Topic: NAT-T in v1.3b2  (Read 3660 times)
« on: June 22, 2007, 15:03:22 »
zed *
Posts: 7

Hello.

I use Monowall v1.3b2 as my Internet gateway. I configured a VPN server (L2TP/IPsec, PKI) on a W2K3 server in the LAN using this scenario:

INTERNET ---> (WAN) MONOWALL (LAN) ---> W2K3 with L2TP/IPsec, PKI VPN server


Is it possible to connect to the VPN server from the WAN network through monowall? If it is, how do I configure monowall?

« Reply #1 on: June 22, 2007, 15:24:47 »
markb ****
Posts: 331

You will have to use the inbound NAT to forward the appropriate ports to your L2TP/IPsec server. I believe these are UDP ports 500 & 1701 and TCP port 50 (obtained from http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol). Don't forget to either have the corresponding rules added automatically or create them manually.

Mark.
« Reply #2 on: June 22, 2007, 16:06:27 »
zed *
Posts: 7

I did it that way except for port 50, maybe that was the cause of the problems (I'll try and let you know about the results). Is there any other setting that must be turned on in monowall for this scenario?
« Reply #3 on: June 22, 2007, 17:21:58 »
zed *
Posts: 7

Still nothing. Any suggestions?
« Reply #4 on: June 23, 2007, 04:24:08 »
cmb *****
Posts: 851

That may require protocols other than TCP and UDP, which are the only two you can use in inbound NAT. You may have to 1:1 NAT that server to a dedicated public IP to open that. Check your firewall logs when trying to connect and see what's not getting through.
« Reply #5 on: June 23, 2007, 23:17:49 »
zed *
Posts: 7

I've got only 1 public IP so I can not use it in 1:1 NAT...
« Reply #6 on: June 24, 2007, 01:35:32 »
cmb *****
Posts: 851

Quote from: zed
I've got only 1 public IP so I can not use it in 1:1 NAT...

It may not be necessary, check your firewall logs on m0n0wall to see what it's dropping when you try to connect.
« Reply #7 on: June 24, 2007, 11:27:10 »
zed *
Posts: 7

Unfortunately the firewall logs show almost nothing. The only log entry is below (it was logged after the WinXP client reported that it could not connect because the server did not respond):

13:07:53.862001 lnc1 @200:3 b 1.1.1.55 -> 192.168.1.5 PR icmp len 20 56 icmp timxceed/reassem for 1.1.1.4,4500 - 1.1.1.4,4500 PR udp len 20 1500 IN NAT

1.1.1.4 - monowall wan ip
1.1.1.55 - winxp client ip
192.168.1.5 - server lan ip
« Reply #8 on: June 28, 2007, 05:11:56 »
cmb *****
Posts: 851

Are you allowing fragmented packets on your firewall rules? I'd try that.
« Reply #9 on: June 28, 2007, 11:37:27 »
zed *
Posts: 7

Yes, all rules allowed fragmented packets from the beginning.

Ports 500 and 4500 are passed OK (according to the logs, 500 and 4500 are allowed). I think that NATing of IP protocol 50 (ESP) is the problem...

Right now I use PPTP + W2K3 + RADIUS and it works great, but L2TP/IPsec is very desirable :)


P.S. Sorry for my English ...
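The thread's diagnosis rests on reading m0n0wall's ipfilter (ipmon) log lines and knowing which parts of L2TP/IPsec are port-based (IKE on UDP 500, NAT-T on UDP 4500, L2TP on UDP 1701) and which are not (ESP is IP protocol 50, which a TCP/UDP port forward cannot match). The script below is an added example written for this thread; it is not m0n0wall code and not anything the posters ran. It parses log lines in the format of the entry quoted in reply #7 (the field order is an assumption drawn from that one line and ipmon's usual layout), names the IPsec component each entry belongs to, and flags the two failure modes discussed here: fragment reassembly timeouts on NAT-T packets, and ESP packets that no port forward can carry. Only the first sample line is from the thread; the other three are constructed.

```python
"""Classify m0n0wall (ipfilter/ipmon) log lines for L2TP/IPsec troubleshooting.

Added example for this thread, not m0n0wall code. The log layout parsed here
is assumed from the single line quoted in the thread plus ipmon's field order:
  time iface @group:rule action src[,sport] -> dst[,dport] PR proto len hlen tlen [icmp detail] IN|OUT [NAT]
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First line is the one quoted in the thread; the remaining three are
# CONSTRUCTED to show passed IKE/NAT-T traffic and a blocked raw ESP packet.
SAMPLE_LOG = """\
13:07:53.862001 lnc1 @200:3 b 1.1.1.55 -> 192.168.1.5 PR icmp len 20 56 icmp timxceed/reassem for 1.1.1.4,4500 - 1.1.1.4,4500 PR udp len 20 1500 IN NAT
13:07:51.100000 lnc1 @0:5 p 1.1.1.55,500 -> 192.168.1.5,500 PR udp len 20 348 IN NAT
13:07:52.200000 lnc1 @0:6 p 1.1.1.55,4500 -> 192.168.1.5,4500 PR udp len 20 120 IN NAT
13:07:54.300000 lnc1 @200:1 b 1.1.1.55 -> 1.1.1.4 PR esp len 20 140 IN
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)(?P<rest>.*)$"
)
# An ICMP error entry also summarises the packet the error was generated for.
ICMP_RE = re.compile(
    r"icmp\s+(?P<itype>\S+)\s+for\s+(?P<isrc>[\d.]+),(?P<isport>\d+)\s+-\s+"
    r"(?P<idst>[\d.]+),(?P<idport>\d+)\s+PR\s+(?P<iproto>\w+)\s+len\s+\d+\s+(?P<ilen>\d+)"
)

# Port-based pieces of L2TP/IPsec; ESP/AH have no ports and are handled separately.
PORT_COMPONENTS = {("udp", 500): "IKE", ("udp", 4500): "NAT-T", ("udp", 1701): "L2TP"}


@dataclass
class Event:
    time: str
    iface: str
    rule: str
    action: str            # 'b' = blocked, 'p' = passed
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    total_len: int
    direction: str
    natted: bool
    icmp_type: Optional[str] = None   # filled only for ICMP error entries
    inner_proto: Optional[str] = None
    inner_port: Optional[int] = None
    inner_len: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one ipmon-style log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    dir_match = re.search(r"\b(IN|OUT)\b", rest)
    ev = Event(
        time=m.group("time"), iface=m.group("iface"), rule=m.group("rule"),
        action=m.group("action"), src=m.group("src"), dst=m.group("dst"),
        proto=m.group("proto").lower(),
        sport=int(m.group("sport")) if m.group("sport") else None,
        dport=int(m.group("dport")) if m.group("dport") else None,
        total_len=int(m.group("tlen")),
        direction=dir_match.group(1) if dir_match else "?",
        natted=bool(re.search(r"\bNAT\b", rest)),
    )
    im = ICMP_RE.search(rest)
    if im:
        ev.icmp_type = im.group("itype")
        ev.inner_proto = im.group("iproto").lower()
        ev.inner_port = int(im.group("idport"))
        ev.inner_len = int(im.group("ilen"))
    return ev


def ipsec_component(proto: str, port: Optional[int]) -> Optional[str]:
    """Name the L2TP/IPsec piece a packet belongs to, or None if unrelated."""
    if proto in ("esp", "50"):
        return "ESP"
    if proto in ("ah", "51"):
        return "AH"
    return PORT_COMPONENTS.get((proto, port))


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Turn log lines into findings: passed, blocked, fragmentation, unforwardable."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.proto == "icmp" and ev.inner_proto:
            # The ICMP error is about the inner packet, so classify that one.
            comp = ipsec_component(ev.inner_proto, ev.inner_port)
            if comp and ev.icmp_type.startswith("timxceed"):
                findings.append({"time": ev.time, "component": comp, "status": "fragmentation",
                                 "detail": f"{ev.inner_proto}/{ev.inner_port} packet of {ev.inner_len} bytes "
                                           f"was never reassembled ({ev.icmp_type}); its fragments are lost "
                                           "before the server sees the whole packet"})
            continue
        comp = ipsec_component(ev.proto, ev.dport)
        if comp is None:
            continue
        if ev.action == "p":
            status, detail = "passed", f"{comp} to {ev.dst} allowed by rule @{ev.rule}"
        elif comp in ("ESP", "AH"):
            status = "unforwardable"
            detail = (f"{comp} is IP protocol {'50' if comp == 'ESP' else '51'} and has no port, so a "
                      "TCP/UDP port forward cannot match it; it needs NAT-T on UDP 4500 or 1:1 NAT")
        else:
            status, detail = "blocked", f"{comp} to {ev.dst} blocked by rule @{ev.rule}"
        findings.append({"time": ev.time, "component": comp, "status": status, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['component']:6} {f['status']:14} {f['detail']}")
```

Run against the thread's own line, the first finding is "fragmentation" on NAT-T: a 1500-byte UDP/4500 packet (the size of an IKE exchange carrying certificates) timed out in reassembly, which is why the passed 500/4500 rules alone did not get the client connected. The constructed ESP line shows the other case cmb raised: a blocked protocol-50 packet is reported as "unforwardable" because no inbound NAT entry can select it by port.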