This patch is primarily for masquerading PPTP clients:
    PPTP             Linux                                   PPTP
    Client  -+-->  Masq and  -->  Internet  -->  Firewall  -->  Server
             |     Firewall
    Others  -'
If you have a PPTP server behind a Linux firewall...

                                      Linux            PPTP
    PPTP Client  -->  Internet  -->  Firewall  -->  Server

...then you will need this patch if your PPTP server does not have a valid Internet IP address, in order to masquerade the PPTP traffic outbound from the server. You will also need the ipportfw port-forwarding kernel patch and configuration tool to forward the initial 1723/TCP control channel traffic, and the IPFwd generic IP forwarding utility to forward the initial GRE traffic into your server. Details are available in the PPTP Masquerade HOWTO.
Once this patch is installed, you will no longer need to dial your ISP directly from your PPTP client to access your PPTP server. This means that all of the benefits of Linux masqueraded access to the Internet remain available even while you are using PPTP to access a remote network - assuming, of course, your PPTP server is available over the Internet. If it isn't then this patch probably won't buy you much.
In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over PPTP) from all of the computers on your local network. I do this regularly while working from my home. Note for W'95/'98 PPTP client users: sorry, but the W'95/'98 IP stack does not support forwarding (can we say "Brain Dead"?) or more than one PPTP session.
You can download the patch from: [ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 | Linux Mama ]
Version 2.0, which implements Call ID masquerading, is available: [ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]
According to Alan Cox, this will be going into the 2.0.37 kernel.
To download using Lynx: highlight the link, press "d" (download), and select "Save to Disk".
Second, make sure that you have IP Masquerading compiled into your kernel and working properly. Setting up masquerading itself is beyond the scope of this document, and there is a HOWTO already available that describes the process. Also, I have written a GUI wrapper for the ipfwadm command that makes managing firewall and masquerade setup easier.
Third, make sure that PPTP works when you dial your ISP directly from your PPTP client system. This modification will go down much more easily if you take small bites and chew them thoroughly. Said another way, don't try to change six things simultaneously...
To install the PPTP Masquerade patch, follow the directions given in the PPTP Masquerade HOWTO, available at: [ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]
Please visit the Microsoft security announcements site for an important PPTP security update for Microsoft PPTP clients and servers. You may also be interested in an analysis of Microsoft's implementation of the PPTP protocol by one of the most respected members of the Crypto community. Other analyses are available here and here.
Profuse thanks to Gordon Chaffee for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. Get the patch from: [ HTTP Mirror 1 | HTTP Mirror 2 | FTP Mirror 1 ]
The code changes are fairly simple and are restricted entirely to ip_masq.c - basically all I've added is NAT for GRE. (Of course, the Call-ID masquerading makes it a little more complex...)
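To make the Call-ID masquerading mentioned above (and in the Version 2.0 note) concrete, here is an added user-space illustration; it is not the ip_masq.c patch itself or any code from this page. It relies only on the wire layouts in RFC 2637: the enhanced GRE header (version 1, protocol 0x880B, Key present, low word of the Key = Call ID) and the control messages on 1723/TCP (magic cookie 0x1A2B3C4D, Outgoing-Call-Request with the client's Call ID at offset 12, Outgoing-Call-Reply with "Peer's Call ID" at offset 14). The table layout, the allocation of firewall-side Call IDs from 0x4000 upward, the function names and the two-client scenario are all constructed for this example. The point it shows is why plain GRE NAT is not enough: every inbound GRE packet from the server is addressed to the firewall, so the Call ID in the Key is the only thing that identifies which internal client it belongs to, and two clients may pick the same one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Enhanced GRE header that PPTP carries in IP protocol 47 (RFC 2637 section 4).
 * Big-endian on the wire; PPTP sets K, version 1, protocol 0x880B, never sets C,
 * so rewriting the Key needs no checksum fix-up. */
#define GRE_PPTP_PROTO    0x880B
#define GRE_FLAG_K        0x2000
#define GRE_VER_MASK      0x0007
#define GRE_KEY_CALLID    6      /* offset of the 16-bit Call ID (low word of Key) */

/* Control channel (1723/TCP) messages, RFC 2637 section 2; offsets into the message. */
#define PPTP_MAGIC        0x1A2B3C4DUL
#define PPTP_CTRL_MSG     1
#define PPTP_OUT_CALL_REQ 7
#define PPTP_OUT_CALL_RPL 8
#define PPTP_CTRL_TYPE    8      /* Control Message Type */
#define PPTP_OCRQ_CALLID  12     /* Call ID in Outgoing-Call-Request (client -> server) */
#define PPTP_OCRP_PEERID  14     /* Peer's Call ID in Outgoing-Call-Reply (server -> client) */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Masquerade table: (client IP, client's Call ID) <-> Call ID the outside world sees.
 * Constructed design for this example: firewall-side IDs are handed out from 0x4000 up. */
#define MASQ_MAX 16
struct pptp_masq { uint32_t client_ip; uint16_t client_callid; uint16_t masq_callid; int used; };
static struct pptp_masq table[MASQ_MAX];
static uint16_t next_masq_callid = 0x4000;

void pptp_masq_reset(void) { memset(table, 0, sizeof table); next_masq_callid = 0x4000; }

/* Map a client's Call ID to a firewall-unique one, allocating on first sight; -1 if full. */
int pptp_masq_map(uint32_t client_ip, uint16_t client_callid) {
    for (int i = 0; i < MASQ_MAX; i++)
        if (table[i].used && table[i].client_ip == client_ip && table[i].client_callid == client_callid)
            return table[i].masq_callid;
    for (int i = 0; i < MASQ_MAX; i++)
        if (!table[i].used) {
            table[i] = (struct pptp_masq){ client_ip, client_callid, next_masq_callid++, 1 };
            return table[i].masq_callid;
        }
    return -1;
}

/* Reverse lookup for inbound traffic; 0 on success, -1 if no session owns that Call ID. */
int pptp_masq_lookup(uint16_t masq_callid, uint32_t *client_ip, uint16_t *client_callid) {
    for (int i = 0; i < MASQ_MAX; i++)
        if (table[i].used && table[i].masq_callid == masq_callid) {
            *client_ip = table[i].client_ip; *client_callid = table[i].client_callid;
            return 0;
        }
    return -1;
}

/* Outbound control message: translate the Call ID a client announces in its
 * Outgoing-Call-Request so two clients that chose the same ID do not collide at the server. */
int pptp_masq_ctrl_out(uint8_t *msg, size_t len, uint32_t client_ip) {
    if (len < 16 || get16(msg + 2) != PPTP_CTRL_MSG || get32(msg + 4) != PPTP_MAGIC) return -1;
    if (get16(msg + PPTP_CTRL_TYPE) != PPTP_OUT_CALL_REQ) return 0;   /* nothing to translate */
    int id = pptp_masq_map(client_ip, get16(msg + PPTP_OCRQ_CALLID));
    if (id < 0) return -1;
    put16(msg + PPTP_OCRQ_CALLID, (uint16_t)id);
    return 0;
}

/* Inbound control message: the Outgoing-Call-Reply echoes our masqueraded ID as
 * "Peer's Call ID"; restore the client's own ID and report which client it is for. */
int pptp_masq_ctrl_in(uint8_t *msg, size_t len, uint32_t *client_ip) {
    uint16_t client_callid;
    if (len < 16 || get16(msg + 2) != PPTP_CTRL_MSG || get32(msg + 4) != PPTP_MAGIC) return -1;
    if (get16(msg + PPTP_CTRL_TYPE) != PPTP_OUT_CALL_RPL) return 0;
    if (pptp_masq_lookup(get16(msg + PPTP_OCRP_PEERID), client_ip, &client_callid) < 0) return -1;
    put16(msg + PPTP_OCRP_PEERID, client_callid);
    return 0;
}

/* Inbound GRE from the server: the Key's low word is the Call ID the server believes the
 * client has, i.e. our masqueraded one; it is what demultiplexes packets to internal hosts. */
int pptp_masq_gre_in(uint8_t *gre, size_t len, uint32_t *client_ip) {
    uint16_t flags, client_callid;
    if (len < 8) return -1;
    flags = get16(gre);
    if ((flags & GRE_VER_MASK) != 1 || !(flags & GRE_FLAG_K) || get16(gre + 2) != GRE_PPTP_PROTO)
        return -1;                                   /* not PPTP GRE: leave it alone */
    if (pptp_masq_lookup(get16(gre + GRE_KEY_CALLID), client_ip, &client_callid) < 0) return -1;
    put16(gre + GRE_KEY_CALLID, client_callid);
    return 0;
}

/* Constructed scenario: clients 10.0.0.2 and 10.0.0.3 both pick Call ID 1; the server's reply
 * and data for the second one must still reach it. Returns 0 on success, else -(failed step). */
int pptp_masq_demo(void) {
    uint8_t req_a[16] = {0x00,0xA8, 0x00,0x01, 0x1A,0x2B,0x3C,0x4D, 0x00,0x07, 0x00,0x00, 0x00,0x01, 0x00,0x01};
    uint8_t req_b[16]; memcpy(req_b, req_a, sizeof req_a);
    uint8_t rpl[16]   = {0x00,0x20, 0x00,0x01, 0x1A,0x2B,0x3C,0x4D, 0x00,0x08, 0x00,0x00, 0x00,0x99, 0x40,0x01};
    uint8_t gre[8]    = {0x30,0x01, 0x88,0x0B, 0x00,0x04, 0x40,0x01};  /* K|S, ver 1, Call ID 0x4001 */
    uint32_t ip;
    pptp_masq_reset();
    if (pptp_masq_ctrl_out(req_a, sizeof req_a, 0x0A000002) || get16(req_a + 12) != 0x4000) return -1;
    if (pptp_masq_ctrl_out(req_b, sizeof req_b, 0x0A000003) || get16(req_b + 12) != 0x4001) return -2;
    if (pptp_masq_ctrl_in(rpl, sizeof rpl, &ip) || ip != 0x0A000003 || get16(rpl + 14) != 1) return -3;
    if (pptp_masq_gre_in(gre, sizeof gre, &ip) || ip != 0x0A000003 || get16(gre + 6) != 1) return -4;
    return 0;
}

int main(void) {
    printf("PPTP Call ID masquerade demo: %s\n", pptp_masq_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The outbound GRE direction is deliberately absent: packets from a client to the server carry the server's Call ID in the Key, so only the IP source address changes and ordinary masquerading already covers that. Everything the firewall must track for the reverse path comes from watching the control channel, which is why a kernel implementation of this also has to release table entries when the control connection or the call is torn down.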
I've been using this with great success since September 7, 1997.
I only have an x86 box to test this on (hence the "x86 only" comment above). Comments from users on other architectures are welcome.
The 2.1.65+ kernels natively support a tunnelling protocol based on GRE, but do not support PPTP natively in any way. See the HOWTO for more details on 2.1.x and 2.2.x kernels.
There is also work proceeding on a native Linux PPTP client and server. Note that this software currently does not support encryption, but see this site for what appears to be a M$-compatible encryption/compression patch for pppd...
This patch currently conflicts with the IP Firewall Chains patch in trying to patch the kernel config files. This is non-critical. See the HOWTO for more details.
I am currently developing Masquerade for IPSEC and ISAKMP. If you use IPSEC/ISAKMP and would be willing to test masquerade of encrypted traffic, drop me a line. Please do not contact me unless you already have working IPSEC/ISAKMP in place. Note that this is intended to allow use of an IPSEC host from behind a masquerading firewall in the same manner that the PPTP patch allows you to use a PPTP host from behind a masquerading firewall. If you want to implement an IPSEC-based VPN, please visit the Linux FreeS/WAN site.
Disclaimer: No guarantees of functionality. Keep a working compiled kernel around in case this blows up.