Mailing List Archive

NAT rules for VPN only allowing one user?
Hello:

I have a Linux machine acting as a firewall for my
network. I have a couple of remote users that need
access to the internal network, so I put a Linksys
RV042 VPN Router on my internal switch.

On the Linux box, I set these iptables rules (Line breaks
added for readability):

/sbin/iptables -t nat -A PREROUTING -p tcp
-i eth0 -d $ETH0_IP
--sport 1024: --dport 1723
-j DNAT --to $LINKSYS_VPN_IP:1723
/sbin/iptables -A FORWARD -i eth0 -o eth1
-d $LINKSYS_VPN_IP -p tcp
--sport 1024: --dport 1723
-m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1
-d $LINKSYS_VPN_IP -p tcp --dport 1723
-j SNAT --to-source $ETH1_IP
/sbin/iptables -t nat -A PREROUTING -p gre -i eth0
-j DNAT --to $LINKSYS_VPN_IP
/sbin/iptables -A FORWARD -i eth0 -o eth1
-d $LINKSYS_VPN_IP -p gre -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1
-d $LINKSYS_VPN_IP -p gre -j SNAT --to-source $ETH1_IP
/sbin/iptables -t nat -A PREROUTING -s $LINKSYS_VPN_IP
-d $ETH1_IP -p gre -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0
-s $LINKSYS_VPN_IP -p gre -j ACCEPT

Either one of my remote users can connect to the VPN using
the Windows XP VPN client. But, if one of them is connected
and the other tries to connect, the second person gets to
the verifying username and password screen and then
gets an Error 619 that they are not able to connect.

I think somehow the existing connection is mis-routing
the login for the second connection.

Any ideas what could be going on?

Thanks,
Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
Re: NAT rules for VPN only allowing one user?
On May 29 2007 12:31, Neil Aggarwal wrote:

>/sbin/iptables -t nat -A POSTROUTING -o eth1
> -d $LINKSYS_VPN_IP -p tcp --dport 1723
> -j SNAT --to-source $ETH1_IP

This is redundant.

>Either one of my remote users can connect to the VPN using
>the Windows XP VPN client. But, if one of them is connected
>and the other tries to connect, the second person gets to
>the verifying username and password screen and then
>gets an Error 619 that they are not able to connect.
>
>I think somehow the existing connection is mis-routing
>the login for the second connection.
>
>Any ideas what could be going on?

Use the holy tcpdump.


Jan
--
RE: NAT rules for VPN only allowing one user?
Jan:

Actually, I need the SNAT rule to make my remote
users look like they are coming from the local network.

For some reason, the Linksys does not respond to the
connection unless I have that.

Thanks,
Neil

Re: NAT rules for VPN only allowing one user?
Hey,

This sounds like a problem on the VPN gateway device, you should remove the rule:

"/sbin/iptables -t nat -A POSTROUTING -o eth1
-d $LINKSYS_VPN_IP -p tcp --dport 1723
-j SNAT --to-source $ETH1_IP"

And resolve that issue. What is most likely currently happening: your VPN router is only set up for, or only supports, 1 VPN connection per IP address, so a second connection would overwrite the first one.

Michael


--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
RE: NAT rules for VPN only allowing one user?
So this is a limitation of the Linksys router, correct? What are the
real requirements for user connections?

Linksys has the BEFVP41, that supports up to 50 VPN connections. Maybe
an upgrade to this box is in order. It's on Amazon for $99. What
router are you using right now? If it's a WRT54 series wireless router,
there might even be an image you can flash it with to do what you want
right now.

Martin


Martin McKeay, CISSP, GSNA
Product Evangelist
StillSecure
martin@stillsecure.com
707-495-7926
http://cobia.stillsecure.com/mckeay

RE: NAT rules for VPN only allowing one user?
Martin:

I am using a LinkSys RV042. Since my remote users are
using the Microsoft XP VPN client, I set up the
PPTP server on the router.

I will have to investigate.

Thanks,
Neil

RE: NAT rules for VPN only allowing one user?
I took a quick look at the user guide but didn't see a lot of
information on the VPN. Does Linksys have a forum or mailing list that
addresses this? Maybe someone there's run into a similar problem.


Martin McKeay, CISSP, GSNA
Cobia Product Evangelist
StillSecure
martin@stillsecure.com
707-495-7926
http://www.cobiablog.com



From: Neil Aggarwal [mailto:neil@JAMMConsulting.com]
Sent: Wednesday, May 30, 2007 9:23 AM
To: Martin McKeay; netfilter@lists.netfilter.org
Subject: RE: NAT rules for VPN only allowing one user?

Martin:

I am using the LinkSys RV042:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1123638171618&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=7161822279B01

Neil

Re: NAT rules for VPN only allowing one user?

IIRC, for this to work a helper must be loaded to fixup the GRE stream.
And older implementations only allowed one connection. I might be
totally off on this one, but maybe a newer kernel will fix your problem.

You might ask in the netfilter-devel list where there is more expertise
on this.

HTH,
M4
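Added example, not rules from Neil's post or from any reply: the forwarding rule set rebuilt along the lines of Michael's and Martijn's replies, i.e. the PPTP conntrack/NAT helper loaded and the SNAT towards the Linksys dropped, so that each remote user reaches the PPTP server with its own source address and the server (and the helper) can tell the tunnels apart. The sample addresses are constructed, the module names are the kernel's own, and it assumes the Linksys sends return traffic via $ETH1_IP (if it does not, the SNAT that Neil found necessary is masking a default-gateway problem on the router, not fixing the PPTP one). It prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the poster's rules): PPTP pass-through to one internal
# PPTP server without the per-client SNAT the thread points at. As in the
# post, eth0 is the Internet side and eth1 the LAN side. Assumption: the
# Linksys uses $ETH1_IP as its default gateway, so replies come back here.
ETH0_IP="${ETH0_IP:-203.0.113.10}"            # constructed sample values
ETH1_IP="${ETH1_IP:-192.168.1.1}"
LINKSYS_VPN_IP="${LINKSYS_VPN_IP:-192.168.1.50}"
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print rules, 0 = apply

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

load_pptp_helper() {
    # Helper that tracks the PPTP control channel and rewrites GRE call IDs
    # per client. Module names differ by kernel generation (ip_* on
    # 2.6.9-era kernels such as CentOS 4, nf_* on later ones); try both.
    for m in nf_conntrack_pptp nf_nat_pptp ip_conntrack_pptp ip_nat_pptp; do
        run modprobe "$m" 2>/dev/null || true
    done
}

pptp_forward_rules() {
    # Control channel: TCP/1723 to the PPTP server, destination NAT only.
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$ETH0_IP" \
        --dport 1723 -j DNAT --to-destination "$LINKSYS_VPN_IP:1723"
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -d "$LINKSYS_VPN_IP" \
        --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Data channel: GRE, in both directions.
    run iptables -t nat -A PREROUTING -i eth0 -p gre -d "$ETH0_IP" \
        -j DNAT --to-destination "$LINKSYS_VPN_IP"
    run iptables -A FORWARD -i eth0 -o eth1 -p gre -d "$LINKSYS_VPN_IP" -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -p gre -s "$LINKSYS_VPN_IP" -j ACCEPT
    # Kernels 4.7 and later no longer attach helpers automatically; bind the
    # pptp helper explicitly (fails harmlessly on kernels without CT target).
    run iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp || true
    # Deliberately no SNAT towards the server: every remote user keeps its
    # own source address, so the second tunnel no longer collides with the first.
}

load_pptp_helper
pptp_forward_rules
```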
Re: NAT rules for VPN only allowing one user?
That is correct.

Please use the latest in stream kernel for your distro, or build the
latest one from kernel.org.

-gc

Martijn Lievaart wrote:

> IIRC, for this to work a helper must be loaded to fixup the GRE
> stream. And older implementations only allowed one connection. I might
> be totally of on this one, but maybe a newer kernel will fix your
> problem.
>
> You might ask in the netfilter-devel list where there is more
> expertise on this.
>
> HTH,
> M4
>
RE: NAT rules for VPN only allowing one user?
Gregory:

I originally installed CentOS 4.4, I have
done some yum updates since the install.

I just ran another yum update and it tells
me there is a 2.6.9-55.EL kernel available.
I started the update just now.

Will that kernel have the fix for the GRE stream
in it?

Thanks,
Neil
