gopigops
asked on
l2tp vpm
we are not connect l2tp vpn pls help me
config details: This is a config of port forwarding.
-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
config details: This is a config of port forwarding.
-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
You should describe your setup in more details. The config of iptables you are troubleshooting -- is it on the vpn client host, or an intermediate router?
ASKER
we have one server for windows 2003 act as a vpn server
we have one server for redhat act as a firewall
we are unable to connect vpn using l2tp, but pptp vpn works fine
this is a config
-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
we have one server for redhat act as a firewall
we are unable to connect vpn using l2tp, but pptp vpn works fine
this is a config
-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
I would suggest you to sniff the traffic on both interfaces of the firewall and see what packets get blocked when you try to establish the VPN. Check if IKE (UDP 500 or 4500) and IPSEC (ESP).
By the way, UDP 1701 packets travel encapsulated in IPSEC and are invisible to IPTABLES, the corresponding statements in your policy have no effect on L2TP. If you need DNAT, can try to apply it to IKE/ESP traffic.
By the way, UDP 1701 packets travel encapsulated in IPSEC and are invisible to IPTABLES, the corresponding statements in your policy have no effect on L2TP. If you need DNAT, can try to apply it to IKE/ESP traffic.
ASKER
we are unable to connect till now,pls tell me the above config correct or not.If not pls give me a correct config .
And then we have checked the traffic the show ony the isakmp and UDP
Please provide more details about your setup.
What OS do you use as a client? Does the L2TP client software support NAT-T (nat traversal)?
What is IP address of your client?
What IP address your client tries to connect to?
What is the IP address of the interface of your router facing L2TP client?
What is the purpose of DNAT statement, what address translation you are trying to achieve?
What is the IP address of the interface of your router facing L2TP server?
What is the IP address of the L2TP server?
What OS do you use as a client? Does the L2TP client software support NAT-T (nat traversal)?
What is IP address of your client?
What IP address your client tries to connect to?
What is the IP address of the interface of your router facing L2TP client?
What is the purpose of DNAT statement, what address translation you are trying to achieve?
What is the IP address of the interface of your router facing L2TP server?
What is the IP address of the L2TP server?
ASKER
ok i give
1.windows vista
2.public ip (internet work no issues)
3.public ip 12.12.12.2 (example)
4.12.12.12.2
5.
6.12.12.12.2
7.192.168.200.1 (windows 2003 server)
1.windows vista
2.public ip (internet work no issues)
3.public ip 12.12.12.2 (example)
4.12.12.12.2
5.
6.12.12.12.2
7.192.168.200.1 (windows 2003 server)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
we understand the IPSEC servers behind NAT.thanks..
ASKER
thanks..