(
echo "/sbin/modprobe ip_masq_ipsec" > 10masq_ipsec
Gordon
-
I have performed all of the operations described in this thread and it is still not working (PPTP or IPSEC) - do I need to do some port forwarding as well??
Reid
-
I will have to give up for now as I got IPSec Masquerading to work using Coyote and Seawall... e-smith will still serve my lan but I'll have to wait till 4.0 to make it my gateway machine.
Reid
-
Reid Carlisle wrote:
>
> I will have to give up for now as I got IPSec Masquerading
> to work using Coyote and Seawall... e-smith will still serve
> my lan but I'll have to wait till 4.0 to make it my gateway
> machine.
I take it you mean "post 4.1.1"
We would naturally prefer if you helped us to find out why the instructions didn't work for you so we can ensure that we get it right for later releases.
Please show the output of the following commands:
/sbin/lsmod
grep ip_masq /etc/rc.d/init.d/masq
Thanks,
Gordon
-
You are correct - I meant 5.0, but post 4.1.1 is more specific.
Reid
-
I will continue to poke around with it... but I just relocated and had to get connected asap as I had already lost so much time due to the move.
I think I was very close! I was able to get the ip_masq_ipsec module loaded, the traffic just was not getting forwarded! The same module worked fine on coyote. Could the kernel version be the problem?
Reid
-
Gordon,
I do have the output you have requested I think.
[root@gravity /root]# /sbin/lsmod
Module Size Used by
appletalk-fixed 20960 12 (autoclean)
ip_masq_vdolive 1376 0 (unused)
ip_masq_raudio 3008 0 (unused)
ip_masq_quake 1392 0 (unused)
ip_masq_pptp 4560 3
ip_masq_irc 1632 0 (unused)
ip_masq_ipsec 7728 0 (unused)
ip_masq_icq 10144 0 (unused)
ip_masq_h323 3600 0 (unused)
ip_masq_ftp 4256 0 (unused)
ip_masq_cuseeme 1120 0 (unused)
eepro100 16224 2 (autoclean)
usb-uhci 19056 0 (unused)
usbcore 42096 1 [usb-uhci]
aic7xxx 137440 3
[root@gravity /root]#
[root@gravity /root]# grep ip_masq /etc/rc.d/init.d/mas
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_h323
/sbin/modprobe ip_masq_icq
/sbin/modprobe ip_masq_ipsec
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_pptp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_vdolive
[root@gravity /root]#
I did the following:
1. Downloaded the file ftp://ftp.e-smith.org/pub/e-smith/contrib/CharlieBrady/RPMS/i386-RH7.0/ip_masq_vpn-0.1.1-1.i386.rpm
2. Copied it to a location on the e-smith server
3. ran the command 'rpm -Uhv ip_masq_vpn-0.1.1-1.i386.rpm --force'
4. It appeared to work fine. No error.
5. ran the command 'mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq'
6. ran the command 'cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq'
7. ran the command 'echo "/sbin/modprobe ip_masq_pptp" > 10masq_pptp'
8. ran the command 'echo "/sbin/modprobe ip_masq_ipsec" > 10masq_ipsec'
9. ran the command '/sbin/e-smith/signal-event remoteaccess-update'
10. ran the command '/sbin/e-smith/signal-event reboot'
After the machine rebooted I once again tried to VPN from my machine on the internal lan to a machine on the internet via the e-smith server. What I get is that it connects to the server, but it gets stuck trying to do the password authentication. It just sits at the "verifying username and password..".
I would love to replace my Linksys router with the e-smith product! Any other suggestions to get this working?
-
I'm thinking about moving to E-Smith, and need to be sure that it will run an IPSEC client before I migrate.
The solution I currently use needs to have port 50 forwarded to the IPSEC client machine (runs Nortel Extranet Client). This works fine.
I might guess that you will need to add the port forwarding RPM as well.
I'm a complete Linux newbie, so if this works can you add it to the bottom of the instruction list so that I can use it when I finally make the jump to E-Smith.
-
Reid Carlisle wrote:
>
> I will continue to poke around with it... but I just
> relocated and had to get connected asap as I had already lost
> so much time due to the move.
>
> I think I was very close! I was able to get the
> ip_masq_ipsec module loaded, the traffic just was not getting
> forwarded! The same module worked fine on coyote. Could the
> kernel version be the problem?
I don't believe so.
However, you will need to accept AH packets through the
packet filter with this addition:
/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
Gordon
-
I have tried to follow this thread to accomplish VPN connectivity.
Everything was working, until I tried to implement the last command.
This is what I got.
# /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains: host/network `-j' not found
Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
Is there something I am missing on this command?
-
Sorry, that line needs to be added to /etc/rc.d/init.d/masq via a custom template. If you run it from the command-line, $OUTERNET is (probably) undefined, so you will see that error.
Add the line to the 10masq_ipsec file mentioned above.
And I made a typo before - this is for ESP packets, not AH packets.
Gordon
-
Hi,
I've been following this discussion with interest as I am trying to get e-smith to masquerade VPN IPsec traffic as well. According to instructions I've found in a couple of places I need ipfwd in order to forward the protocol 50 packets to my client machine. Unfortunately I cannot find an ipfwd rpm built for e-smith/RH7. Does anyone know where I can get my hands on it? There is a source rpm available at http://www.cag.lcs.mit.edu/~cananian/Projects/IPfwd/release/ but of course e-smith doesn't have a compiler or anything installed.
For others trying to get VPN masquerading to work there's good information at http://www.phoneboy.com/faq/0372.html (specific to SecuRemote and Firewall-1), as well as the generic VPN Masquerading how-to at ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html.
-
Gordon Rowell wrote:
> Sorry, that line needs to be added to /etc/rc.d/init.d/masq via
> a custom template. If you run it from the command-line,
> $OUTERNET is (probably) undefined, so you will see that error.
>
> Add the line to the 10masq_ipsec file mentioned above.
[snip]
You will actually have to add the line to a separate fragment, i.e. 40AllowIPSec, since the $OUTERNET variable is not yet defined in the standard fragments by the time the template generator hits the 10masq_ipsec file.
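
The fragment-ordering point above and the earlier command-line error, as an added example (not code from the thread or from e-smith): it assembles fragments in lexical order inside a temporary directory, reports the first use of $OUTERNET that comes before its definition, and shows which word ipchains receives after -d when the variable is empty. The 20DefineOuternet fragment, the 192.0.2.1 address, the function names and lexical-order assembly are assumptions; the thread does not say where OUTERNET is set.

```shell
#!/bin/sh
# Added example: works only in a mktemp sandbox, touches nothing under /etc.

# Build a sandbox fragment directory; $1 names the fragment that gets the ESP rule.
build_sandbox() {
    d=$(mktemp -d)
    echo '/sbin/modprobe ip_masq_pptp'  > "$d/10masq_pptp"
    echo '/sbin/modprobe ip_masq_ipsec' > "$d/10masq_ipsec"
    # Constructed stand-in for whichever standard fragment defines OUTERNET.
    echo 'OUTERNET=192.0.2.1' > "$d/20DefineOuternet"
    echo '/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT' >> "$d/$1"
    echo "$d"
}

# Concatenate fragments in lexical order (assumed generator behaviour).
assemble() {
    for f in "$1"/*; do cat "$f"; done
}

# Line number of the first $OUTERNET use that precedes its definition, or 0.
first_unsafe_use() {
    assemble "$1" | awk '
        /^ *OUTERNET=/ { defined = 1; next }
        /\$OUTERNET/ && !defined { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# Word that follows -d when the rule is expanded with OUTERNET set to $1.
# An empty, unquoted variable vanishes, so -j becomes the "host/network".
dest_arg() {
    OUTERNET=$1
    set -- --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
    while [ "$1" != "-d" ]; do shift; done
    printf '%s\n' "$2"
}

bad=$(build_sandbox 10masq_ipsec)
good=$(build_sandbox 40AllowIPSec)
echo "rule in 10masq_ipsec: first unsafe line = $(first_unsafe_use "$bad")"
echo "rule in 40AllowIPSec: first unsafe line = $(first_unsafe_use "$good")"
echo "-d argument with OUTERNET unset: $(dest_arg "")"
rm -rf "$bad" "$good"
```

The same awk check can be pointed at a copy of the generated /etc/rc.d/init.d/masq to confirm the rule lands after the definition.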
-
Maybe it would help to know where the $OUTERNET variable is set and what it is supposed to contain. I went looking for OUTERNET to no avail. I am on a dial up connection. The name seems to imply it contains the address for the internet connection.
Also is there any better way to test this connection besides attempting to use the SecuRemote client?
-
Just to follow-up:
As far as we know, PPTP and IPSEC masquerading should both work under 4.1.2 - we know that PPTP does. If IPSEC does not, please provide full details in a bug report to bugs@e-smith.com
Thanks,
Gordon