How To Run a Windows VPN Through FREESCO 0.3.8

Support section for FREESCO v0.3.x

Postby matcarls » Thu Aug 14, 2008 11:37 am

Hi

I have been using Freesco since 0.2.7 and it has always run perfectly well. The only exception was when I had some bad hardware that hung whenever it felt like it.
Recently I upgraded from 0.3.7 to 0.3.8. The 037 had an uptime of almost 500 days!
I have over the years tried the following setup, but so far no luck. Now I really need this.

Windows XP client sitting somewhere => Internet => Freesco => Windows 2003 VPN server

The server says something about the firewall not being configured to allow GRE packets (protocol 47).
I thought it would run like a charm now that I have upgraded to 038. I have searched all over the forum, but no luck. One problem is that I cannot search for the word "vpn" as it is too short. I tried to download ipfwd and run it for protocol 47, but it does not seem to help. I know the Windows server is set up OK. It works from eth2 to eth1; those are trusted networks. But from eth0 to eth1 it won't work. I can also connect from behind Freesco to any VPN, PPTP, IPsec or whatever. I have changed the kernel to kernel-038.cd-586-triton-vipc-power_off.

The nets in Freesco looks like this:

Eth0 = Internet public ip
Eth1 = Inside net with win2003 server
Eth2 = Another net with other stuff. Just for routing between eth1 and eth2. No internet access used through here.

As you might guess from the attached report.txt, the address of the VPN server is 192.168.129.5 and our public IP is 213.142.18.115.

Please bring me some light in this subject. I think I'm going nuts !

Cheers
/ Mattias

Postby Lightning » Thu Aug 14, 2008 6:50 pm

matcarls wrote: I tried to download ipfwd and run for protocol 47.

ipfwd is included in 038 by default, so downloading/installing it is not necessary.
I also do not see an attached report.txt, but in this case I am not sure whether that would really help or not. I recommend initializing and running ipfwd in masquerade mode for protocol 47 to the internal IP address of that machine. You also need to forward TCP port 1723 to that machine. ALL of the 038 kernels already include IPSEC support, so any 038 kernel should support what you need. I would also recommend setting the firewall in "s" symmetric mode to try and resolve any other issues.

Postby matcarls » Wed Aug 27, 2008 2:29 am

Hi there again.

This VPN project has been down for a while. I had to wait for the Windows guy to make sure the VPN server is OK. We changed from the Freesco router to a Linksys just to test, and then it all worked. So there must be something with the Freesco. It doesn't help running ipfwd -m 192.168.129.5 47. It says something in the log about no entry in the masq table. I don't know what happened to the report.txt last time. This time it should work.
Hopefully you have some trick up your sleeve.

Thanks for any help.
/ Mattias

Postby phillipsjk256 » Thu Aug 28, 2008 3:59 pm

I don't know if it is supported by the code, but you may need something like this:

#----- cat /etc/portfw.cfg | sed s/\#.*//g -----

tcp,1433,1433,192.168.129.5
tcp,25,25,192.168.129.3
tcp,80,80,192.168.129.3
tcp,21,-22,192.168.129.3
tcp,1723,1723,192.168.129.5
#GRE protocol; all ports
47,0,-65535,192.168.129.5

According to the ipfwadm Mini Howto (http://www.freesco.org/support-forum/index.php?showtopic=7827), your choices of protocol are:

The Protocol identifier (-P)

-P      The actual protocol used in the rule (if any)

The Protocol (tcp)

tcp     The rule is used for TCP protocol
udp     The rule is used for UDP protocol
icmp    The rule is used for ICMP protocol
all     The rule is used for ALL protocols

Those may be user-friendly aliases, I don't know.

Regards,

James Phillips

PS: If I did not Google "Protocol 47", I would have looked like a total idiot.
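The two pieces of advice so far, forward TCP/1723 and pass protocol 47 to the same inside host, are exactly the kind of thing that gets half-done in a hand-edited config. The following is an added example (not FREESCO's code) that parses entries in the portfw.cfg layout quoted above and reports the PPTP-specific mistakes: a raw-protocol entry that no port rule can match, or 1723 without GRE. The field meaning "proto,ext_port,internal_port_or_-range_end,target" is an assumption read off the sample; whether FREESCO itself accepts 47 in the first field is not something this code can settle. The sample config is constructed from the post above.

```python
"""Parse and sanity-check FREESCO-style portfw.cfg entries (added example).

Assumed format, taken from the sample in the post: "proto,ext_port,X,target"
where X is the internal port (plain number) or, with a leading '-', the end
of an external port range. Not FREESCO's own parser.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_PROTOCOLS = {"tcp": 6, "udp": 17}   # the only protocols that carry ports
GRE = 47
PPTP_CONTROL_PORT = 1723

# Constructed sample: the entries quoted in the post above.
SAMPLE_CFG = """\
tcp,1433,1433,192.168.129.5
tcp,25,25,192.168.129.3
tcp,80,80,192.168.129.3
tcp,21,-22,192.168.129.3
tcp,1723,1723,192.168.129.5
#GRE protocol; all ports
47,0,-65535,192.168.129.5
"""


@dataclass
class Rule:
    proto: str                # "tcp", "udp" or a raw IP protocol number as text
    proto_num: int
    ext_lo: int               # external port (range start)
    ext_hi: int               # external port (range end; == ext_lo for one port)
    int_port: Optional[int]   # remapped internal port; None = same as external
    target: str               # inside host the traffic is sent to

    @property
    def has_ports(self) -> bool:
        """GRE, ESP and friends have no port field; a port rule cannot match them."""
        return self.proto_num in PORT_PROTOCOLS.values()


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_rule(line: str) -> Rule:
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected proto,ext,int_or_range,target: {line!r}")
    proto, lo, hi, target = fields
    proto = proto.lower()
    if proto in PORT_PROTOCOLS:
        proto_num = PORT_PROTOCOLS[proto]
    elif proto.isdigit() and int(proto) <= 255:
        proto_num = int(proto)
        proto = str(proto_num)
    else:
        raise ValueError(f"unknown protocol: {proto!r}")
    ext_lo = _port(lo)
    if hi.startswith("-"):               # "21,-22" -> external range 21..22
        ext_hi, int_port = _port(hi[1:]), None
        if ext_hi < ext_lo:
            raise ValueError(f"inverted port range: {lo}..{hi[1:]}")
    else:                                # "1433,1433" -> ext 1433 to int 1433
        ext_hi, int_port = ext_lo, _port(hi)
    ipaddress.IPv4Address(target)        # rejects typos such as 192.168.129
    return Rule(proto, proto_num, ext_lo, ext_hi, int_port, target)


def parse_cfg(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # same effect as the sed in the post
        if line:
            rules.append(parse_rule(line))
    return rules


def audit(rules: List[Rule]) -> List[str]:
    """Findings a PPTP-behind-NAT setup trips over: returns one string each."""
    findings = []
    ctl_targets = {r.target for r in rules
                   if r.proto == "tcp" and r.ext_lo <= PPTP_CONTROL_PORT <= r.ext_hi}
    gre_targets = {r.target for r in rules if r.proto_num == GRE}
    for r in rules:
        if not r.has_ports:
            findings.append(
                f"protocol {r.proto_num} -> {r.target}: this protocol has no port "
                f"field, so a port-forward entry cannot match it; it needs a "
                f"protocol-level forward (the thread's ipfwd -m {r.target} {r.proto_num})")
    for t in sorted(ctl_targets - gre_targets):
        findings.append(f"TCP/{PPTP_CONTROL_PORT} -> {t} has no GRE (47) rule: the "
                        f"control channel will connect but tunnel data will not flow")
    for t in sorted(gre_targets - ctl_targets):
        findings.append(f"GRE -> {t} has no TCP/{PPTP_CONTROL_PORT} rule: the PPTP "
                        f"control channel cannot be reached")
    return findings


if __name__ == "__main__":
    for rule in parse_cfg(SAMPLE_CFG):
        print(rule)
    for finding in audit(parse_cfg(SAMPLE_CFG)):
        print("WARN:", finding)
```

Run against the sample, the only finding is the one about the 47 line: a port forwarder has nothing to key on for GRE, which is why Lightning's advice pairs the 1723 forward with ipfwd in masquerade mode rather than a second port rule.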

Postby matcarls » Tue Sep 02, 2008 2:03 am

Hi and thanks a lot for your hints.
I have been really busy with other things lately. I have not been able to test anything from the latest post. I will be traveling for a few weeks now. I will continue with this at the beginning of October. Meanwhile there is a hardware router doing the job. I will go back to Freesco as soon as possible.

If there is anyone out there with a Windows server, a Freesco and a VPN connection from outside, I would really like some comments on how you made it work. I can't be that unique, can I?

Thanks for the input so far, and everybody keep up your good work.

/ Mattias C

Postby ken-neptune » Wed Nov 05, 2008 5:00 pm

No, you aren't unique.

I can't get it working either: same scenario, trying to access my VPN server from outside my network. I can't establish a PPTP connection, but I can establish an L2TP connection; however, I don't want to always have to faff around with machine certificates, etc., just to grab a file off my server.

Similar network, but using Freesco 0.3.8, and windoze 2000 advanced server, I get the same errors about missing masq table entries.

Freesco is about as patched as it can be, I think everything is port forwarded properly, "ipfwd -m 10.10.10.1 47 &" has been entered from a putty console and freesco indicates it's active, firewall is in 's' mode.

Above and beyond providing my own dns via windoze 2000, my routers name , domain name, and the running of samba, everything (I think) is about as default as it was when downloaded.

BTW, yes, I know my Freesco DNS is not in stealth mode; for whatever reason, if I stealth it or turn it off, my win2K DNS won't function properly for root server lookups due to the now blocked port.
I've yet to attempt twiddling with firewall rules to allow my DNS to work, with freesco's turned off. So, it's just easier this way for now.

I'm at a total loss as to what else I need to do, to achieve this apparently simple task, and cannot seem to find any one complete set of understandable directions, that actually achieve anything.

If I swap the Freesco box for a soho router, pptp works as advertised, but, I don't want to use a rubbish little shop bought router!

I really don't want to give up on Freesco just because this one thing doesn't turn out to be as easy as it seems it should be.

Report (hopefully attached) generated from a putty console, so I don't know if it's as complete as it should be.

TTFN, Ken Phillips

Postby dingetje » Wed Nov 05, 2008 6:24 pm

Is installing PopTop on FREESCO an option? That would turn FREESCO into a VPN server and eliminate the need for port forwarding.

Postby ken-neptune » Wed Nov 05, 2008 7:02 pm

Dingetje

Hi there,

You are right, it would eliminate the current headaches with port and protocol forwarding, but possibly (probably even) create an even bigger one, with then having to tightly integrate Freesco into my already nicely working Active Directory domain.

I'm semi there already I suppose, using my domain controller as a catch-all DNS server; Freesco could get workstation names, IPs, etc. that way. However, I'm unclear how PoPToP could function to replace my existing and functioning VPN server without Freesco actually being my main DHCP, DNS, whatever; and I've never been able to get Samba working any better than the 'just about working to access most shares unreliably' stage, beyond that it either breaks something on my windoze, or just doesn't work at all :wacko: .

It seems that so many people are having this issue with GRE 47 packets, and that a working solution ought to be findable. PoPToP does look intriguing though, and is definitely going to be investigated at some point.

Best wishes, Ken

Postby matcarls » Thu Nov 06, 2008 3:12 am

Hi there

I thought I wouldn't be alone on this. I still haven't got it working though. I ended up using a Linksys box with a Linux firmware. That is not at all what I want. The Freesco box stands there waiting to be hooked up again. But I just can't get this VPN through it. So until someone finds a solution to it I guess I have to use the Linksys.

Cheers
Mattias

Postby dingetje » Fri Nov 07, 2008 4:26 am

Just to rule out kernel problems, what output does the following command generate?

[root@Freesco] grep -i masq /proc/ksyms


0015eb40 register_ip_masq_app
0015eba4 unregister_ip_masq_app
0015f2c8 ip_masq_skb_replace
0015b1ac ip_masq_out_get_ipsec
0015aeac ip_masq_in_get_ipsec
0015b230 ip_masq_out_get_isakmp
0015af84 ip_masq_in_get_isakmp
0015c2a8 ip_fw_masq_esp
0015c950 ip_fw_demasq_esp
0015bbb8 ip_fw_masq_gre
0015be68 ip_fw_demasq_gre
0015bee8 ip_masq_pptp
0015b8f8 ip_masq_new
0015bb18 ip_masq_set_expire
001e059c ip_masq_free_ports
001e0620 ip_masq_expire
0015abb0 ip_masq_hash
0015ac68 ip_masq_unhash
0015b0a8 ip_masq_out_get_2


The addresses may be different, but you should get to see:
  • IPsec masquerade: ip_masq_out_get_isakmp, ip_masq_in_get_isakmp, ip_fw_masq_esp and ip_fw_demasq_esp
  • PPTP masquerade: ip_fw_masq_gre and ip_fw_demasq_gre
  • PPTP Call-ID masquerade: ip_masq_pptp
Source: http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-3.html
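The symbol list above separates plain GRE masquerade (ip_fw_masq_gre) from "PPTP Call-ID masquerade" (ip_masq_pptp), and that split is the whole problem behind the "no entry in masq table" message quoted earlier in this thread. GRE has no port numbers, so the only per-session identifier in a PPTP data packet is the Call ID in the enhanced GRE header (RFC 2637), and the router only learns which Call ID belongs to which inside host by watching the TCP/1723 control channel. The block below is an added example, not FREESCO's or the Linux 2.0 kernel's code: it parses and builds the RFC 2637 GRE header and models the Call-ID table as a dictionary. The table layout, the peer addresses and the "static target" fallback (modelling a forward-everything-47-to-one-host rule) are assumptions made for illustration.

```python
"""PPTP data channel: enhanced GRE (RFC 2637) header handling and a toy
model of a Call-ID keyed masquerade table. Added example; not the kernel's
or FREESCO's code, and the table only models the bookkeeping.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PPP_ETHERTYPE = 0x880B   # protocol type PPTP puts in the GRE header
FLAG_K = 0x2000          # Key (Call ID) present; always set for PPTP
FLAG_S = 0x1000          # sequence number present
FLAG_A = 0x0080          # acknowledgement number present
VERSION_MASK = 0x0007    # enhanced GRE is version 1


@dataclass
class GreV1:
    call_id: int            # the receiver's Call ID for this session
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes          # the PPP frame


def build_gre_v1(call_id: int, payload: bytes,
                 seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Serialise a PPTP GRE packet: 8-byte base header, optional seq/ack."""
    flags = FLAG_K | 1                       # K bit and version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, PPP_ETHERTYPE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre_v1(pkt: bytes) -> GreV1:
    """Parse a PPTP GRE packet, rejecting anything that is not RFC 2637 GRE."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & VERSION_MASK) != 1 or proto != PPP_ETHERTYPE or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & FLAG_A:
        if len(pkt) < off + 4:
            raise ValueError("truncated acknowledgement number")
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than declared length")
    return GreV1(call_id, seq, ack, payload)


class GreMasqTable:
    """Toy model of what a PPTP-aware masquerade table must do for an inside
    VPN server. Real entries are learned by snooping the TCP/1723 control
    channel (the server's Call ID in its Outgoing-Call-Reply); without an
    entry the router has nothing to match an inbound GRE packet against."""

    def __init__(self, static_target: Optional[str] = None):
        self._entries: Dict[Tuple[str, int], str] = {}
        # Assumption for illustration: models "send every protocol-47 packet
        # with no table entry to this one inside host".
        self._static_target = static_target

    def learn_call(self, peer_ip: str, inside_ip: str, inside_call_id: int) -> None:
        self._entries[(peer_ip, inside_call_id)] = inside_ip

    def end_call(self, peer_ip: str, inside_call_id: int) -> None:
        self._entries.pop((peer_ip, inside_call_id), None)

    def route_inbound(self, peer_ip: str, raw_gre: bytes) -> Optional[str]:
        """Inside host to deliver to, or None (the 'no entry in masq table' case)."""
        try:
            gre = parse_gre_v1(raw_gre)
        except ValueError:
            return None
        return self._entries.get((peer_ip, gre.call_id), self._static_target)


if __name__ == "__main__":
    # Constructed traffic: an outside PPTP client at 198.51.100.7 talking to
    # the inside server 192.168.129.5, which chose Call ID 9 on the control channel.
    table = GreMasqTable()
    pkt = build_gre_v1(9, b"\xff\x03\xc0\x21", seq=1)
    print("before control channel:", table.route_inbound("198.51.100.7", pkt))
    table.learn_call("198.51.100.7", "192.168.129.5", 9)
    print("after control channel: ", table.route_inbound("198.51.100.7", pkt))
```

Two things the model makes visible: first, the inbound TCP/1723 forward must exist before GRE can ever be matched, because the table is filled from that channel; second, a static protocol-47 forward sidesteps the table but can only ever name one inside host, which is fine for a single VPN server and useless for several.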

Postby ken-neptune » Thu Jan 15, 2009 5:58 pm

Hi dingetje,

Back to this old chestnut again, I'm running PoPToP now, so it's sort of worked around (just have to remember lan ip addresses for now), now running Freesco 0.4.0, now using the ext2 file system on my HDD, but, the same lack of incoming forwarding of Gre 47 packets is prevalent, both with the default kernel and kernel-040.686-vipc-cd-triton-power_off (which I'm running now), this would be a showstopper if it wasn't for PoPToP.

I've tried that test you suggested with the following result - "sed: can't open masq".

I looked at the site you referenced, and the other suggested method (as I understand) of disclosing pptp support, lsmod, fails to show ip_masq_ipsec or ip_masq_pptp in the output.

Daft and possibly hard to answer question; is everything enabled in kernel 2.0.40 that should be? Any easy, relatively idiot proof way to find out? And if it needs enabling, any way a windoze dependent idiot (me :wacko: ) could do it without needing therapy, or too much hand holding.

New report attached (hopefully)

Best new year wishes,
Ken Phillips

Report should be attached now. I'm sure I did the deed properly last time, AARGH!

Postby Lightning » Thu Jan 15, 2009 7:12 pm

ken-neptune wrote: I looked at the site you referenced, and the other suggested method (as I understand) of disclosing pptp support, lsmod, fails to show ip_masq_ipsec or ip_masq_pptp in the output.

You will never see these options as modules because they are now built into the kernel and not included as modules.

Unfortunately there is no report to look at :(

Postby dingetje » Fri Jan 16, 2009 1:53 am

I'm glad to hear the PopTop package saved the day :)

"sed: can't open masq"
is most likely the result of a syntax error in the command you've typed. Best practice is to copy/paste it from my post in the PuTTY window and try again.

Postby matcarls » Fri Jan 16, 2009 3:26 am

Hi there again.

I am glad to hear it is not only me sitting duck in this boat. I thought 040 would fix this, but I haven't tried it out yet. We had to switch firewall to a Linksys to get this vpn working. It was with a tear in my eye I closed down the Freesco. I do hope to bring it back though once this issue is solved.

/ Mattias C

Postby ken-neptune » Fri Jan 16, 2009 8:00 am

dingetje wrote: is most likely the result of a syntax error in the command you've typed. Best practice is to copy/paste it from my post in the PuTTY window and try again.

dingetje

Just to be thorough (and because I understand the reasoning :P) I tried your suggestion of copy and paste for the suggested command, did it through PuTTY this time as well (just for a change); however, the beast's output was the same. I've only just really migrated to 0.4.0, but did try the grep thing on 0.3.8 as well beforehand and unfortunately got the same error.

Yes, PopToP is doing the deed, even allowing me to access pretty much every machine on my Lan, it's just a bit untidy having to do it via IP addresses, instead of machine names, however, without letting Freesco do all the DHCP and DNS stuff that my windows 2k3 server needs to do, I'm at a bit of a loss, but, at least I can do something with it now.

Would still love to get this incoming Gre 47 forwarding working though, and, so I'm open to virtually any suggestions, apart from google it, coz, I've done that to death, to absolutely no avail :blink:.

Best wishes,
Ken Phillips

P.S. rectified lack of report in earlier posting.