ScoobyNet.com - Subaru Enthusiast Forum (https://www.scoobynet.com/)
Non Scooby Related: MS PPTP VPNs and NAT (https://www.scoobynet.com/non-scooby-related-4/57280-ms-pptp-vpns-and-nat.html)

dsmith 01 December 2001 08:41 PM

Trying to sort out some Internet sharing for my parents' PCs. I've got smoothwall running on an old 486 beautifully with a std dial-up ISP account. All standard web access works a treat.

Unfortunately my Dad has a MS VPN connection to work. This works just fine from his PC with a normal internet connection (same dial-up account/modem/ISP etc. as the smoothwall box) but fails miserably to connect via the Smoothwall.

I guess it must be the NAT on the smoothwall box that is killing it. I've done a tcpdump and the connection is hitting the smoothwall and being natted fine. The right module is loaded to nat (masquerade) the pptp connection and looks like it is being used. But the connection just never happens. From the tcpdump it looks like the VPN server never replies. (it pings just fine though). The smoothwall box is just a cut down linux kernel 2.2.something.

Has anybody got a standard MS VPN client to connect through a NAT router/firewall/linux box etc.? Does PPTP checksum the packets so that NAT will kill it?

Any tips on how to get it going?

Client is Win98SE

Ta

Deano



stevem2k 01 December 2001 10:13 PM

Just a couple of daft questions while I wade through the smoothwall 'users' mail archive ...

Is TCP port 1723 open? Have you forwarded PROTOCOL 47 (GRE) as well (see below)?

Put this line at the very bottom of the /etc/rc.d/rc.network file and reboot:

/usr/local/bin/ipfwd --masq PPTP_SERVER_IP 47 &


SteveM




dsmith 04 December 2001 12:16 AM

Steve

Also poking through the list archives (by mailing the list for 100 replies at a time zzzzzzz). Have you found a web-based archive?

Digging through the setup files all outbound ports are open and protocol 47 is masqueraded. An lsmod gives masq_pptp as loaded.

I think the problem may be the other end. A telnet on port 1723 from the smoothwall box itself connects the basic TCP session OK. There is no NAT and the source port is in the low 1000s, e.g. 1283.

A telnet from a box behind the smoothwall is natted and fails even to connect at the TCP level. tcpdump shows no return packets. The source port is masqueraded to the high 60000s, e.g. 61024.

I suspect the F/W the other end may have a slight config oddity which restricts the source ports connecting through to dest port 1723. God knows why or how.

I'll try and get nmap on an appropriate box and poke around the f/w with different source ports.

Dean
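Added illustration of the troubleshooting method in the posts above (mine as editor, not code from any poster or from smoothwall): a PPTP session has two halves, the TCP 1723 control channel and the GRE (IP protocol 47) tunnel, and a tcpdump on the NAT box tells you which half is failing. The script below classifies simplified, constructed tcpdump-style lines (old tcpdump letter flags, 203.0.113.10 as the masqueraded address, 198.51.100.5 as the PPTP server; all constructed) into the cases discussed in this thread: SYN to 1723 never answered, control channel up but GRE only going out, or everything flowing.

```python
import re
from dataclasses import dataclass

PPTP_PORT = 1723  # PPTP control connection (TCP); the tunnel itself is GRE, IP protocol 47

# Simplified tcpdump-style lines, constructed for this example (not a real capture).
#   TCP: "<time> <src>.<sport> > <dst>.<dport>: <flags> ... [ack N] ..."  (S = SYN, . = ACK only)
#   GRE: "<time> <src> > <dst>: GRE ..."
TCP_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)$")
GRE_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): GRE")


@dataclass
class PptpTrace:
    server: str
    control_syn: int = 0      # client SYNs towards TCP 1723
    control_synack: int = 0   # SYN-ACKs back from the server
    gre_out: int = 0          # GRE packets towards the server
    gre_in: int = 0           # GRE packets back from the server


def parse_trace(lines, server):
    """Count the four packet kinds that matter for a PPTP session to 'server'."""
    t = PptpTrace(server)
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags, rest = m.groups()
            if dst == server and int(dport) == PPTP_PORT and "S" in flags and " ack " not in rest:
                t.control_syn += 1
            elif src == server and int(sport) == PPTP_PORT and "S" in flags and " ack " in rest:
                t.control_synack += 1
            continue
        m = GRE_RE.match(line)
        if m:
            src, dst = m.groups()
            if dst == server:
                t.gre_out += 1
            elif src == server:
                t.gre_in += 1
    return t


def diagnose(t):
    if t.control_syn == 0:
        return "no-attempt"            # client never tried: look at the client/routing, not the NAT
    if t.control_synack == 0:
        return "control-unanswered"    # SYN to TCP 1723 gets no reply: filtering at the far end or NAT state
    if t.gre_out == 0:
        return "control-only"          # control channel up but no tunnel traffic: client-side problem
    if t.gre_in == 0:
        return "gre-return-missing"    # GRE leaves but nothing returns: protocol 47 not masqueraded/forwarded
    return "ok"


# Constructed samples: 203.0.113.10 is the masqueraded (NAT) address, 198.51.100.5 the PPTP server.
SERVER = "198.51.100.5"
TRACE_UNANSWERED = [   # the symptom in this thread: SYN retries towards 1723, nothing back
    "00:00:01.000 203.0.113.10.61024 > 198.51.100.5.1723: S 1000:1000(0) win 8192",
    "00:00:04.000 203.0.113.10.61024 > 198.51.100.5.1723: S 1000:1000(0) win 8192",
    "00:00:10.000 203.0.113.10.61024 > 198.51.100.5.1723: S 1000:1000(0) win 8192",
]
TRACE_GRE_BLOCKED = [  # control channel completes, but GRE is one-way
    "00:00:01.000 203.0.113.10.61024 > 198.51.100.5.1723: S 1000:1000(0) win 8192",
    "00:00:01.050 198.51.100.5.1723 > 203.0.113.10.61024: S 2000:2000(0) ack 1001 win 8192",
    "00:00:01.060 203.0.113.10.61024 > 198.51.100.5.1723: . ack 2001 win 8192",
    "00:00:02.000 203.0.113.10 > 198.51.100.5: GRE",
    "00:00:05.000 203.0.113.10 > 198.51.100.5: GRE",
]
TRACE_OK = TRACE_GRE_BLOCKED + ["00:00:02.020 198.51.100.5 > 203.0.113.10: GRE"]

if __name__ == "__main__":
    for name, trace in (("unanswered", TRACE_UNANSWERED), ("gre-blocked", TRACE_GRE_BLOCKED), ("ok", TRACE_OK)):
        print(name, "->", diagnose(parse_trace(trace, SERVER)))
```

The point of separating the two halves: a missing SYN-ACK on 1723 (the case in the post above) is not a GRE/masq_pptp problem at all, because the GRE tunnel is only set up after the control channel is established, so the thing to check is what the far end does with the masqueraded source address and port.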

dowser 04 December 2001 06:20 AM

Have you set up the NAT in the arp cache of the internal interface on the f/w (so that it answers arp requests for this address)? Sounds like the 1st packet gets through and the internal host tries to respond with an arp request... that isn't answered. Sniffer software will confirm.

Richard

dsmith 04 December 2001 11:05 AM

The arps all work OK. Standard web browsing, ftp, ping all work fine from the clients inside the firewall. It's just no connection on port 1723 for pptp.

I guess I could set up a box with win2k server here and see if I can connect to that across the firewall... Hmmm, where are those CDs.

kryten 04 December 2001 12:07 PM

Er, does smoothwall directly support NATted VPN connections?

The problem is usually that while the packets get through, the whole NAT thing changes the IP address, which invalidates all the checksums on the packet.

The device at the other end gets sent 'duff' packets and ignores them.

I can do everything fine on my router except VPN if I have it doing NAT as it doesn't support the ipsec tunnel.

David_Wallis 04 December 2001 12:19 PM

Is the NAT f*7cking things up, in that they have only allowed him to connect from a specific IP address...

David

stevem2k 04 December 2001 10:09 PM

dsmith,

There's a full VPN guide about to go up on the smoothwall site.
Should have some NAT troubleshooting content.

Steve

roadrunner 05 December 2001 01:54 PM

Deano - let me know if you want some good IPSec/VPN guides.

rr

ptholt 05 December 2001 02:33 PM

I was looking into this, and from what I could see there's currently no software-based VPN that appears to cope with NAT due to specific IP addressing...

Am hoping someone's gonna shout out and tell me otherwise, but I'm struggling to find anything.

dsmith 05 December 2001 02:42 PM

There is no doubt that PPTP client-to-server VPN can work through NAT if the NAT server does it properly - there is a linux masquerade module to do it and other people have (allegedly) got it to work + I know for a fact that this connection is natted by FW-1 on the way in to the server end. Cisco IOS can also nat PPTP connections.

In general many VPN solutions do fail due to NAT. (We have just gone through this for a new application.) One of the primary purposes of VPN is to prevent IP packets being tampered with. The primary role of NAT is to tamper with IP packets. Which is the fundamental conflict.

I believe IPSec has two modes, one of which can be made to work through NAT if care is taken with key transfers.

This article has some interesting pointers: http://www.isp-planet.com/technology/nat_ipsec.html
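Added worked example of the "VPN prevents tampering, NAT tampers" conflict from the post above and the "NAT invalidates the checksums" point made earlier in the thread (editor's code, not from any poster or from smoothwall). The TCP checksum covers a pseudo-header containing the IP addresses, so a NAT that rewrites the source address without recomputing it produces exactly the 'duff' packets described; a proper NAT can recompute it because the checksum is unkeyed. An IPsec AH-style integrity value is keyed and also covers the IP addresses, so no NAT in the path can fix it up, which is the conflict being described. Addresses, ports and the HMAC key are constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # RFC 793 pseudo-header: the TCP checksum deliberately covers both IP addresses
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip, dst_ip, segment_with_zero_csum):
    data = pseudo_header(src_ip, dst_ip, len(segment_with_zero_csum)) + segment_with_zero_csum
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_valid(src_ip, dst_ip, segment):
    # summing pseudo-header plus the whole segment (checksum field included) must give all ones
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def make_tcp_segment(src_ip, dst_ip, sport, dport, payload):
    # minimal 20-byte header: ports, seq, ack, data offset 5, flags PSH|ACK, window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def nat_rewrite_source(src_ip, dst_ip, segment, new_src_ip, fix_checksum):
    """Model a NAT gateway swapping the IP source; a correct one also recomputes the TCP checksum."""
    if not fix_checksum:
        return segment                      # naive NAT: checksum still reflects the old source address
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(new_src_ip, dst_ip, zeroed)) + zeroed[18:]


# IPsec AH analogue: the integrity check value is keyed and covers the IP addresses as well as the
# payload, so a NAT cannot recompute it. KEY is a constructed placeholder shared secret.
KEY = b"constructed-demo-key"


def ah_icv(src_ip, dst_ip, payload):
    return hmac.new(KEY, socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload, hashlib.sha256).digest()


def ah_valid(src_ip, dst_ip, payload, icv):
    return hmac.compare_digest(ah_icv(src_ip, dst_ip, payload), icv)


def demo():
    inside, server, masq = "192.168.0.10", "198.51.100.5", "203.0.113.10"   # constructed addresses
    seg = make_tcp_segment(inside, server, 1283, 1723, b"PPTP control channel")
    naive = nat_rewrite_source(inside, server, seg, masq, fix_checksum=False)
    fixed = nat_rewrite_source(inside, server, seg, masq, fix_checksum=True)
    payload = b"tunnelled data"
    icv = ah_icv(inside, server, payload)
    return {
        "original_valid": tcp_checksum_valid(inside, server, seg),
        "naive_nat_valid": tcp_checksum_valid(masq, server, naive),   # wrong checksum: receiver drops it
        "fixed_nat_valid": tcp_checksum_valid(masq, server, fixed),   # proper NAT: still valid
        "ah_before_nat_valid": ah_valid(inside, server, payload, icv),
        "ah_after_nat_valid": ah_valid(masq, server, payload, icv),   # source changed, no key to re-sign
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The IPsec "mode" remark in the post maps onto the same distinction: AH authenticates the outer IP header and so cannot survive NAT, whereas ESP leaves the outer header unprotected, which is why ESP-based setups (with extra care for the key exchange) are the ones that can be made to work through a NAT.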


dowser 05 December 2001 03:03 PM

A lot of the VPN problems I've come across are related to cable modem providers - they generally NAT their cable modem network onto the Internet & it depends how they do the UDP traffic.

I've a list of OK providers somewhere, I'll try to dig it out if you're trying to do it via cable modem?

Richard




© 2024 MH Sub I, LLC dba Internet Brands