Solved

VPN client getting through Mandrake SNF

Posted on 2002-06-11
5
332 Views
Last Modified: 2013-12-06
Hi,

I’m running a Linux Mandrake Firewall (SNF).
Could someone help me out getting a VPN client through that firewall?
The installation is standard, only thing I configured on the firewall is the Web proxy, the log generators and giving machines access.

I know the Firewall uses NAT. And that’s why the VPN clients don’t get through.
But I know that you could do it by updating the IPchains to version the latest version.
All other internet protocols are no problem, they are using the proxy.

Let me know if you need more info.

You help is much appreciated
cheerio
0
Comment
Question by:TokeMUp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7075101
Could you please provide more detailed information about your VPN client:
  - is it on firewall host itself
  - if not, is it a NATted IP
  - which VPN client is it
  - does it use IPsec
  - which other ports (than 50) are necessary
0
 

Author Comment

by:TokeMUp
ID: 7078041
ahoffmann,

- VPN is used on a client PC (Windows 2000)
- It's using NAT, as far as I know.
- VPN client is Contivity from Nortel.
- It's using IPsec
- Ports: 500 550 I think

Also I've read that I need to upgrade IPchains to version 1.3.10.

Also thats not working out. They made it very user frindly NO RPM. Jest a bunch of files.

Thanks for your help
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 7078535
try if you can switch to iptables (instead of ipchains).

Anyway the rules should look like:

ipchains -A forward -p 50  -d client-ip -j ACCEPT
ipchains -A forward -p 51  -d client-ip -j ACCEPT
ipchains -A forward -p udp -d client-ip --dport 500 -j ACCEPT

rest should be done by your NAT rule.
If something fails, use tcpdump to see which packets want to cross your firewall.
0
 
LVL 1

Expert Comment

by:m4rc
ID: 7150450
what version of SNF are you using?  I am using 7.2, and i can make outgoing VPN connections using checkpoint's SecureClient vpn.

SNF uses bastille linux to create its firewall scripts.  much of this can be tweaked in /etc/bastille-firewall.conf .  the config file is well documented with comments.  you'll prolly need to play w/ the lines like
UDP_PUBLIC_SERVICES=

to allow connections out/in.  i think the best way to troubleshoot it is to make sure you are logging all dropped packets, and just tail -f /var/log/messages, and try the vpn.  see which packets are blocked, then allow them and repeat until it all works.

also, i have a network SNF didnt expect, ie, i have my own internal dns server, so i couldnt tweak the bastille rules to do everything i wanted.  i ended up using ipchains-save to save my current rules to a file, edit them by hand, and use these lines in my rc.local to start the fw

echo "rc.local: activating custom firewall rules in /root/current_ipchains_rules"
if [ -f /root/current_ipchains_rules ];then
        /sbin/ipchains-restore < /root/current_ipchains_rules
        echo "rc.local: ipchains restore done."
fi

0
 

Expert Comment

by:CleanupPing
ID: 9089010
TokeMUp:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
LogmeIn using Linux Ubuntu 16.04 6 175
trouble on installing syslog-ng on CentOS 7 7 150
Internal CA server 6 133
edit firefox cookie settings via shell script on ubuntu 14? 1 69
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question