[VPN] PPTP client connections OK but can't ping remote host

Vieri Di Paola vieridipaola at yahoo.com
Thu Sep 16 10:43:25 EDT 2004


Hi,

I'm running SuSE 9.0 with SuSEfirewall2 and poptop.
I'm trying to connect from a Windows PPTP client to
the Linux box. Connection succeeds (chap
authentication ok). However, once connected, I can't
PING to any remote host (neither the Linux server nor
the PCs behind it, on the remote LAN).

I noticed that if I bring SuSEfirewall2 down and I
repeat the latter operation, my Windows client can
ping the Linux server just fine, but won't ping the
hosts behind it probably because forwarding is
disabled (? - not really an expert in this). 

So I guess my problem is that I missed something in
the SuSEfirewall2 configuration (is there a SuSE user
out there?). Here are my settings:
Linux server eth0 has public WAN IP, eth1 has private
IP 192.168.1.92.
Eth1 links to a switch to which the remote LAN's PCs
are connected (all are within the 192.168.1.0 range).
Server-side connectivity is OK (I can ping to LAN PCs
from within 192.168.1.92).

Yast configuration is as follows:
* IP forwarding enabled
* susefirewall2 config file:
FW_QUICKMODE="no"
FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="pptp http https 137"
FW_SERVICES_EXT_UDP="137 500"
FW_SERVICES_EXT_IP="gre icmp 50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="137"
FW_SERVICES_INT_UDP="137"
FW_SERVICES_INT_IP="gre icmp"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"

From the Windows client I can connect and a fixed IP is
assigned: 192.168.1.101.
If I try to ping the remote 192.168.1.92 Linux server
(for example; or any other PC on the remote LAN) and I
check the Linux server's SYSLOG messages, I get:

kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT=eth1
SRC=192.168.1.101 DST=192.168.1.92 LEN=78 TTL=127
PROTO=UDP SPT=137 DPT=137 LEN=58

So, pinging the Linux server or any host behind it
(192.168.1.xxx) from the Windows client doesn't give
any response.

Any suggestions?

I am thinking of installing Shorewall; maybe it's more
complete than SuSEfirewall2. Or maybe I could learn
iptables... Is anyone interested in seeing my iptables
-L -n?

Regards,

Vieri
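An added example, not part of the post above and not SuSEfirewall2's own code: a small Python script that parses SuSE-FW kernel log lines of the kind quoted in the post and flags packets that arrived on a device listed as external while carrying a source address that belongs to a network bound to an internal device. That is the condition SuSEfirewall2's anti-spoof rule rejects, and it is exactly what the quoted line shows: IN=ppp0 (ppp0 is in FW_DEV_EXT) with SRC=192.168.1.101 (the eth1 subnet). The sample log lines, the host name "gw" and the interface-to-network mapping are constructed from the post's description, not captured from a real system.

```python
"""Flag SuSE-FW anti-spoof drops whose source address lies in an internal network."""
import ipaddress
import re

# Constructed sample syslog lines modelled on the log format in the post
# (not captured from a real system).
SAMPLE_LOG = """\
Sep 16 10:40:01 gw kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT=eth1 SRC=192.168.1.101 DST=192.168.1.92 LEN=78 TTL=127 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 16 10:40:03 gw kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT= SRC=192.168.1.101 DST=192.168.1.92 LEN=60 TTL=127 PROTO=ICMP TYPE=8 CODE=0
Sep 16 10:41:10 gw kernel: SUSE-FW-ACCEPT IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.92 LEN=60 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Sep 16 10:42:00 gw kernel: SUSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=50 PROTO=TCP SPT=4444 DPT=22
"""

# Assumed interface roles, taken from the post's FW_DEV_EXT / FW_DEV_INT
# settings and the eth1 address 192.168.1.92. These are assumptions for the
# example, not values read from a live SuSEfirewall2 configuration.
EXTERNAL_DEVS = {"eth0", "ppp0"}
INTERNAL_NETS = {"eth1": ipaddress.ip_network("192.168.1.0/24")}

LINE_RE = re.compile(r"kernel:\s+(\S+)\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one SuSE-FW kernel log line into its prefix and KEY=VALUE fields.

    Returns None for lines that are not firewall log entries. When a key is
    repeated (LEN appears for both the IP header and the UDP payload) the
    first occurrence wins. An empty value such as "OUT=" is kept as "".
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)
    fields["PREFIX"] = prefix
    return fields


def spoof_conflict(entry):
    """Return (in_dev, internal_dev, net) when a packet arrived on an external
    device but carries a source address belonging to an internal network,
    which is the condition the anti-spoof rule rejects. Otherwise None."""
    in_dev = entry.get("IN")
    src = entry.get("SRC")
    if in_dev not in EXTERNAL_DEVS or not src:
        return None
    addr = ipaddress.ip_address(src)
    for dev, net in INTERNAL_NETS.items():
        if addr in net:
            return (in_dev, dev, str(net))
    return None


def analyse(log):
    """Parse every line of `log` and annotate it with the spoof check."""
    results = []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        results.append({
            "prefix": entry["PREFIX"],
            "in": entry.get("IN"),
            "src": entry.get("SRC"),
            "proto": entry.get("PROTO"),
            "conflict": spoof_conflict(entry),
        })
    return results


def conflicting_sources(log):
    """Distinct source addresses logged as anti-spoof drops that the assumed
    interface/network mapping also classifies as spoofed."""
    return sorted({r["src"] for r in analyse(log)
                   if "ANTI-SPOOF" in r["prefix"] and r["conflict"]})


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        flag = "CONFLICT" if r["conflict"] else "ok"
        print(f"{r['prefix']:<28} IN={r['in']:<5} SRC={r['src']:<16} {r['proto']:<5} {flag}")
    print("anti-spoof sources:", conflicting_sources(SAMPLE_LOG))
```

Run against a real /var/log/messages the same way (`analyse(open("/var/log/messages").read())`). The first two constructed entries reproduce the situation in the post: the PPTP peer's address 192.168.1.101 falls inside the subnet the firewall associates with eth1, yet the packet enters on ppp0, which the configuration lists under FW_DEV_EXT, so the anti-spoof check treats it as a spoofed internal address regardless of protocol (the UDP/137 NetBIOS chatter and the ICMP echo alike). The check is only a classifier over the log; it does not change any rules.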
