
VPN out from behind a Linux firewall (RedHat 7).

jasonja

Golden Member
I have a Toshiba Magnia SG20 Appliance server that runs RedHat 7.0 connected to my Cable modem. The Magnia is connected to my cable modem and it acts as my firewall and router (dhcp, etc). Most everything works fine or with a little tweaking with IPChains, but I can not get my XP machine to connect to my work's VPN server through the built-in XP VPN dialer. I have read all the VPN and masquerading docs I can find. It appears that you need the ip_masq_pptp.o module running. This module is on my Magnia but it wasn't loaded. I loaded it using "modprobe ip_masq_pptp.o" along with "modprobe ip_masq_ipsec". Both modules appear to be loaded (checked with lsmod) and I've disabled the firewall so it basically allows everything in, everything out, and the forward rule is set to MASQ everything. Still can't connect, it just pauses at verifying password until it gives up.

Is there anything I'm missing? If the modules loaded okay then I suppose my kernel supports GRE, PPTP and all that jazz right? Kernel version is 2.2.16-12 if that helps.

Thanks in advance
Jason.
 
If you were using iptables, I could give you the exact line to add to your firewall script. Is the 2.4 kernel in 7.0? I can't remember..

But, what you need to do, most likely, is add a rule that forwards protocol 47 through. It's not done automatically by the standard pass-all rules. Protocol 47 is an encryption protocol, I believe also referred to as GRE, but simply forwarding it allows many VPN solutions to work.
 
Kernel 2.2.22 is the latest patch for RedHat 7. Because this is an "appliance" I fear that tinkering too much could break things. This box has quite a bit of custom software, but 90% is just RedHat so I know it must be possible to do this.

I did add some lines to forward protocol 47 as well as port 1723, but still nothing. All the docs I read make this sound easy once you have a kernel with modules to do it, so I wonder if my kernel really supports PPTP or not. Is it possible that my kernel was built without support for it but would still load the module? Or would it fail to load the module if it didn't support it?
 
RH7.1 was the first version of redhat that introduced the 2.4 series of kernels.

My initial suggestion would be to contact Toshiba's support for this, if they offer it, as they'll know one way or the other whether or not you can do what you want to do without significantly breaking things.

Another thing you could try is to load the 2.4 kernel in beside the 2.2 kernel and see if it will let you still run everything you need to run and allow you to use netfilter instead of ipchains.

However, that's presuming you're ok with kernel compiles. 🙂

On the modules front: If the module exists, support for it was compiled. When you compile a linux kernel, you can select several actions for each option.
1. You can opt not to compile the option.
2. You can compile the specified option AS a module.
3. You can compile the specified option into the kernel directly.

The modules that you load using modprobe use a standard interface, so the only way the kernel would not load a module would be if the module was compiled from a different kernel version. If that happened, you would see error messages, and in 95% of cases, insmod/modprobe would fail.
 
Let me first say that Toshiba support on this flat out sucks. I've called them 3 times on different SIMPLE issues and they simply spew "we don't support it". I had to figure out port forwarding on my own after they claimed it could not do it. Obviously it's just Linux underneath so almost anything can be done to it and they have the ability to send it upgrades (actually a supported feature!), but they don't ever send down any useful updates.

I don't think Linux 2.4 on there will work, they have lots of built-in scripts that set up the firewall and it's all based on IPChains. I'm very confident that moving to kernel 2.4 (with IPTABLES) will completely render this box unusable as it's configured.

The other thing I considered was installing a RedHat RPM kernel patch for kernel 2.2.22, perhaps something in it will kickstart this stuff to work. I'm a software engineer (but Windows is my boat) so compiling code doesn't scare me, but I figure the less risk and added ease of a RPM makes it a better choice for my limited Linux knowledge. I figure kernel 2.2.22 would still allow everything Toshiba has added to function normally.
 
OK, I was able to get RedHat 7.2 on the Magnia and it uses a 2.4 kernel. Can anyone tell me what I need to add for VPN now?
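The point made earlier in the thread (pass-all rules do not cover IP protocol 47, so the PPTP control channel on TCP 1723 connects but the GRE data channel never comes back and the dialer stalls at "verifying password") can be made concrete for the 2.4/iptables setup the box now runs. The script below is an added example for this thread, not code posted by any participant or shipped by Toshiba. It assumes the external interface is named eth0 (constructed; override with EXT_IF) and that the kernel has the netfilter PPTP connection-tracking helpers ip_conntrack_pptp and ip_nat_pptp available, which on 2.4 kernels is an assumption that depends on the build. With DRY_RUN=1 (the default) it only prints the commands, so you can review the rule set before applying it with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example for the thread above; assumes EXT_IF (default eth0, constructed)
# and that ip_conntrack_pptp / ip_nat_pptp exist on this kernel (assumption).
# DRY_RUN=1 prints the commands instead of executing them.

EXT_IF="${EXT_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# pptp_modules: load the helpers that tie GRE replies from the VPN server
# back to the inside host that opened the TCP 1723 control connection
pptp_modules() {
    run modprobe ip_conntrack_pptp
    run modprobe ip_nat_pptp
}

# pptp_rules: the FORWARD and NAT rules a PPTP client behind this box needs
pptp_rules() {
    # Control channel: TCP 1723 out to the VPN server, replies back in
    run iptables -A FORWARD -o "$EXT_IF" -p tcp --dport 1723 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -p tcp --sport 1723 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Data channel: IP protocol 47 (GRE) in both directions. This is the
    # traffic a TCP/UDP-only "pass everything" rule set silently drops.
    run iptables -A FORWARD -o "$EXT_IF" -p 47 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -p 47 -j ACCEPT
    # Masquerade LAN traffic (GRE included) behind the external address
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

pptp_modules
pptp_rules
```

The ESTABLISHED,RELATED match on the return path is what makes the inbound rules narrow: only replies to the client's own control connection, and GRE tied to it by the helper, are let back in, rather than any traffic the VPN server's address chooses to send. To keep the rules across reboots on Red Hat 7.2, save them with `iptables-save` into /etc/sysconfig/iptables.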
 