Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Getting a VPN through a firewall?
- Thread starter drfish
- Start date
- Thread starter
- #2
Any help please? The firewall looks like this:
remote ipfilter flush input internet
# remote ipfilter flush output internet
# remote ipfilter flush transmit internet
# remote ipfilter flush receive internet
# eth ip filter flush input 0
# eth ip filter flush output 0
# eth ip filter flush transmit 0
# eth ip filter flush receive 0
# remote ipfilter append input drop -p tcp -tcp syn internet
# remote ipfilter append input accept -p tcp -sp 80 internet
# remote ipfilter append output accept -p tcp -dp 80 internet
# remote ipfilter append input accept -p tcp -sp 443 internet
# remote ipfilter append output accept -p tcp -dp 443 internet
# remote ipfilter append input accept -p tcp -sp 25 internet
# remote ipfilter append output accept -p tcp -dp 25 internet
# remote ipfilter append input accept -p tcp -sp 110 internet
# remote ipfilter append output accept -p tcp -dp 110 internet
# remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
# remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
# remote ipfilter append input accept -p udp -sp 123 internet
# remote ipfilter append output accept -p udp -dp 123 internet
# eth ip filter append output drop -p udp -sp 123 0
# eth ip filter append output drop -p udp -dp 123 0
# remote ipfilter append input accept -p tcp -sp 23 internet
# remote ipfilter append output accept -p tcp -dp 23 internet
# remote ipfilter append input accept -p udp -sp 53 internet
# remote ipfilter append output accept -p udp -dp 53 internet
# remote ipfilter append input accept -p tcp -sp 20:21 internet
# remote ipfilter append output accept -p tcp -dp 20:21 internet
# remote ipfilter append input accept -p udp -sp 1701 internet
# remote ipfilter append output accept -p udp -dp 1701 internet
# eth ip filter append output drop -p udp -sp 1701 0
# eth ip filter append output drop -p udp -dp 1701 0
# remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
# remote ipfilter append input accept -p 50 internet
# remote ipfilter append input accept -p 51 internet
# remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
# remote ipfilter append output accept -p 50 internet
# remote ipfilter append output accept -p 51 internet
# remote ipfilter append input drop internet
# remote ipfilter append output drop internet
# remote ipfilter watch on internet
# save
#
Are there some lines I need to remove that will let my VPN connect? Which ones? Is there any other way to do it?
remote ipfilter flush input internet
# remote ipfilter flush output internet
# remote ipfilter flush transmit internet
# remote ipfilter flush receive internet
# eth ip filter flush input 0
# eth ip filter flush output 0
# eth ip filter flush transmit 0
# eth ip filter flush receive 0
# remote ipfilter append input drop -p tcp -tcp syn internet
# remote ipfilter append input accept -p tcp -sp 80 internet
# remote ipfilter append output accept -p tcp -dp 80 internet
# remote ipfilter append input accept -p tcp -sp 443 internet
# remote ipfilter append output accept -p tcp -dp 443 internet
# remote ipfilter append input accept -p tcp -sp 25 internet
# remote ipfilter append output accept -p tcp -dp 25 internet
# remote ipfilter append input accept -p tcp -sp 110 internet
# remote ipfilter append output accept -p tcp -dp 110 internet
# remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
# remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
# remote ipfilter append input accept -p udp -sp 123 internet
# remote ipfilter append output accept -p udp -dp 123 internet
# eth ip filter append output drop -p udp -sp 123 0
# eth ip filter append output drop -p udp -dp 123 0
# remote ipfilter append input accept -p tcp -sp 23 internet
# remote ipfilter append output accept -p tcp -dp 23 internet
# remote ipfilter append input accept -p udp -sp 53 internet
# remote ipfilter append output accept -p udp -dp 53 internet
# remote ipfilter append input accept -p tcp -sp 20:21 internet
# remote ipfilter append output accept -p tcp -dp 20:21 internet
# remote ipfilter append input accept -p udp -sp 1701 internet
# remote ipfilter append output accept -p udp -dp 1701 internet
# eth ip filter append output drop -p udp -sp 1701 0
# eth ip filter append output drop -p udp -dp 1701 0
# remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
# remote ipfilter append input accept -p 50 internet
# remote ipfilter append input accept -p 51 internet
# remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
# remote ipfilter append output accept -p 50 internet
# remote ipfilter append output accept -p 51 internet
# remote ipfilter append input drop internet
# remote ipfilter append output drop internet
# remote ipfilter watch on internet
# save
#
Are there some lines I need to remove that will let my VPN connect? Which ones? Is there any other way to do it?
- Thread starter
- #4
I've just gotten that far on my own, I think I need to add this to the above:
# remote ipfilter insert input accept -p tcp -dp 1723
# remote ipfilter insert output accept -p tcp -sp 1723
Does that look right? Can I stick it in anywhere?
I'm teaching myself as I go so first I want to get the VPN through the firewall and then I'll secure it more by going with IPsec... But from what you're saying it should already let an IPsec VPN connection through?
# remote ipfilter insert input accept -p tcp -dp 1723
# remote ipfilter insert output accept -p tcp -sp 1723
Does that look right? Can I stick it in anywhere?
I'm teaching myself as I go so first I want to get the VPN through the firewall and then I'll secure it more by going with IPsec... But from what you're saying it should already let an IPsec VPN connection through?
This amy work better:
# remote ipfilter append input accept -p udp -dp 1723 internet
# remote ipfilter append output accept -p udp -sp 1723 internet
It should already let IPSec through, but I should warn you that IPSec does not play well with NAT. If you have NAT (especially at the client end) you will have all sorts of problems unless the routers on both ends are the same and support NAT-T.
