LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-02-2004, 02:20 PM   #1
Lhadatt
LQ Newbie
 
Registered: Dec 2004
Distribution: Slackware
Posts: 2

Rep: Reputation: 0
PPTP VPN server - can't cross subnets


I'm putting together a PPTP VPN server using Slackware Linux 9 and PoPToP. The goal is to allow Windows users to login to the LAN via the Internet. The PPTP server is hosted on a firewall using Shorewall 2 (front-end for iptables).

Problem: I can get it to connect and communicate with the subnet the PPTP hands out IPs for, but it won't communicate with any other subnet.

The server:

- Internet: 192.168.1.1 (for testing) on eth0
- LAN: 10.1.10.0 via eth1 - actual IP is 10.1.10.93
- DMZ: 10.2.10.0 via eth2 - actual IP is 10.2.10.93
- PPTP hands out 10.3.10.2 - 10.3.10.254 to clients
- VPN "local" IP on server: 10.3.10.1

The client:

- Windows 2000 Pro
- Local IP is 192.168.1.2
- Gateway is set to 192.168.1.1 (the server)
- Receives 10.3.10.x from server
- Subnet mask for 10.3.10.x is 255.255.255.255 -- standard for PPTP, I don't think this can change, but I'm still researching that

I think the firewall is basically OK, but might need some tweaking on the masquerading entries or something. The important thing to note with the firewall is it does allow connections, and this issue persists even if the firewall is turned off.

The clients CAN ping 10.1.10.93 and 10.2.10.93, since they are on that server. I believe the issue is route-related -- I don't know what routes to put in though, and whether they should be on the server or client. The server has no problem communicating with anything on any subnet, it's just the client.

My masq entries in Shorewall:
Code:
#INTERFACE              SUBNET          ADDRESS
eth0                    eth1
eth0                    eth2
#ppp0            eth1
#ppp0            eth2
#ppp0:10.1.10.0/24   10.3.10.0/24    10.1.10.93
eth0            ppp0
The interfaces file in Shorewall:
Code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0          detect   routefilter,blacklist
loc     eth1    detect  dhcp,blacklist,routeback
dmz     eth2    detect  dhcp
vpn     ppp0    -
/etc/pptpd.conf:
Code:
option /etc/ppp/options-pptpd
localip 10.3.10.1
remoteip 10.3.10.2-254
/etc/ppp/options-pptpd:
Code:
name   *
lock
mtu     1450
mru     1450
proxyarp
defaultroute
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure    3
lcp-echo-interval   5
deflate 0

# dns and samba
ms-dns  10.2.10.7

# handshake auth method
+chap
+mschap-v2

# data encryption method
mppe required
Please let me know if you would like to see anything else. Does anyone have any ideas?

Thanks!
 
Old 12-02-2004, 02:50 PM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
If I understand your post correctly, the problem is this -- The client's default gateway is 192.168.1.1. Its VPN IP is 10.3.10.x. The problem is when you're trying to communicate with another subnet (i.e. *not 10.3.10.x), you're going out over 192.168.1.1. Since 10.0.0.0/8 is non-routable to the public 'net, your packets go off into the void.

The client's default route needs to change to 10.3.10.1 (if that machine is set to forward) for the duration of the pptp session.

Last edited by sigsegv; 12-02-2004 at 02:52 PM.
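The routing problem sigsegv describes, as an added worked example that is not part of this thread: a longest-prefix-match lookup over a Windows-style routing table built from the topology in the first post (the client's table is constructed here, not pasted from the poster), before and after adding a route for 10.0.0.0/8 via the PPTP server's tunnel address 10.3.10.1. The `route add 10.0.0.0 mask 255.0.0.0 10.3.10.1` command in the comment is an assumption about how that route would be installed on the client.

```python
# Longest-prefix-match lookup over a routing table in "route print" style
# (destination, netmask, gateway, interface). Shows why a PPTP client with a
# /32 on the PPP link and a default route of 192.168.1.1 only reaches
# 10.3.10.1 over the tunnel: every other 10.x address follows the default route.
import ipaddress


def parse_routes(text):
    """Parse 'destination netmask gateway interface' lines into (network, gw, iface)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Return (gateway, interface) of the most specific route matching dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


# Constructed client table: LAN address 192.168.1.2, default gateway 192.168.1.1,
# PPP address 10.3.10.5 with a /32 mask and a host route to the server end 10.3.10.1.
CLIENT_BEFORE = """
0.0.0.0      0.0.0.0         192.168.1.1  192.168.1.2
192.168.1.0  255.255.255.0   192.168.1.2  192.168.1.2
10.3.10.5    255.255.255.255 10.3.10.5    10.3.10.5
10.3.10.1    255.255.255.255 10.3.10.5    10.3.10.5
"""
# Same table after (assumed) "route add 10.0.0.0 mask 255.0.0.0 10.3.10.1" on the client.
CLIENT_AFTER = CLIENT_BEFORE + "10.0.0.0     255.0.0.0       10.3.10.1    10.3.10.5\n"


def next_hop_before(dst):
    return lookup(parse_routes(CLIENT_BEFORE), dst)


def next_hop_after(dst):
    return lookup(parse_routes(CLIENT_AFTER), dst)


if __name__ == "__main__":
    # Before the extra route, even the server's own LAN address 10.1.10.93 is
    # reached through the physical gateway rather than through the tunnel.
    for dst in ("10.3.10.1", "10.1.10.93", "10.1.10.5", "10.2.10.7"):
        print(dst, "before:", next_hop_before(dst), "after:", next_hop_after(dst))
```

Feeding the real `route print` and `netstat -rn` output into `parse_routes` (after trimming the header lines and the metric column) gives the same check against the actual tables sigsegv asks for below.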
 
Old 12-02-2004, 04:52 PM   #3
Lhadatt
LQ Newbie
 
Registered: Dec 2004
Distribution: Slackware
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the reply.

I tried that, it didn't work. I don't quite know what's going on, but I'll try to brainstorm on it tomorrow.
 
Old 12-02-2004, 05:11 PM   #4
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
What do the routing tables look like? Run netstat -rn on the Linux machine and route print on the Windows box (scrubbing public IPs as necessary) and post them back here.
 
Old 12-02-2004, 05:42 PM   #5
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Looks like you're trying to masquerade vpn traffic when you want the firewall to simply route vpn traffic after it encodes/decodes the packet. In my setup (shorewall/poptop running on the firewall):

I add the pptpserver entry to the shorewall tunnels file. i.e.
Code:
pptpserver            net     0.0.0.0/0
...and
Code:
loc     ppp+            -
to the shorewall interfaces file.

I do not reference the vpn traffic/interfaces in the shorewall masq file.
 