Use PPTP. IPSec/L2TP doesn’t work over NAT (yet).
In a nutshell: get PoPToP (pptpd), PPP, and a recent Linux kernel. Get the MPPE patches from here: http://www.polbox.com/h/hs001/. Patch, build, install, and reboot with the appropriate support enabled in the kernel config.
My /etc/pptpd.conf file looks like this:
name pptpd
option /etc/ppp/options.pptpd
localip 10.0.2.1
remoteip 10.0.2.2-254
My /etc/ppp/options.pptpd looks like this:
name pptpd
require-mschap-v2
mppe required,stateless
proxyarp
ms-dns <primary DNS IP here>
ms-dns <secondary DNS IP here>
My /etc/ppp/options looks like this:
lock
My /etc/ppp/chap-secrets looks like this:
user1 pptpd user1password *
user2 pptpd user2password *
(etc.)
Fire up pptpd, turn on packet forwarding, and NAT (the three commands below do this):
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.2.0/24 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
pptpd -c /etc/pptpd.conf
Make sure you have your firewall config right. You need to open TCP port 1723 to the appropriate clients AND pass protocol 47 (GRE) packets from them. E.g., a couple of sample ipchains rules to do that might look like this:
ipchains -A input -p tcp -s <client-ip-here> -d <server-ip-here> --destination-port 1723 -j ACCEPT
ipchains -A input -p 47 -s <client-ip-here> -d <server-ip-here> -j ACCEPT
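The following script is an added example, not part of the original post: it pulls the pieces above together as shell functions that sanity-check the pptpd.conf address settings and the chap-secrets entries before the daemon is started, and that emit the NAT rule plus per-client accept rules in iptables syntax (the iptables equivalents of the ipchains rules above; the `--dport 1723` and `-p 47` matches are standard iptables options). The config contents, interface name, server address and client addresses embedded in it are constructed sample values.

```shell
#!/bin/sh
# Added example (not the original post's code): check the pptpd/chap-secrets
# settings shown above and emit the firewall/NAT rules for a client list.

# Constructed sample contents mirroring the post's config files.
PPTPD_CONF='name pptpd
option /etc/ppp/options.pptpd
localip 10.0.2.1
remoteip 10.0.2.2-254'

CHAP_SECRETS='user1 pptpd user1password *
user2 pptpd user2password *'

# Constructed broken file: a duplicate user and a line with too few fields.
BAD_SECRETS='user1 pptpd user1password *
user1 pptpd otherpassword *
broken line'

# Print the value of a "key value" line from a pptpd.conf-style text.
conf_value() { printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }'; }

# Number of client addresses in a remoteip setting such as 10.0.2.2-254
# (pptpd's range form); a single address counts as 1.
remoteip_count() {
    range=$1
    case "$range" in
        *-*)
            last_octet=${range##*.}      # 2-254
            lo=${last_octet%-*}; hi=${last_octet#*-}
            echo $((hi - lo + 1))
            ;;
        *) echo 1 ;;
    esac
}

# True (exit 0) when localip lies inside the remoteip range, i.e. the server's
# own address could be handed out to a client.
localip_conflicts() {
    local_ip=$1; range=$2
    lprefix=${local_ip%.*}; loct=${local_ip##*.}
    rprefix=${range%.*}; last=${range##*.}
    lo=${last%-*}; hi=${last#*-}
    [ "$lprefix" = "$rprefix" ] && [ "$loct" -ge "$lo" ] && [ "$loct" -le "$hi" ]
}

# Count problems in chap-secrets text: every line needs four fields, the server
# field must match the "name" from pptpd.conf, and each user must be unique.
chap_problems() {
    server=$1; secrets=$2
    printf '%s\n' "$secrets" | awk -v s="$server" '
        NF != 4    { bad++; next }
        $2 != s    { bad++ }
        seen[$1]++ { bad++ }
        END { print bad + 0 }'
}

# Emit the MASQUERADE rule from the post plus, for each client address, the
# TCP/1723 and GRE (protocol 47) accepts, one command per line. Nothing is
# applied; the caller reviews the output and runs it.
emit_rules() {
    vpn_net=$1; wan_if=$2; server_ip=$3; shift 3
    echo "iptables -A POSTROUTING -t nat -o $wan_if -s $vpn_net -j MASQUERADE"
    for client in "$@"; do
        echo "iptables -A INPUT -p tcp -s $client -d $server_ip --dport 1723 -j ACCEPT"
        echo "iptables -A INPUT -p 47 -s $client -d $server_ip -j ACCEPT"
    done
}

# Usage: run the checks on the sample config, then print the rules for two
# constructed client addresses.
localip=$(conf_value localip "$PPTPD_CONF")
remote=$(conf_value remoteip "$PPTPD_CONF")
server=$(conf_value name "$PPTPD_CONF")
echo "remoteip pool size: $(remoteip_count "$remote")"
if localip_conflicts "$localip" "$remote"; then
    echo "WARNING: localip $localip is inside remoteip range $remote"
fi
echo "chap-secrets problems: $(chap_problems "$server" "$CHAP_SECRETS")"
emit_rules 10.0.2.0/24 eth0 192.0.2.1 198.51.100.7 198.51.100.8
```

The rules are printed rather than applied so they can be reviewed first; the per-client accepts keep the firewall to exactly the two things the post says are needed (TCP 1723 and GRE) and only from the listed clients.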
With this config, you should have both Panther and WinXP clients connecting easily, even at the same time from behind the same NAT!
Phil 😉