Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Nick Orphan on July 31, 2001, 03:46:14 AM
-
I am currently using e-smith 4.1 as a dedicated server and gateway. I was using winroute 4.1. On winroute 4.1 I needed to enable protocol 50 for a workstation to connect to another vpn server. So after installing e-smith this workstation is unable to connect to the other vpn. What do I need to do to get this enabled on e-smith?
-
I couldn't connect to the VPN at work from behind the gateway at home. Tried the fix in this posting http://forums.contribs.org/index.php?topic=1855.msg6169#msg6169 and it worked for me.
My 45AllowIPSECMasq in templates-custom looks like this.
{
    local %services = ( masq => $masq );
    my $me = "ipsec";
    my $status = db_get_prop(\%services, 'masq', 'status') || "disabled";
    my $loadme = db_get_prop(\%services, 'masq', $me) || "yes";
    if ( ($status eq "enabled") and ($loadme eq "yes") )
    {
        $OUT = <<'HERE';
# Accept incoming ESP packets
# Don't bother about AH packets here, as you can't masq them
/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET -j ACCEPT
HERE
    }
}
Trevor B
-
I tried your 45AllowIPSECMasq file as is and continued with the next 2 steps (expanding the templates and updating the remoteaccess-update) and tried it and it did not work. I then added the statement (ipchains -I input -j ACCEPT -p udp -s 0/0 500) that was in the reference and continued with the next 2 instructions (expanding the templates and updating the remoteaccess-update). I was sure if I was to use your 45AllowIPSECMasq file as is or add the statement "ipchains -I input -j ACCEPT -p udp -s 0/0 500". So I tried it both ways and it still did not work. So this is what my file now looks like.
{
    local %services = ( masq => $masq );
    my $me = "ipsec";
    my $status = db_get_prop(\%services, 'masq', 'status') || "disabled";
    my $loadme = db_get_prop(\%services, 'masq', $me) || "yes";
    if ( ($status eq "enabled") and ($loadme eq "yes") )
    {
        $OUT = <<'HERE';
# Accept incoming ESP packets
# Don't bother about AH packets here, as you can't masq them
/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET -j ACCEPT
/sbin/ipchains -I input -j ACCEPT -p udp -s 0/0 500
HERE
    }
}
-
Nick,
Did you store your new 45AllowIPSecMasq template in the /etc/e-smith/templates-custom/etc/rc.d/init.d/ directory? (Please note the case in the file name - my previous e-mail had a deliberate mistake :-)).
expand-templates will look in the templates-custom directories to look for your changes.
I am using 4.1.2 and am unsure of the differences in this area from 4.1 (they may have fixed some of the other areas, e.g. 45AllowIPSEC).
Good Luck
Trevor B
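
Added example, not written by either poster and not part of e-smith: a shell check run over the three ipchains lines quoted in the templates above. It flags input-chain ACCEPT rules that have no -d restriction, which is the difference between the two rules scoped to $OUTERNET and the extra -I rule (no -d, and inserted at the head of the chain, so it matches UDP from source port 500 to any destination). The function names and the HIGH/WARN labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: review ipchains ACCEPT rules for missing destination scoping.
# Input : ipchains command lines on stdin, as they appear inside a template.
# Output: one line per finding, "<label>: <reason>: <rule>".

audit_ipchains_rules() {
    awk '
    /ipchains/ {
        chain = ""; target = ""; has_dest = 0; inserted = 0
        # Each option of interest is followed by its argument.
        for (i = 1; i < NF; i++) {
            if ($i == "-A" || $i == "--append") chain = $(i + 1)
            if ($i == "-I" || $i == "--insert") { chain = $(i + 1); inserted = 1 }
            if ($i == "-j" || $i == "--jump")   target = $(i + 1)
            if ($i == "-d" || $i == "--destination") has_dest = 1
        }
        # Only unscoped ACCEPT rules on the input chain are findings.
        if (chain != "input" || target != "ACCEPT" || has_dest) next
        if (inserted)
            print "HIGH: no -d, inserted ahead of existing rules: " $0
        else
            print "WARN: no -d destination restriction: " $0
    }'
}

# Constructed sample: the three rule lines from the second template in the thread.
sample_rules() {
    cat <<'EOF'
/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET -j ACCEPT
/sbin/ipchains -I input -j ACCEPT -p udp -s 0/0 500
EOF
}

sample_rules | audit_ipchains_rules
```

The same function can be pointed at an expanded init script, for example with a grep for ipchains lines piped into it.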