Re: x11 or x-windows over Cisco VPN

raymng · ‎02-18-2003

In my evnrionment, I use Concentrator 3k and Cisco VPN client 3.5.x for VPN connection. My users have problem using x11 from remote workstations (x11-server) to UNIX servers (x11-client) in the inside network. From my sniffer capture and firewall log (CheckPoint FW1), the issue is related to the virtual IP of the workstation assigned to the VPN client and the real/physical IP of the workstation (VPN Client).

First, workstation send XDMCP (udp-177) to the internal server (x11-client) using the VPN ip address. Multiple XDMCP traffic then going back and forth between the workstation and the server. Then, the server (as expect) initiates x11 (tcp 6000) session to the workstation. Yet, this time the server (x11-client) is using the workstation 's physical IP address instead of the VPN 's IP. As the result, the connection can't be established (drop/reject by the workstation).

Would anyone have any suggestions on this issue? FYI, the x-windows product we uses is called "Exceed v6", don't know if this makes a difference.

Thanks.

-Raymond Ng

sailingd · ‎02-18-2003

I would suggest not using X11 by itself. Using an ssh client to connect into the server with X11 forwarding enabled, you should never have to worry about this problem again. It will set the display variable accordingly. Also, it has the added benefit of allowing you to close port 6000 from listening on your servers since all X11 communication is done through the secure tunnel. Once you get it set up, you'll never want to go back.

raymng · ‎02-18-2003

Thanks, but I am afraid that this is not an option in my environment.

-raymond