RE: [squid-users] Squid and VPN, not working!!!

From: Mark Tinka <aknit44@dont-contact.us>
Date: Sun, 7 Oct 2001 23:40:59 -0700 (PDT)

Hi ...

Even with the Squid IPs specified in the client's browser, I still get the same error... We have been sniffing the connection, and it looks like we are getting large packets from yahoo.com.. but then, instead of Squid sending the request to fragment the packets to smaller sizes, it seems like the client is directly talking to yahoo.com to fragment the packets, and yahoo.com is going like.. "hey, I don't know you, what are you saying.." and closes the connection.. We then see several re-transmissions after that....

Even without Squid, we do get some re-transmissions and requests to fragment the packet size, but that's because the client is the one that "directly" contacted yahoo.com before, and not Squid...

We have tried to adjust the MTU on the Cisco, Linux server and Win2k server, but to no avail.. Any help will be appreciated... Thanks..

AKNIT

--- "Stuart Low" <thedude@perlboy.org> wrote:
>MMM,
>
>So you loop back from the Cisco router to the squid proxy?
>
>Now if you disable the transparent redirect and specify the squid proxy
>directly on the Windows 98 machine, does it work? If so, then what you have
>is squid TRYING to get out but it keeps looping back to itself (because the
>Cisco router is what it gets its connection through)..
>
>So basically you get;
>
>Windows 98 ---> Cisco --> Squid ---> Cisco --> Outside
>
>But instead you have
>
>Windows 98 --> Squid ---> Cisco --> Squid --> Cisco
>
>In an endless loop, make sure you have specified that the redirect rule does
>not incorporate the squid box itself.
>
>How's that?
>
>Stuart
>
>---
>Perlboy Productions - www.Perlboy.org
>ABN: 24 405 136 795
>Blogger for the Masses - www.Seekbrain.com
>
>
>
>> -----Original Message-----
>> From: Mark Tinka [mailto:aknit44@globenetcafe.net]
>> Sent: Sunday, October 07, 2001 10:04 PM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] Squid and VPN, not working!!!
>>
>>
>> Hi list... how are you all doing...
>>
>> Well, I have quite a complicated situation.. I am setting up a
>> connection to the internet using a VPN tunnel, and RADIUS.. Here
>> is the network layout...
>>
>> 1. requesting user with Windows 98 VPN client
>>
>> 2. pass-thru via multi-homed Windows 2000 Server running Remote
>> Access Server and Routing VPN server, connected to Windows 98
>> segment and Linux masquerader segment
>>
>> 3. authenticated by RADIUS server located on the Windows 2000
>> Server and masquerader segment
>>
>> 4. masqueraded thru a Linux box using IPChains and two network
>> cards onto the public internet
>>
>> 5. connection to the Cisco router gateway and then redirected
>> back to Squid server, transparently....
>>
>> Now, here is how it works... A user on the Windows 98 box
>> launches the MS-VPN client, which is configured to connect to the
>> Windows 2000 Server box.. The Win2k box then uses its Remote
>> Access and Routing server to send RADIUS Auth and Accounting
>> packets to the RADIUS server on its second network interface...
>>
>> The authentication goes well, and the Windows 98 user is
>> authenticated and connected, then assigned an IP on the Linux
>> masquerader network, effectively using VPN to localise the user....
>>
>> Now, when it comes to using the internet, the Windows 98 user can
>> connect to all local web servers and other non-HTTP services
>> anywhere.. The problem comes when the user sends an HTTP request
>> to a non-local domain, such as www.yahoo.com or www.cnn.com...
>> The user can resolve the domain name and connect to the site,
>> but can't download any content.. The connection just sits there,
>> hanging, and waiting, and nothing happens....
>>
>> We had a feeling it might have something to do with Squid, so we
>> disabled the transparent redirect on the router, and voila, we
>> were able to connect, albeit without Squid, which meant a little
>> slower... When we re-enabled Squid, we got the same problem again....
>>
>> Upon running a sniffer, we saw that the Windows 98 box makes
>> several re-transmissions.... and then becomes considered an
>> un-responsive station....
>>
>> Does anyone have any idea why this connection doesn't work with
>> Squid enabled...?.. Even with the Squid IPs defined in the
>> browser, same problem... Does the IP change Squid does to the
>> packet make the return packet null and void to the Windows 98 user..?..
>>
>> All help will be appreciated.. Thanks...
>>
>> AKNIT
>>
>> _____________________________________________________________
>> Be different Get yourself a Globenetcafe.net email ID
>> Uganda's Newest internet cafe www.globenetcafe.net
>>

_____________________________________________________________
Be different Get yourself a Globenetcafe.net email ID
Uganda's Newest internet cafe www.globenetcafe.net
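Stuart's point above (the redirect rule must not catch the Squid box's own outbound HTTP, or Squid's fetches are handed straight back to it) in Cisco IOS policy-routing form. This is an added example, not a configuration from the thread or from the Squid project; the Squid host address 192.0.2.10, the interface name FastEthernet0/0 and access-list number 110 are placeholders, and any real deployment also needs Squid itself configured to accept transparently redirected requests.

```cisco
! Added example, not from the thread. Placeholders: Squid box = 192.0.2.10,
! LAN-facing interface = FastEthernet0/0, access-list 110.
!
! Order matters: the deny line comes first so that HTTP originated BY the
! Squid box falls through to normal routing instead of being policy-routed
! back to Squid (the loop Stuart describes). A deny in a route-map's ACL
! means "do not policy-route this packet", not "drop it".
access-list 110 deny   tcp host 192.0.2.10 any eq www
! Everything else bound for port 80 is redirected to Squid.
access-list 110 permit tcp any any eq www
!
route-map squid-redirect permit 10
 match ip address 110
 set ip next-hop 192.0.2.10
!
! Apply on the interface where client (masquerader-side) traffic enters the
! router; packets arriving from the Squid box on any interface are excluded
! by the deny line above.
interface FastEthernet0/0
 ip policy route-map squid-redirect
```

To confirm the rule is matching only client traffic, `show route-map squid-redirect` shows per-route-map policy match counters; if the counters climb while the Squid box is fetching pages and clients still hang, the Squid host's own traffic is still being caught. If the Squid box sits behind the Linux masquerader rather than on its own router interface, the deny entry must name the address the router actually sees its traffic arrive from, which after masquerading may be the Linux box's public address rather than Squid's.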
Received on Mon Oct 08 2001 - 00:41:05 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:37 MST