VPN outbound problems
First make sure port 1723 is open on the machine you want to connect to On the router using tcpdump -i eth0 host WINDOWSIP and not port 22 and not port 80 on the router (where eth0 is the INTERNAL interface) try to make the connection and look at the data. If you're sending and recieving lots of packets but the final ACKs aren't completing from the remote machine Check if ip masquerading is on /etc/init.d/ipmasq start If there's outgoing traffic to the remote machine but none coming back make sure ip forwarding is allowed echo "1" > /proc/sys/net/ipv4/ip_forward will allow outbound vpn connections. If you do that make sure echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter as well
The router needs to be able to forward port 1723 and 500 traffic. This is usually done with the firewall and ip masquerading. It also needs to be able to forward gre (PPTP - Microsoft) and esp (IPSEC - Cisco) packets.
this site has some examples how to connect using iptables iptables -A INPUT -p gre -j ACCEPT iptables -A OUTPUT -p gre -j ACCEPT iptables -A INPUT -p esp -j ACCEPT iptables -A OUTPUT -p esp -j ACCEPT
- The remote firewall: the firewall at the server end must allow a system with the IP address assigned to your Linux box by your ISP to connect to port 500/udp on the IPsec host or port 1723/tcp on the PPTP server. If you had the VPN working when your VPN client system directly dialled your ISP then this probably is not the problem.
- The server firewall and ESP: the IPsec encrypted data is carried over IP protocol 50. If the firewall the remote IPsec host is behind does not forward ESP traffic in both directions, IPsec will not work. Again, if you had IPsec working when your IPsec client system directly dialled your ISP then this probably is not the problem.
- The server firewall and GRE: the PPTP data channel is carried as a GRE-encapsulated (IP protocol 47) PPP session. If the firewall your PPTP server is behind does not forward GRE traffic in both directions, PPTP will not work. Again, if you had PPTP working when your PPTP client system directly dialed your ISP then this probably isn't the problem.