IPCop.org FAQs (frequently-asked questions)
What is a VPN?
A VPN is a Virtual Private Network. It is a way of allowing computers that aren't directly connected to the same network to behave as if they were. The basic idea is that you have two IPCop machines, far apart from each other, that need to be connected as if they were one network.
The traffic that travels over the VPN is encrypted and authenticated, so it can cross the Internet without being read or altered in transit.
A most excellent VPN document is here: IPCopVPNHowto
Why do I want a VPN?
With a VPN, you can access other machines across the Internet as if they were on the same LAN segment as your own. The traffic travelling across the Internet is encrypted.
I've read the FAQ, the documentation and my VPN still won't connect. What now?
There are two sources of help with IPsec, IPCop's VPN. The first choice should be the IPCop user mailing list. Super FreeS/WAN, the IPsec implementation IPCop uses, is an open source project too; check its web site for support.
In many cases you will be asked for complete documentation of your problem. Log in to your IPCop as root and issue the following command:
ipsec barf > /tmp/problem.txt
This dumps everything about IPsec (configuration, status and recent log entries) to the file /tmp/problem.txt.
Use scp or pscp from another machine to copy the file to it and include it in your email. You may need to do this on both sides of your VPN. Read through the file before posting it to a public list: it contains your full IPsec configuration, so make sure no pre-shared keys or private key material go out with it.
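Because the dump is meant for a public mailing list, it is worth scrubbing it before it leaves the firewall. The script below is an added example, not part of the IPCop FAQ or of FreeS/WAN. It assumes the dump echoes ipsec.secrets entries in FreeS/WAN syntax (`: PSK "text"` or `: PSK 0x…`/`0s…`); the sample dump, addresses and identities are constructed for the example.

```shell
#!/bin/sh
# Added example (not from IPCop or FreeS/WAN): scrub pre-shared keys from an
# "ipsec barf" dump before mailing it to a public list.
# Assumed secret syntax (FreeS/WAN ipsec.secrets):
#   <local-id> <remote-id> : PSK "string"          quoted text
#   <local-id> <remote-id> : PSK 0x...  or 0s...   hex or base64 token

# Constructed sample of what a dump might echo back from ipsec.secrets.
SAMPLE_DUMP='+ _________________________ ipsec/secrets
198.51.100.7 203.0.113.5 : PSK "not-so-secret-phrase"
@home @office : PSK 0x5f3a9c00deadbeef
198.51.100.7 %any : RSA /etc/ipsec.d/private/host.pem
+ _________________________ ipsec/status
000 "branch": 198.51.100.7...203.0.113.5'

# redact_psk: copy stdin to stdout with every PSK value replaced by a marker.
# The first expression handles quoted secrets, the second hex/base64 tokens.
redact_psk() {
    sed -e 's/\(:[[:space:]]*PSK[[:space:]]*\)"[^"]*"/\1"[REDACTED]"/' \
        -e 's/\(:[[:space:]]*PSK[[:space:]]*\)0[xs][^[:space:]]*/\10x[REDACTED]/'
}

# psk_leak_count: number of PSK lines on stdin that are still unredacted.
# Run it on the cleaned file as a last check; the answer should be 0.
psk_leak_count() {
    grep ':[[:space:]]*PSK' | grep -vc '\[REDACTED\]' || true
}

# On a real IPCop box the flow would be:
#   ipsec barf > /tmp/problem.txt 2>&1
#   redact_psk < /tmp/problem.txt > /tmp/problem-clean.txt
#   psk_leak_count < /tmp/problem-clean.txt
# Here the constructed sample stands in for the barf output.
printf '%s\n' "$SAMPLE_DUMP" | redact_psk
```

The RSA line is left alone on purpose: it only names a key file, and the dump's other sections (status, routing) are exactly what the people helping you need to see.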
How should I implement the VPN between two IPCop servers?
Have a look at the VPN HowTo at http://www.ipcop.org/1.2.0/en/vpn/html/
How do I get the VPN to come up automatically?
The built-in VPN in IPCop will start automatically when both ends of the connection are available.
How do I forward PPTP to an internal MS VPN Server (prior to 1.3.0)?
Microsoft's PPTP implementation has a history of security problems, so make sure you have applied all service packs and hotfixes to all the computers before starting. PPTP needs two things passed through the firewall: the TCP control connection on port 1723 and the GRE tunnel (IP protocol 47), which carries no port numbers and so cannot be handled by an ordinary port forward.
Using the IPCop web interface, forward port 1723 to the IP of your PPTP server.
Then log in to the firewall command line and run: ipfwd --masq <pptp-server-ip> 47 & (e.g. ipfwd --masq 10.0.0.2 47 &).
To make the second change permanent, add the ipfwd command to the end of the /etc/rc.d/rc.network file.
How do I forward PPTP to an internal MS VPN Server (1.3.0 and above)?
Use the IPCop web interface to forward port tcp/1723 to the IP of your PPTP server. Then forward the GRE protocol to your PPTP server, also using the web interface. That's it!
How do I connect to a remote Microsoft PPTP server?
Unanswered, but suggested question.
How do I connect to a remote Microsoft IPsec server?
Have a look at http://jixen.tripod.com/
How do I connect a Win2K (XP) client to IPCop?
There is a fairly complicated HOWTO at VPN.EBOOTIS.DE, but Darren Critchley has added a detailed explanation of how to connect a Win2K (or XP) client to IPCop to the IPCopVPNHowto page.
How do I connect an IPsec client behind IPCop to a remote IPsec server?
To run an IPsec client behind IP masquerading you have to enable IPsec passthrough on your IPCop: use your browser to log in to your IPCop as the "admin" user, go to the VPNs web page and enable IPsec passthrough in the Global settings section. Masquerading rewrites port numbers and ESP has none, so without this option the encrypted traffic cannot be matched back to the client that sent it.
(Note this only applies to IPCop version 1.2. The feature is gone in newer versions because the 2.4 kernels do not have an option to pass through IPsec traffic.)
How do I connect to a remote Nortel server?
Marcus Loeken suggested the solution below, after searching the web and finding a post with a helpful solution. RickNSD wrote an interesting answer (the question was about using a D-Link router) and linked to a page on D-Link's website:
I too just resolved my Nortel Contivity 4.6 w/ D-Link 764 (802.11 a & b) issue. I used the resolution listed at D-Link specifically for the Contivity Client:
http://support.dlink.com/faq/view.asp?prod_id=1153&question=DI-614+
Two things I did differently:
1) Had to make sure the EACfilt driver was bound/checked to each NIC using the Contivity Client.
2) To avoid having to use only 1 client as a virtual server, I made firewall entries directly instead, as follows:
Read L to R as Source then Destination
Allow VPN -9550   WAN,(IP range of contivity switches)   LAN,*   UDP,9550
Allow VPN -9550   WAN,(IP range of contivity switches)   LAN,*   TCP,9550
Allow VPN -1723   WAN,(IP range of contivity switches)   LAN,*   TCP,1723
Allow VPN -1723   LAN,*   WAN,(IP range of contivity switches)   TCP,1723
Allow VPN -500    LAN,*   WAN,(IP range of contivity switches)   UDP,500
Allow VPN -500    WAN,(IP range of contivity switches)   LAN,*   UDP,500
I followed all other instructions on the d-link document. The Contivity Client did have the 'disable keepalives' checked and with group authentication.
My VPN connection flies now (used to have an SMC barricade 7004AWBR) and have no issues with the configuration so far.
Hope this helps someone.
So Marcus added some ports to the port forwarding section of his IPCop (ver. 1.2.0), and now it looks like this:
Protocol   Source IP    Source port   Destination IP   Destination port
UDP        DEFAULT IP   500           192.168.63.100   500
UDP        DEFAULT IP   9550          192.168.63.100   9550
TCP        DEFAULT IP   9550          192.168.63.100   9550
TCP        DEFAULT IP   1723          192.168.63.100   1723
192.168.63.100 is the IP of his laptop, and he says "now it works!!! I can connect with the Nortel Contivity client ver. 4.7!"
Thanks Marcus :)
-- EricOberlander - 05 May 2003
How do I connect to a remote Check Point SecuRemote server?
This worked with SecureClient NG Feature Pack 3 HF 1 (build 53515). Attempts with Feature Pack 2 haven't been successful.
Use your browser to log in to your IPCop as the "admin" user and then go to the VPNs web page. Set the Local VPN IP to the computer running SecureClient and check Enable. Save your changes.
On the Services -> Port forwarding page add the following rule:
Protocol: UDP
Source port: 2746
Destination port: 2746
Destination IP: (your SecureClient PC)
For better security, set the source IP to the address of your VPN gateway, which limits the forward to traffic coming from that gateway. You can determine the address by trying to connect to the VPN server before enabling the port forward above: your firewall log will show several connection attempts from the VPN gateway to port 2746 on your red interface.
Thanks to Dag Christensen - 01 Jul 2003
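The PPTP, Nortel and SecuRemote answers above all come down to the same two steps: read the firewall log to learn which remote gateway is knocking, then forward a protocol or port to one internal host, ideally restricted to that gateway. The script below is an added example, not IPCop's own code or web-interface logic; it shows the equivalent iptables rules for a 2.4-kernel (IPCop 1.3 and later) box. It assumes the red interface is eth1, netfilter LOG-style kernel log lines, and constructed sample addresses (the 1.2 series used ipchains, whose log format differs).

```shell
#!/bin/sh
# Added example (not from the IPCop FAQ or the IPCop code base).
# Assumptions: red interface is eth1; log lines are netfilter LOG output;
# all addresses are constructed for the example.

# Constructed sample of the denied-packet lines the SecuRemote answer says
# appear while the client tries to connect before the forward exists.
SAMPLE_LOG='Jul  1 09:12:01 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=92 PROTO=UDP SPT=2746 DPT=2746 LEN=72
Jul  1 09:12:03 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=92 PROTO=UDP SPT=2746 DPT=2746 LEN=72
Jul  1 09:12:05 ipcop kernel: INPUT IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=41022 DPT=22 WINDOW=5840
Jul  1 09:12:08 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=92 PROTO=UDP SPT=2746 DPT=2746 LEN=72'

# vpn_gateway_from_log PORT: print each distinct source address seen sending
# UDP to PORT on the red interface. Reads log text on stdin.
vpn_gateway_from_log() {
    awk -v port="$1" '
        /kernel:/ && / IN=eth1 / && / PROTO=UDP / && $0 ~ (" DPT=" port "( |$)") {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") print substr($i, 5)
        }' | sort -u
}

# dnat_rule PROTO PORT DEST_IP [SOURCE_IP]: print the iptables PREROUTING rule
# that forwards PROTO/PORT arriving on red to DEST_IP. When SOURCE_IP is given
# the rule only matches that peer, the "for better security" step in the FAQ.
# Pass "gre" as PROTO (port ignored) for the PPTP tunnel: GRE has no ports, so
# it is redirected by protocol alone, as the 1.3.0+ web interface does.
dnat_rule() {
    dr_proto=$1 dr_port=$2 dr_dest=$3 dr_src=${4:-}
    dr_rule="iptables -t nat -A PREROUTING -i eth1 -p $dr_proto"
    [ "$dr_proto" != gre ] && dr_rule="$dr_rule --dport $dr_port"
    [ -n "$dr_src" ] && dr_rule="$dr_rule -s $dr_src"
    if [ "$dr_proto" = gre ]; then
        printf '%s -j DNAT --to-destination %s\n' "$dr_rule" "$dr_dest"
    else
        printf '%s -j DNAT --to-destination %s:%s\n' "$dr_rule" "$dr_dest" "$dr_port"
    fi
}

# SecuRemote: learn the gateway from the log, then forward udp/2746 only from it.
gw=$(printf '%s\n' "$SAMPLE_LOG" | vpn_gateway_from_log 2746)
echo "# VPN gateway(s) seen on udp/2746: $gw"
for g in $gw; do
    dnat_rule udp 2746 192.168.1.50 "$g"
done

# Nortel Contivity client behind IPCop (Marcus's forwards, unrestricted source).
echo "# Nortel Contivity client"
dnat_rule udp 500 192.168.63.100
dnat_rule udp 9550 192.168.63.100
dnat_rule tcp 9550 192.168.63.100
dnat_rule tcp 1723 192.168.63.100

# PPTP server behind IPCop: control channel plus the GRE tunnel.
echo "# PPTP server"
dnat_rule tcp 1723 10.0.0.2
dnat_rule gre - 10.0.0.2
```

A DNAT rule on its own is not enough on a box with a default-deny FORWARD chain; the matching ACCEPT in the FORWARD chain is what the IPCop web interface adds for you alongside the translation.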