Date: Tue, 31 Oct 2000 10:18:33 +0200
From: Ruslan Ermilov <ru@sunbay.com>
To: Scott Gasch <scott@mail.medsp.com>
Cc: questions@FreeBSD.ORG
Subject: Re: natd under 4.1.1-STABLE
Message-ID: <20001031101833.A58585@sunbay.com>
In-Reply-To: <20001030222749.A2237@www.medsp.com>; from scott@mail.medsp.com on Mon, Oct 30, 2000 at 10:27:50PM -0800
References: <20001030222749.A2237@www.medsp.com>
On Mon, Oct 30, 2000 at 10:27:50PM -0800, Scott Gasch wrote:
> Hi all,
>
> I recently upgraded from 4.0-RELEASE to 4.1.1-STABLE and discovered
> that my natd no longer needs a -pptpalias flag on it. Before the
> change I used this pptpalias flag to enable my machines behind my bsd
> box to use a VPN to work (one at a time):
>
> natd -l -u -m -s -pptpalias 10.0.0.100 -interface de0
>
> I read a couple of things about changes in libalias that make this
> pptpalias flag unneeded -- apparently the library can figure it out on
> its own now(?).
>
True.

> So after my upgrade I simply omitted the -pptpalias
> flag and was able to connect and authenticate to a VPN server without
> problems using:
>
> natd -l -u -m -s -interface de0
>
Fine.

> But, unfortunately, my connection stopped working normally after the
> initial connection. I am able to ping the server on the other end of
> the VPN connection...
>
That certainly indicates that PPTP is working.

> but not contact DNS or WINS servers across the
> VPN. In addition the connection statistics looked like I was sending
> out a lot more data than I was receiving... when usually the inverse
> is true.
>
Maybe you have some firewall issues with your setup?

> I don't know much about GRE or MS-PPTP but I recall something about
> GRE packets not having proper to addresses on them and natd needing
> help to deliver them (thus the pptpalias flag). So I tried this:
>
> natd -l -u -m -s -redirect_proto gre 10.0.0.100 -interface de0
>
> ...but it doesn't work either. Can someone give me a hand getting my
> behind-the-server clients connecting to a corporate (MS) VPN server
> again?
>
I am going to commit the latest PPTP fixes for libalias(3) to RELENG_4
today; I suggest that you try with them.

Basically, libalias(3) now transparently handles PPTP. It intercepts
control messages going to/from TCP port 1723, and aliases/dealiases
Call IDs encountered as appropriate. It also intercepts PPTP GRE traffic
to alter the Call IDs there accordingly.

There exists one problem -- you can only have one client connecting to
the *same* PPTP server at a time. The BUGS section of libalias(3) has
this documented.

For PPTP clients behind NAT, you do not have to do anything (just make
sure firewalls allow for TCP port 1723 and GRE traffic). For a PPTP
server behind NAT, you need to redirect incoming traffic to TCP port
1723 to a local machine running PPTP server software.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
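The following is an added example and is not code from this thread or from libalias(3). It models in Python the behaviour the reply describes: the NAT watches the PPTP control connection on TCP port 1723, replaces the client's Call ID in an Outgoing-Call-Request with an alias, maps the alias back when the server echoes it as "Peer's Call ID" in the Outgoing-Call-Reply, and rewrites the Call ID field of inbound enhanced-GRE packets (IP protocol 47, GRE version 1, payload type 0x880B) so they reach the right client. Packet layouts follow RFC 2637; the addresses, the alias range starting at 0x4000, the `PptpNat` class and the constructed packets are assumptions of this example. The toy keeps a per-client table and therefore does not reproduce the one-client-per-server restriction the reply mentions.

```python
"""Toy model of transparent PPTP NAT (added illustration, not libalias(3) code).
Control messages on TCP/1723 get their Call ID aliased; GRE data packets coming
back from the server carry that alias and are mapped to the real client."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7       # client -> server, carries the client's Call ID
OUTGOING_CALL_REPLY = 8         # server -> client, echoes it as "Peer's Call ID"
GRE_PROTO_PPP = 0x880B          # RFC 2637 enhanced GRE payload type
GRE_FLAG_K = 0x2000             # Key field (payload length + Call ID) present
GRE_FLAG_S = 0x1000             # Sequence number present
GRE_VERSION_MASK = 0x0007


def u16(pkt, off):
    """Read a big-endian 16-bit field at byte offset off."""
    return int.from_bytes(pkt[off:off + 2], "big")


def _control_type(pkt):
    """Validate the 12-byte PPTP control header and return its message type."""
    length, msg_type, magic, ctrl_type = struct.unpack_from(">HHIH", pkt, 0)
    if msg_type != PPTP_CONTROL_MESSAGE or magic != PPTP_MAGIC or length != len(pkt):
        raise ValueError("not a PPTP control message")
    return ctrl_type


def outgoing_call_request(call_id, serial=1):
    """Constructed Outgoing-Call-Request (168 bytes); Call ID sits at offset 12."""
    body = struct.pack(">HHIIIIHHHH", call_id, serial, 0, 0, 0, 0, 0, 0, 0, 0)
    body += b"\0" * 128                       # Phone Number + Subaddress fields
    return struct.pack(">HHIHH", 12 + len(body), PPTP_CONTROL_MESSAGE, PPTP_MAGIC,
                       OUTGOING_CALL_REQUEST, 0) + body


def outgoing_call_reply(server_call_id, peer_call_id):
    """Constructed Outgoing-Call-Reply (32 bytes); Peer's Call ID sits at offset 14."""
    body = struct.pack(">HHBBHIHHI", server_call_id, peer_call_id, 1, 0, 0, 0, 0, 0, 0)
    return struct.pack(">HHIHH", 12 + len(body), PPTP_CONTROL_MESSAGE, PPTP_MAGIC,
                       OUTGOING_CALL_REPLY, 0) + body


def gre_packet(call_id, payload, seq=0):
    """Constructed enhanced-GRE packet: flags/version, 0x880B, length, Call ID, seq."""
    flags = GRE_FLAG_K | GRE_FLAG_S | 1       # version 1 = PPTP
    return struct.pack(">HHHHI", flags, GRE_PROTO_PPP, len(payload), call_id, seq) + payload


class PptpNat:
    """Call ID aliasing table: (server_ip, alias) <-> (client_ip, real_call_id)."""

    def __init__(self, first_alias=0x4000):      # alias range is an assumption
        self._next_alias = first_alias
        self._by_alias = {}       # (server_ip, alias) -> (client_ip, real)
        self._by_client = {}      # (server_ip, client_ip, real) -> alias

    def alias_control_out(self, client_ip, server_ip, pkt):
        """Client -> server on TCP/1723: swap the client's Call ID for an alias."""
        out = bytearray(pkt)
        if _control_type(out) == OUTGOING_CALL_REQUEST:
            real = u16(out, 12)
            key = (server_ip, client_ip, real)
            alias = self._by_client.get(key)
            if alias is None:
                alias = self._next_alias
                self._next_alias += 1
                self._by_client[key] = alias
                self._by_alias[(server_ip, alias)] = (client_ip, real)
            struct.pack_into(">H", out, 12, alias)
        return bytes(out)

    def dealias_control_in(self, server_ip, pkt):
        """Server -> client on TCP/1723: restore the real Call ID in Peer's Call ID.
        Returns (client_ip, rewritten packet)."""
        out = bytearray(pkt)
        if _control_type(out) != OUTGOING_CALL_REPLY:
            raise ValueError("only Outgoing-Call-Reply is modelled here")
        client_ip, real = self._by_alias[(server_ip, u16(out, 14))]
        struct.pack_into(">H", out, 14, real)
        return client_ip, bytes(out)

    def dealias_gre_in(self, server_ip, pkt):
        """Server -> client GRE: the Call ID names the client's call, so it arrives
        carrying the alias; map it back and pick the client to deliver to."""
        flags, proto = struct.unpack_from(">HH", pkt, 0)
        if proto != GRE_PROTO_PPP or (flags & GRE_VERSION_MASK) != 1 or not flags & GRE_FLAG_K:
            raise ValueError("not PPTP enhanced GRE")
        client_ip, real = self._by_alias[(server_ip, u16(pkt, 6))]
        out = bytearray(pkt)
        struct.pack_into(">H", out, 6, real)
        return client_ip, bytes(out)


if __name__ == "__main__":
    nat = PptpNat()
    req = nat.alias_control_out("10.0.0.100", "203.0.113.1", outgoing_call_request(5))
    print("aliased Call ID: 0x%04x" % u16(req, 12))
    client, gre = nat.dealias_gre_in("203.0.113.1", gre_packet(u16(req, 12), b"\xff\x03"))
    print("GRE delivered to %s with Call ID %d" % (client, u16(gre, 6)))
```

Outbound GRE from the client needs no Call ID change in this model, since it carries the server's Call ID, which the NAT never touches. For the server-behind-NAT case in the reply, the natd(8) flag that forwards the control channel is `-redirect_port tcp <internal-ip>:1723 1723` (the internal address is yours to fill in); GRE itself has no port and still has to be permitted by the firewall on both sides.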