TokeMUp
asked on
VPN client getting through Mandrake SNF
Hi,
I’m running a Linux Mandrake Firewall (SNF).
Could someone help me out getting a VPN client through that firewall?
The installation is standard, only thing I configured on the firewall is the Web proxy, the log generators and giving machines access.
I know the Firewall uses NAT. And that’s why the VPN clients don’t get through.
But I know that you could do it by updating the IPchains to version the latest version.
All other internet protocols are no problem, they are using the proxy.
Let me know if you need more info.
You help is much appreciated
cheerio
I’m running a Linux Mandrake Firewall (SNF).
Could someone help me out getting a VPN client through that firewall?
The installation is standard, only thing I configured on the firewall is the Web proxy, the log generators and giving machines access.
I know the Firewall uses NAT. And that’s why the VPN clients don’t get through.
But I know that you could do it by updating the IPchains to version the latest version.
All other internet protocols are no problem, they are using the proxy.
Let me know if you need more info.
You help is much appreciated
cheerio
ASKER
ahoffmann,
- VPN is used on a client PC (Windows 2000)
- It's using NAT, as far as I know.
- VPN client is Contivity from Nortel.
- It's using IPsec
- Ports: 500 550 I think
Also I've read that I need to upgrade IPchains to version 1.3.10.
Also thats not working out. They made it very user frindly NO RPM. Jest a bunch of files.
Thanks for your help
- VPN is used on a client PC (Windows 2000)
- It's using NAT, as far as I know.
- VPN client is Contivity from Nortel.
- It's using IPsec
- Ports: 500 550 I think
Also I've read that I need to upgrade IPchains to version 1.3.10.
Also thats not working out. They made it very user frindly NO RPM. Jest a bunch of files.
Thanks for your help
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
what version of SNF are you using? I am using 7.2, and i can make outgoing VPN connections using checkpoint's SecureClient vpn.
SNF uses bastille linux to create its firewall scripts. much of this can be tweaked in /etc/bastille-firewall.con
UDP_PUBLIC_SERVICES=
to allow connections out/in. i think the best way to troubleshoot it is to make sure you are logging all dropped packets, and just tail -f /var/log/messages, and try the vpn. see which packets are blocked, then allow them and repeat until it all works.
also, i have a network SNF didnt expect, ie, i have my own internal dns server, so i couldnt tweak the bastille rules to do everything i wanted. i ended up using ipchains-save to save my current rules to a file, edit them by hand, and use these lines in my rc.local to start the fw
echo "rc.local: activating custom firewall rules in /root/current_ipchains_rul
if [ -f /root/current_ipchains_rul
/sbin/ipchains-restore < /root/current_ipchains_rul
echo "rc.local: ipchains restore done."
fi
SNF uses bastille linux to create its firewall scripts. much of this can be tweaked in /etc/bastille-firewall.con
UDP_PUBLIC_SERVICES=
to allow connections out/in. i think the best way to troubleshoot it is to make sure you are logging all dropped packets, and just tail -f /var/log/messages, and try the vpn. see which packets are blocked, then allow them and repeat until it all works.
also, i have a network SNF didnt expect, ie, i have my own internal dns server, so i couldnt tweak the bastille rules to do everything i wanted. i ended up using ipchains-save to save my current rules to a file, edit them by hand, and use these lines in my rc.local to start the fw
echo "rc.local: activating custom firewall rules in /root/current_ipchains_rul
if [ -f /root/current_ipchains_rul
/sbin/ipchains-restore < /root/current_ipchains_rul
echo "rc.local: ipchains restore done."
fi
TokeMUp:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
- is it on firewall host itself
- if not, is it a NATted IP
- which VPN client is it
- does it use IPsec
- which other ports (than 50) are necessary