Thank You for Your time and answer, Joe:

> You also need the same forwarding for the GRE tunnel (IP protocol 47)
> (the conntrack modules just record links between protocols, they
> don't add forwarding by themselves):
> -A FORWARD -p 47 -s 192.168.0.0/24 -d VPN_SERVER_IP -j ACCEPT

Ok, I have loaded the rule.

> Good question. I suspect if you install iptables, Debian will add the
> common conntrack modules by itself, and some may now be built into
> the core netfilter code. I'm fairly sure I don't have any explicit
> configuration, but lsmod shows nf_conntrack and a number of other nf_
> and iptables-related modules installed. Add the GRE forwarding first,
> and see if that works.

This is what I have loaded currently (nf_*) with the rules I have finally (Yours and mine):

nf_nat
nf_conntrack_ipv4
nf_conntrack

As you can see, there are no pptp- or gre-related modules.

> Have you checked whether the VPN works without a firewall in between?

Well. From a local host, not yet. From the firewall I did try with telnet to connect on the port, and it does. Further, I do not know which commands to use for testing, though I do not think it is necessary; I guess the most important thing is to dump the connection between the server and client in order to see which additional ports may be necessary to forward. I have written here with the hope that there is some successful experience with this MS invention (pptp) in Linux. So I thought maybe You have the knowledge: which ports to forward, which modules available in Debian to load for the work. Still, if there is no such knowledge, any help will be appreciated.

Thanks again, Joe, for Your extended answer on my question and the MS VPN itself. I do appreciate it much.

> If you aren't familiar with the MS PPTP VPN, the first contact is
> made using TCP/1723, over which the GRE encryption negotiation
> occurs. The first data sent through the tunnel is the user
> authentication handshake, so if the user is seeing a claim that the
> VPN is connected but then there is a timeout after a failure to
> authenticate, this is a sign that TCP/1723 is OK, but GRE is not.

Do they have in M$ Windows any logging (speaking about the standard VPN client) so that the fact of connection and then the authentication process can be seen? So that a person who sits at such a machine can answer what they see there.

> By the way, if you connect VPNs between different sites, watch the IP
> network address, which must be different for all client-server pairs.
> The 192.168.0., 192.168.1. and 192.168.16. networks are in very
> common use, and you might want to avoid them.

Could You please explain this paragraph a bit more? I did not understand which sites You mean and, further, about the pairs.

Archive: http://lists.debian.org/4ca0a79e.4411df0a.4c69.7...@mx.google.com
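The rule set Joe describes in the quoted text (TCP/1723 for the control channel, IP protocol 47 for the GRE data channel, plus the PPTP conntrack helpers that the poster's lsmod output lacks) is easiest to reason about as one small script. The following is an added example written for this thread, not code posted by Joe or the original poster and not a Debian-provided script. It generalises Joe's single `-p 47` rule to a stateful pair of FORWARD rules bound to interfaces, adds the NAT rule a LAN behind the firewall needs, and checks whether the `nf_conntrack_pptp` and `nf_nat_pptp` helper modules are loaded. The network, address and interface names (192.168.0.0/24, 203.0.113.5, eth1, eth0) are placeholders for this example, not values from the thread.

```shell
#!/bin/sh
# Added example for the debian-user PPTP thread; not the thread's own config.
# Placeholders (assumptions, override via environment):
#   LAN_NET       inside network whose clients dial the PPTP server
#   VPN_SERVER_IP the external PPTP server
#   LAN_IF/WAN_IF firewall interfaces facing the LAN and the Internet
LAN_NET=${LAN_NET:-192.168.0.0/24}
VPN_SERVER_IP=${VPN_SERVER_IP:-203.0.113.5}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}

# FORWARD rules PPTP needs: the TCP/1723 control session and the GRE
# (IP protocol 47) tunnel outbound, and only reply traffic of those
# sessions inbound. Without the conntrack helper below, GRE replies are
# not seen as RELATED and the user gets "connected" followed by an
# authentication timeout, as Joe describes.
pptp_forward_rules() {
    lan_net=$1; vpn_ip=$2; lan_if=$3; wan_if=$4
    cat <<EOF
-A FORWARD -i $lan_if -o $wan_if -p tcp -s $lan_net -d $vpn_ip --dport 1723 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -p 47 -s $lan_net -d $vpn_ip -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -s $vpn_ip -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# NAT rule for a LAN hidden behind the firewall's WAN address. GRE has no
# ports, so NAT of several simultaneous PPTP clients relies on nf_nat_pptp.
pptp_nat_rules() {
    lan_net=$1; wan_if=$2
    printf -- '-t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$wan_if" "$lan_net"
}

# Kernel modules that provide PPTP/GRE connection tracking and NAT on
# Debian kernels; modprobe pulls in their GRE dependencies.
pptp_helper_modules() {
    printf '%s\n' nf_conntrack_pptp nf_nat_pptp
}

# Report which helper modules are not loaded (reads /proc/modules, like
# lsmod does). Returns 1 if anything is missing, 0 if all are present.
pptp_helpers_loaded() {
    missing=0
    for m in $(pptp_helper_modules); do
        if ! grep -q "^$m " /proc/modules 2>/dev/null; then
            echo "missing module: $m"
            missing=1
        fi
    done
    return $missing
}

# Dry run by default; load the rules only when run as root with --apply.
if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    pptp_helpers_loaded || modprobe $(pptp_helper_modules)
    pptp_forward_rules "$LAN_NET" "$VPN_SERVER_IP" "$LAN_IF" "$WAN_IF" |
        while read -r rule; do iptables $rule; done
    iptables $(pptp_nat_rules "$LAN_NET" "$WAN_IF")
else
    echo "# dry run; rerun as root with --apply to load these rules:"
    pptp_forward_rules "$LAN_NET" "$VPN_SERVER_IP" "$LAN_IF" "$WAN_IF" | sed 's/^/iptables /'
    pptp_nat_rules "$LAN_NET" "$WAN_IF" | sed 's/^/iptables /'
    pptp_helpers_loaded || echo "# load with: modprobe $(pptp_helper_modules | tr '\n' ' ')"
fi
```

The script assumes the firewall's FORWARD chain otherwise drops traffic, which is why the return rule is restricted to ESTABLISHED,RELATED. One caveat worth knowing before relying on the helper check: on kernels from 4.7 onward conntrack helpers are no longer assigned automatically, so after loading `nf_conntrack_pptp` a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp` is also needed; on the 2.6-era kernel discussed in the thread, loading the module was enough.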