1) If the RRAS-based VPN server is behind a firewall (i.e. a firewall is placed between the Internet and the RRAS server), then the following ports need to be opened (bidirectional) on this firewall to allow VPN traffic to pass through:

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
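
The list above mixes TCP/UDP port numbers with raw IP protocol numbers (GRE is protocol 47, ESP is protocol 50), and a firewall rule for "port 47" does not pass GRE. The following is an added example, not part of the original article: it audits a rule list against the scenario 1 table. The rule syntax and the sample rules are constructed for illustration, and every rule is assumed to be bidirectional.

```python
# Added example: audit firewall rules against the scenario 1 table above.
# Hypothetical rule syntax: "allow <tcp|udp> <port>" or "allow proto <n|gre|esp>".
REQUIRED = {
    "PPTP":  [("tcp", 1723), ("proto", 47)],
    "L2TP":  [("udp", 500), ("udp", 4500), ("proto", 50)],
    "SSTP":  [("tcp", 443)],
    "IKEv2": [("udp", 500), ("udp", 4500), ("proto", 50)],
}
PROTO_NAMES = {"gre": 47, "esp": 50}


def parse_rules(text):
    """Return the set of (kind, number) flows that the rule text allows."""
    allowed = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) != 3 or fields[0] != "allow":
            continue  # blank line, comment, or a rule this sketch ignores
        kind, value = fields[1], fields[2]
        if kind in ("tcp", "udp") and value.isdigit():
            allowed.add((kind, int(value)))
        elif kind == "proto":
            number = PROTO_NAMES.get(value, int(value) if value.isdigit() else None)
            if number is not None:
                allowed.add(("proto", number))
    return allowed


def audit(text, vpn_type):
    """List missing flows, plus ports opened where an IP protocol was meant."""
    allowed = parse_rules(text)
    missing = [flow for flow in REQUIRED[vpn_type] if flow not in allowed]
    # TCP/UDP port 47 or 50 is not the same thing as IP protocol 47 or 50.
    mixed_up = sorted({n for kind, n in missing if kind == "proto"
                       and (("tcp", n) in allowed or ("udp", n) in allowed)})
    return {"missing": missing, "port_opened_instead_of_protocol": mixed_up}


# Constructed sample: GRE was entered as a TCP port, and TCP 443 is not open.
SAMPLE_RULES = """
allow tcp 1723
allow tcp 47      # meant to be IP protocol 47 (GRE)
allow udp 500
allow udp 4500
allow proto esp
"""

if __name__ == "__main__":
    for vpn in REQUIRED:
        print(vpn, audit(SAMPLE_RULES, vpn))
```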

2) If the RRAS server is directly connected to the Internet, then you need to protect the RRAS server from the Internet side (i.e. only allow access to the services on the public interface that are accessible from the Internet side). This can be done using RRAS static filters or by running Windows Firewall on the public interface (or the interface towards the Internet side). In this scenario the following ports need to be opened (bidirectional) on the RRAS box to allow VPN traffic to pass through:

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701   <- Used by L2TP control/data path
    • IP Protocol Type=50   <- Used by data path (ESP)
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701   <- Used by L2TP control/data path
    • IP Protocol Type=50   <- Used by data path (ESP)

Note: Please DO NOT configure RRAS static filters if you are running RRAS-based NAT router functionality on the same server. This is because RRAS static filters are stateless and NAT translation requires a stateful edge firewall like ISA firewall.

Do not forget: If you enable Windows Firewall or RRAS static filters on the public interface and only allow VPN traffic to pass through, then all other traffic may be dropped. For example, if the same server is also running as an Internet-facing mail server, a DNS server or a reverse web proxy server, then you need to explicitly open the ports used by those services. For further details, refer to this article: http://blogs.technet.com/rrasblog/archive/2006/07/06/enabling-rras-drops-all-other-traffic-except-vpn-traffic.aspx

Ref: https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/

Also, if the L2TP server is behind a firewall, a Mac can connect but Windows cannot. In that case you need to change the Windows registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Ref : http://support.microsoft.com/kb/926179

Installing a VPN server on Linux

Installing a VPN server on Linux requires the pptpd package. http://www.poptop.org
Poptop is the PPTP server solution for Linux. Ports also exist for Solaris 2.6, OpenBSD, FreeBSD and others.

1. If the Linux kernel version is lower than 2.6.15-rc1, you must add MPPE support to the kernel. Some kernels already include MPPE support. You can run  modprobe ppp-compress-18 && echo ok  to test whether it is already installed.
If the kernel has no MPPE support, you must install it: download the latest DKMS RPM and kernel_ppp_mppe RPM. Download location: new MPPE module builder, http://sourceforge.net/project/showfiles.php?group_id=44827&package_id=120221

2. Upgrade PPP to 2.4.3 or later:
http://sourceforge.net/project/showfiles.php?group_id=44827&package_id=118989

3. Install the latest pptpd RPM:
http://sourceforge.net/project/showfiles.php?group_id=44827&package_id=51373

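4. Configuration files:
/etc/modules.conf – Red Hat Linux releases from before 2001 have this file
/etc/pptpd.conf – main configuration file; configures the VPN addresses and so on.
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets – user names/passwords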

5. Start the service: service pptpd start

6. Connect

Enable IP routing: /etc/sysctl.conf
net.ipv4.ip_forward = 1

All done.

dkms-2.0.6-1.noarch.rpm
dkms-2.0.6-1.src.rpm
gcc-3.4.4-2.i386.rpm
glibc-devel-2.3.4-2.13.i386.rpm
glibc-headers-2.3.4-2.13.i386.rpm
glibc-kernheaders-2.4-9.1.98.EL.i386.rpm
kernel-devel-2.6.9-22.EL.i686.rpm
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
kernel_ppp_mppe-1.0.2-3dkms.src.rpm
ppp-2.4.3-5.rhel4.i386.rpm
pptp-1.7.0-1.i386.rpm
pptpd-1.2.3-1.i386.rpm
pptpd-1.3.0-0.i386.rpm

Original by G0dspeed