You need to forward IP protocol type 47 to your internal VPN server as well (GRE)
>From: Miky J <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: I can't vpn !
>Date: Mon, 27 May 2002 18:25:36 +0200 (CEST)
>
>First, thanks to everyone who helped me with the traceroute; I now
>understand much more about how it works.
>Now I am trying to use VPN.
>
>                                          Internet
>windows2k <-----------> mylinuxfirewall <--------------------------------> remote windows station (nt4)
>
>To access the remote windows station I use these rules:
># Allow vpn out
>iptables -A FORWARD -p tcp -s $local --sport 1024:65535 -d $internet --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -p tcp -s $internet --sport 1723 -d $local --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>iptables -A FORWARD -s $local -d $internet -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A FORWARD -s $internet -d $local -m state --state ESTABLISHED -j ACCEPT
>iptables -t nat -A POSTROUTING -s $local -o eth0 -j SNAT --to $extfw
>
>and it seems that it works.
>
>From the remote station (nt4) I try to VPN to my windows2k; I use these rules:
># Allow VPN - in
>iptables -A FORWARD -p tcp -s $internet --sport 1024:65535 -d $local --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -p tcp -s $local --sport 1723 -d $internet --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>iptables -A FORWARD -s $internet -d $local -m state --state RELATED,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -s $local -d $internet -m state --state ESTABLISHED -j ACCEPT
>
>iptables -t nat -A PREROUTING -s $internet -i eth0 -j DNAT --to $vpncomp
>
>but it definitely doesn't work. I tried with tcpdump and iptraf to see if
>there were any incoming packets, but nothing is coming in on eth0 (the external
>interface). I think NAT is working because I can telnet to port 25 of the
>windows2k machine.
>I tried ACCEPT as a default policy but it doesn't work either, so I should
>conclude that it's a routing problem, but since incoming SMTP seems to be
>OK, I don't know what's wrong.
>Any ideas?
