Difficulties establishing VPN tunnel with IPNAT

Roger Olofsson raggen at passagen.se
Sun Nov 25 09:46:01 PST 2007 


Jerahmy Pocott skrev:
> 
> On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:
> 
>> Hello Jerahmy, (sorry for top-posting, btw).
>>
>> Gre is protocol 47. In your firewall rules you only allow/block 
>> protocols tcp/udp/icmp. If you want to use PPTP you will need to allow 
>> both the port and the protocol for it.
> 
> I put:
> 
> pass out quick on fxp1 proto gre from any to any keep state
> 
> This allowed the PPTP connection to establish, how ever trying to use apps
> over that connection resulted in:
> 
> fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 
> 57516:33 at 552) IN bad NAT
> 
> By placing to rule:
> 
> pass in quick on fxp1 proto gre from any to any
> 
> and allowing frags everything started working properly, but allowing all 
> gre traffic in doesn't seem
> like a good idea.. Is there any way to make this work without putting 
> static ip address rules or allowing
> all traffic?
> 
> 
>> In your original question you mentioned having problems with CVS. From 
>> the looks of it, you redirect CVS to 10.0.0.2, meaning that all users 
>> on that machine can use CVS.
> 
> The redirect rule is supposed to redirect connections to CVS on the 
> external interface to
> 10.0.0.2 on the internal lan, where the CVS server is actually running.
> 
> Cheers,
> J.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
> 
> 
Hello Jerahmy,

Some progress it seems? Why not set it to allow gre from VPN server 
only? Ie pass in quick on fxp1 proto gre from <vpn server ip> to any?

The way you ask your question, 'make it work without static ip or 
allowing all traffic', isn't that contradictory?

As for the frag part, I'd say that if gre needs frag, then you will have 
to enable it.

About the CVS, I seem to have misunderstood your question. I assumed 
10.0.0.2 wanted to recieve CVS inbound and not serve it outbound, or am 
I mistaking again?

/Roger

More information about the freebsd-questions mailing list