From: Peter A. <pal...@co...> - 2004-06-25 04:02:07

For some reason I can't seem to open a VNC connection all the way across my ipsec tunnel.

I can bring up the connection and enter the password fine.

The screen then comes up but it's all black and then eventually closes the connection.

I'm connecting from behind a linux nat firewall that's doing an ipsec tunnel to a netscreen appliance.

At first I thought it was the linux wall nat'ing the ip so I turned off nat but it still won't work.

Does anyone have any ideas??

thanks.

Peter

From: Ludo S. <lu...@pr...> - 2004-06-25 06:47:44

On Fri, 2004-06-25 at 06:02, Peter Alliett wrote:
> For some reason I can't seem to open a VNC connection all the way across
> my ipsec tunnel.
>
> I can bring up the connection enter the password fine.
>
> The screen then comes up but its all black and then eventually closes
> the connection.

I assume that you allow all ports in the 5800-6000 range? (As it's over an ipsec tunnel this should be safe enough.)

Best to check the MTU/MRU of the connection. What kind of an internet connection do you use? Some form of PPP connection, or other tunneling protocol?

If you use ppp try something like the following:

    #>ip link set dev ppp0 mtu 1400

Greetings,
Ludo.

From: Peter A. <pal...@co...> - 2004-06-25 12:09:09

It's a cable modem connection from home.

Yes, I have allow rules for 5800 - 5900.

The MTU on the eth0 device is set to 1500.

Thanks,

Peter

From: Ludo S. <lu...@pr...> - 2004-06-25 12:21:00

Could you try to:

    >ip link set dev eth0 mtu 1400

and try again?

As far as I know also some ports about 5900 could be used by VNC. (up to 6000)

From: Peter A. <pal...@co...> - 2004-06-25 12:33:02

Set eth0 and eth1 to 1400, same result.

Time to dig out tcpdump I guess and see where the packets are going.

What's weird is all the other services work, like SSH, telnet, samba.

Thanks,

Peter

From: Peter A. <pal...@co...> - 2004-06-25 12:44:04

This is the only thing I see of any relevance:

    08:33:41.455183 my-outside-ip-addy > 192.168.213.70: icmp: 172.16.4.101 unreachable - need to frag (mtu 1400) [tos 0xc0]

Thanks,

Peter

From: Peter A. <pal...@co...> - 2004-06-26 00:36:01

I got it w00t.

Had to add the following iptables rule:

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

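How the `need to frag (mtu 1400)` line in the capture relates to the TCPMSS rule that resolved the thread, as an added example that is not part of the original messages: it reads tcpdump text output, takes the path MTU from the ICMP message, and flags SYN packets that advertise an MSS larger than that MTU minus the 40 bytes of IPv4 and TCP headers. The three TCP lines in the sample, the port 32801 and the function names are constructed for illustration.

```python
import re

# Old-style tcpdump text output, as in the thread. The ICMP line is the one
# posted above; the three TCP lines are constructed for this example.
CAPTURE = """\
08:33:40.101200 192.168.213.70.32801 > 172.16.4.101.5900: S 1000:1000(0) win 5840 <mss 1460,sackOK,timestamp 100 0,nop,wscale 0> (DF)
08:33:40.180400 172.16.4.101.5900 > 192.168.213.70.32801: S 2000:2000(0) ack 1001 win 5792 <mss 1460,sackOK,timestamp 200 100,nop,wscale 0> (DF)
08:33:41.455001 192.168.213.70.32801 > 172.16.4.101.5900: . 1:1449(1448) ack 1 win 5840 <nop,nop,timestamp 150 200> (DF)
08:33:41.455183 my-outside-ip-addy > 192.168.213.70: icmp: 172.16.4.101 unreachable - need to frag (mtu 1400) [tos 0xc0]
"""

FRAG_NEEDED = re.compile(r"(\S+) > (\S+): icmp: (\S+) unreachable - need to frag \(mtu (\d+)\)")
SYN_MSS = re.compile(r"(\S+) > (\S+): S .*?\bmss (\d+)")
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def path_mtu(capture):
    """Smallest MTU reported by any ICMP 'need to frag' line, or None."""
    mtus = [int(m.group(4)) for m in FRAG_NEEDED.finditer(capture)]
    return min(mtus) if mtus else None


def oversized_syns(capture):
    """SYN/SYN-ACK packets whose advertised MSS cannot fit the path MTU.

    Returns (src, dst, advertised_mss, clamped_mss) tuples; clamped_mss is
    the largest MSS that still fits the reported path MTU.
    """
    mtu = path_mtu(capture)
    if mtu is None:
        return []
    limit = mtu - IPV4_TCP_HEADERS
    return [(m.group(1), m.group(2), int(m.group(3)), limit)
            for m in SYN_MSS.finditer(capture) if int(m.group(3)) > limit]


if __name__ == "__main__":
    print("path MTU reported:", path_mtu(CAPTURE))
    for src, dst, mss, limit in oversized_syns(CAPTURE):
        print(f"{src} -> {dst}: mss {mss} exceeds {limit}")
```

On the sample, both handshake packets advertise 1460 against a limit of 1360, so full-size segments with DF set will not fit the 1400-byte path; once the advertised MSS is 1360 or lower the list comes back empty.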