Re: [squid-users] Squid and VPN, not working!!!

From: Mark Tinka <aknit44@dont-contact.us>
Date: Mon, 8 Oct 2001 00:54:51 -0700 (PDT)

hey Torsten, thanks a lot for the tips..

i have modified the MTU option in my /proc partition on the Linux, and i will say that there is some improvement.. the only problem is that i can't seem to download some web sites, and some web sites fully.. for instance, i can only download part of the main yahoo.com page, but can read my e-mail on the mail.yahoo.com pages....

also, i can download the cnn.com page, but it hangs when trying to download the main graphics.. same thing for google.com .. basically, your advice helped us a lot.. i can see we are headed in the right direction.. there's just something we are missing now... just can't seem to place my fingers on it.. we are guessing maybe something with the Win2k VPN concentrator.. but i can't seem to find any option in this server similar to what you suggested to be done in the squid...

the hunt continues.. and i appreciate all the help you have given thus far.. if anything pops up, please let me know...

thanks.. AKNIT

--- Torsten.Lange@GECITS-EU.COM wrote:
>
>Hi Aknit,
>
>I've had quite a similar issue with a VPN user not being able to connect
>through my squids.
>
>In the end the problem was that the client and the VPN concentrator somehow
>messed up the MTUs, especially one option called 'IP path MTU discovery'.
>
>The final solution was to disable IP path MTU discovery on the squid boxes
>and it worked.
>
>If your squid is running on Linux, please try:
>
>echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
>if there is such a file in your proc fs... - or look for something similar.
>
>Torsten
>
>aknit44@globenetcafe.net on 07.10.2001 13:03:33
>
>Please respond to aknit44@globenetcafe.net
>
>To: squid-users@squid-cache.org
>cc:
>Subject: [squid-users] Squid and VPN, not working!!!
>
>
> --------------------------------------------------------------------------
>
>
>
>hi list... how u all doing...
>
>well, i have quite a complicated situation.. i am setting up a connection
>to the internet using a VPN tunnel, and RADIUS.. here is the network
>layout...
>
>1. requesting user with Windows 98 VPN client
>
>2. pass-thru via multi-homed Windows 2000 Server running Remote Access
>Server and Routing VPN server, connected to Windows 98 segment and Linux
>masquerader segment
>
>3. authenticated by RADIUS server located on the Windows 2000 Server and
>masquerader segment
>
>3. masqueraded thru a linux box using IPChains and two network cards onto
>the public internet
>
>4. connection to the cisco router gateway and then redirected back to squid
>server, transparently....
>
>now, here is how it works... a user on the Windows 98 box launches MS-VPN
>client which is configured to connect to the Windows 2000 Server box.. the
>Win2k box then uses its Remote Access and Routing server to send Radius
>Auth and Accounting packets to the RADIUS server on its second network
>interface...
>
>the authentication goes well, and the Windows 98 user is authenticated and
>connected, then assigned an IP on the Linux masquerader network,
>effectively using VPN to localise the user....
>
>now, when it comes to using the internet, the Windows 98 user can connect
>to all local web servers and other non-HTTP services anywhere.. the problem
>comes when the user sends an HTTP request to a non-local domain, such as
>www.yahoo.com or www.cnn.com... the user can resolve the domain name, and
>connect to the site, but can't download any content.. the connection just
>sits there, hanging, and waiting, and nothing happens....
>
>we had a feeling it might have something to do with squid, so we disabled
>the transparent redirect on the router, and voila, we were able to connect,
>albeit without squid, which meant a little slower... when we re-enabled
>squid, we got the same problem again....
>
>upon running sniffer, we saw that the windows 98 box makes several
>re-transmissions.... and then becomes considered an un-responsive
>station....
>
>could anyone have any idea why this connection doesn't work with the squid
>enabled...?.. even with squid IPs defined in the browser, same problem...
>does the IP change squid does to the packet make the return packet null and
>void to the windows 98 user..?..
>
>all help will be appreciated.. thanks...
>
>AKNIT
>
>_____________________________________________________________
>Be different Get yourself a Globenetcafe.net email ID
>Uganda's Newest internet cafe www.globenetcafe.net

Received on Mon Oct 08 2001 - 01:54:57 MDT
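
The following is an added example, not code from either poster: it reports the `ip_no_pmtu_disc` setting mentioned in the thread and binary-searches the largest DF-marked ping that crosses a path, which shows whether a tunnel has lowered the path MTU. It assumes Linux iputils `ping`; the function names and default size bounds are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iputils ping.

# pmtu_disc_state [FILE]: report whether the kernel performs path MTU discovery.
# 0 in ip_no_pmtu_disc means discovery is on; any non-zero value turns it off.
pmtu_disc_state() {
    f=${1:-/proc/sys/net/ipv4/ip_no_pmtu_disc}
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(cat "$f")" in
        0) echo "enabled" ;;
        *) echo "disabled" ;;
    esac
}

# probe SIZE HOST: succeed if one echo request carrying SIZE payload bytes,
# sent with DF set (-M do forbids fragmentation), gets a reply within 2 s.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search over ICMP payload sizes.
# Prints the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the LOW probe gets no reply (host down or ICMP filtered).
find_path_mtu() {
    host=$1
    lo=${2:-548}      # 576-byte minimum IPv4 datagram minus 28
    hi=${3:-1472}     # 1500-byte Ethernet MTU minus 28
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid               # mid fits: search upward
        else
            hi=$(( mid - 1 ))     # mid is dropped: search downward
        fi
    done
    echo $(( lo + 28 ))
}
```

Run `find_path_mtu` from the proxy host toward an address on the far side of the tunnel; a result below 1500 together with `pmtu_disc_state` reporting `enabled` matches the symptom in the thread, where small pages load and large ones hang.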

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:38 MST