IP forwarding not working on ppp-over-ssh vpn

tingdahl · 08-27-2004, 05:41 AM

Hello,

I have a vpn (ppp-over-ssh) between our main office (192.168.0.0, nm 255.255.255.0) and a smaller one (192.168.2.0, nm 255.255.255.0). The vpn works perfect for the machine (192.168.2.10) that it is connected on, but I want the other machines (e.g.192.168.2.12) in the small office to have access to the main office's net.

The vpn-client-machine has the following ifconfig & routing table:

Code:

eth0      Link encap:Ethernet  HWaddr 00:50:04:ED:9E:FD
          inet addr:192.168.2.10  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:4ff:feed:9efd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4416126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4759050 errors:0 dropped:0 overruns:0 carrier:0
          collisions:525560 txqueuelen:100
          RX bytes:2877777834 (2744.4 Mb)  TX bytes:3338851074 (3184.1 Mb)
          Interrupt:5 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:17448 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17448 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:59857493 (57.0 Mb)  TX bytes:59857493 (57.0 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.207.254  P-t-P:192.168.207.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:27270 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2317953 (2.2 Mb)  TX bytes:2552105 (2.4 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.207.1   *               255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.207.254 255.255.255.0   UG    0      0        0 ppp0
default         192.168.2.2     0.0.0.0         UG    0      0        0 eth0

And ipforwarding is turned on:
# cat /proc/sys/net/ipv4/ip_forward
1

The other machines at the small office are configured to route everything going to the main offiice via the vpn-client machine:

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.2.10    255.255.0.0     UG    0      0        0 eth0
default         192.168.2.2     0.0.0.0         UG    0      0        0 eth0

When I do a trace-route, it goes to the vpn-machine, but not any further:

# traceroute 192.168.0.32
traceroute to 192.168.0.32 (192.168.0.32), 30 hops max, 40 byte packets
1 dgb10.dgbsweden (192.168.2.10) 0.595 ms 0.433 ms 0.484 ms
2 * * *
...
30 * * *
#

When I do the same from the vpn-machine, it works:

#traceroute to 192.168.0.32 (192.168.0.32), 30 hops max, 40 byte packets
1 192.168.207.1 52.422 ms 107.896 ms 104.974 ms
2 dgb32.dgb (192.168.0.32) 102.001 ms 99.144 ms 96.193 ms

I have no firewalls on the machines.

Does anyone have a clue what could be wrong?

J_Szucs · 08-27-2004, 07:34 AM

I think the route on the vpn machine to the remote 192.168.0.0/24 network should point to the remote end of the ppp link, i.e. the correct gateway should be 192.168.207.1 (supposed that 192.168.207.1 is the IP of the remote end of the ppp link).

Edit:
An other reason may be that the route to the local 192.168.2.0/24 network is missing at the remote end of the vpn link. (Thus your requests reach machines on the remote (192.168.0.0/24) network, but the replies are not routed back). Have you checked the routing table of the remote vpn machine?

arno · 08-27-2004, 10:47 AM

You subnet
192.168.0.0 192.168.2.10 255.255.0.0
should be
192.168.0.0 192.168.2.10 255.255.255.0

J_Szucs · 08-27-2004, 06:31 PM

Quote:

You subnet 192.168.0.0 192.168.2.10 255.255.0.0
should be 192.168.0.0 192.168.2.10 255.255.255.0

You are right, that is an error for sure.

However, I think there must be some other error, too, as the routing towards the remote 192.168.0.0/24 network is accidentally not affected by that netmask error: all packages sent from a local client to the remote, 192.168.0.0/24 network are still routed to the correct gateway (192.168.2.10), and all packages coming from the remote network are routed on the local gateway, where the routing table is free of this error, so those packages are correctly routed to the local clients, too.
So, I think this error cannot be the only reason why traceroute does not work.

However, I must admit that I am not a network guru, so I may be wrong.