# remote ipfilter append input accept -p udp -dp 1723 internet
# remote ipfilter append output accept -p udp -sp 1723 internet
It should already let IPSec through, but I should warn you that IPSec does not play well with NAT. If you have NAT (especially at the client end) you will have all sorts of problems unless the routers on both ends are the same and support NAT-T.
- Thread starter
- #6
Thanks for your help, I tried adding what you suggested but it didn't work. To make sure I was doing it right at all I also added this,
# remote ipfilter append input accept -p tcp -sp 5190 internet
# remote ipfilter append output accept -p tcp -dp 5190 internet
to let ICQ get though and it worked fine. I tried changing the udp in your suggestion to tcp but that didn't work either. I'll keeep trying, but any other suggestions would be nice.
Thanks again.
# remote ipfilter append input accept -p tcp -sp 5190 internet
# remote ipfilter append output accept -p tcp -dp 5190 internet
to let ICQ get though and it worked fine. I tried changing the udp in your suggestion to tcp but that didn't work either. I'll keeep trying, but any other suggestions would be nice.
Thanks again.
- Thread starter
- #8
No additional software... Just win98 trying to get in and a win2k server. Should I be using 3rd party software (recommendations?)? Will I need to when I set it up as IPsec? I thought I would then, but for now I thought windows would do everything I need. Thanks.
- Thread starter
- #10
I'm looking at the port monitor when I try to connect to the VPN and I can see that the remote computer is going to port 1723, it looks like this:
IP-FILTER: IROTO 6 (TCP) pkt from x.x.x.x/1027
IP-FILTER: to x.x.x.x/1723 dropped, SYN Flag
it shows that twice. Every time I try it the 1027 goes up by one (1028, 1029, 1030, etc). Do I need to do something with that? I am currently using this:
remote ipfilter append input accept -p udp -sp 1723 internet
remote ipfilter append output accept -p udp -dp 1723 internet
to open that port, I switched the -sp with the -dp because that's the way it is in all the other commands. It seems like it should work...
IP-FILTER: I
ROTO 6 (TCP) pkt from x.x.x.x/1027IP-FILTER: to x.x.x.x/1723 dropped, SYN Flag
it shows that twice. Every time I try it the 1027 goes up by one (1028, 1029, 1030, etc). Do I need to do something with that? I am currently using this:
remote ipfilter append input accept -p udp -sp 1723 internet
remote ipfilter append output accept -p udp -dp 1723 internet
to open that port, I switched the -sp with the -dp because that's the way it is in all the other commands. It seems like it should work...
- Thread starter
- #12
- Thread starter
- #13
- Thread starter
- #14
John Lewis
Programmer
remote ipfilter append input accept -p tcp -sp 47 internet
remote ipfilter append output accept -p tcp -dp 47 internet
should be:
remote ipfilter append input accept -p 47 internet
remote ipfilter append output accept -p 47 internet
You need to let protocol 47 through, the rule you had specified protocol tcp on port 47.
remote ipfilter append output accept -p tcp -dp 47 internet
should be:
remote ipfilter append input accept -p 47 internet
remote ipfilter append output accept -p 47 internet
You need to let protocol 47 through, the rule you had specified protocol tcp on port 47.
- Thread starter
- #16
That didn't work either...
This is what it looks like currently:
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input accept -p tcp -sp 25 internet
remote ipfilter append output accept -p tcp -dp 25 internet
remote ipfilter append input accept -p tcp -sp 110 internet
remote ipfilter append output accept -p tcp -dp 110 internet
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0
remote ipfilter append input accept -p tcp -sp 23 internet
remote ipfilter append output accept -p tcp -dp 23 internet
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append output accept -p tcp -dp 20:21 internet
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet
eth ip filter append output drop -p udp -sp 1701 0
eth ip filter append output drop -p udp -dp 1701 0
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet
remote ipfilter append input accept -p 47 internet
remote ipfilter append output accept -p 47 internet
remote ipfilter append input accept -p udp -sp 1723 internet
remote ipfilter append output accept -p udp -dp 1723 internet
remote ipfilter append input accept -p tcp -sp 5190 internet
remote ipfilter append output accept -p tcp -dp 5190 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
remote ipfilter watch on internet
save
Thanks for your help though.
This is what it looks like currently:
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input accept -p tcp -sp 25 internet
remote ipfilter append output accept -p tcp -dp 25 internet
remote ipfilter append input accept -p tcp -sp 110 internet
remote ipfilter append output accept -p tcp -dp 110 internet
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0
remote ipfilter append input accept -p tcp -sp 23 internet
remote ipfilter append output accept -p tcp -dp 23 internet
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append output accept -p tcp -dp 20:21 internet
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet
eth ip filter append output drop -p udp -sp 1701 0
eth ip filter append output drop -p udp -dp 1701 0
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet
remote ipfilter append input accept -p 47 internet
remote ipfilter append output accept -p 47 internet
remote ipfilter append input accept -p udp -sp 1723 internet
remote ipfilter append output accept -p udp -dp 1723 internet
remote ipfilter append input accept -p tcp -sp 5190 internet
remote ipfilter append output accept -p tcp -dp 5190 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
remote ipfilter watch on internet
save
Thanks for your help though.
John Lewis
Programmer
Didn't pay attention to some of the messages in between. The protocol for port 1723 should be tcp, not udp. You had it right somewhere along the way.
Fish...check this out. It might help.
Also...you are using PPTP.....not L2TP as mentioned in a earlier thread.
Also...you are using PPTP.....not L2TP as mentioned in a earlier thread.
- Status
Similar threads
- Locked
- Question