LinuxQuestions.org


zhjim 06-05-2012 05:46 AM

VPN Client can't get to IPSec connected network
 
Hi folks,

I'm having a problem with VPN clients connecting to a host all fine, but they can't connect to other hosts that are connected through IPsec tunnels.
Code:

VPN-Client =====vpn=====serving host=====ipsec=====other_host
(192.168.138.3)      (192.168.138.1)            10.127.48.1
                      (10.127.224.101)
                      (10.127.225.101)

[VPN Client]
So the connecting client has the set-default-route option set so that all traffic to unknown locations goes through the VPN tunnel. I can ping and connect to services on the remote side of the VPN tunnel all fine (192.168.138.1, 10.127.224.101, 10.127.225.101).

[Serving Host]
From the serving host I can ping and connect in all directions (192.168.138.3, 10.127.48.1, external IPs).

[other host]
I can also ping through the IPsec tunnel from 10.127.48.1 to the serving host.

[Problem]
The problem is I just can't go through the serving host to either side. I always get a "host unreachable" message when trying to ping, which I interpret as the route from 192.168.138.0/24 to 10.127.48.0/24 not being allowed or accessible. ip neighb also shows the connection to 10.127.48.1 as failed, and a tcpdump only shows the returning package.

To not make it easy at all, there are numerous NAT rules implied.
Maybe someone can give me a hint where to look for the show stopper. If I missed any information I'll gladly add it. Thanks in advance.

Here are the routes of the VPN server with the IPsec tunnels:
Code:

default via 10.127.225.1 dev eth0  proto zebra
10.127.16.0/20 dev eth0  scope link  src 10.127.224.101
10.127.36.0/24 dev eth0  scope link  src 10.127.224.101
10.127.48.0/24 dev eth0  scope link  src 10.127.224.101
10.127.224.0/24 dev eth2  proto kernel  scope link  src 10.127.224.101
10.127.225.0/24 dev eth0  proto kernel  scope link  src 10.127.225.101
10.127.226.0/24 via 10.127.224.1 dev eth2  proto zebra
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1
192.168.138.0/24 dev vtun0  proto kernel  scope link  src 192.168.138.1

NAT Rules
Code:

# Generated by iptables-save v1.4.10 on Tue Jun  5 12:43:14 2012
*nat
:PREROUTING ACCEPT [251:18399]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [692:52626]
:POSTROUTING ACCEPT [761:57685]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -d 10.127.224.22/32 -i eth0 -m comment --comment "NAT-5" -j DNAT --to-destination 10.127.225.21
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j LOG --log-prefix "[NAT-1-MASQ] "
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j MASQUERADE
-A POSTROUTING -s 10.127.225.21/32 -o eth0 -m comment --comment "NAT-6" -j SNAT --to-source 10.127.224.22
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-10" -j RETURN
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.226.0/24 -o eth0 -m comment --comment "NAT-11" -j RETURN
-A POSTROUTING -s 10.127.225.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-12" -j RETURN
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-13" -j RETURN
-A POSTROUTING -s 10.127.224.0/24 -o eth0 -m comment --comment "NAT-20" -j MASQUERADE
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -m comment --comment "NAT-22" -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT


Here's the route config of the Windows VPN client:
Code:

IPv4-Routentabelle
===========================================================================
Aktive Routen:
    Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.254.1  192.168.254.174    20
          0.0.0.0        128.0.0.0    192.168.138.1    192.168.138.3    30
    somewhere  255.255.255.255    192.168.254.1  192.168.254.174    20
        127.0.0.0        255.0.0.0  Auf Verbindung        127.0.0.1    306
        127.0.0.1  255.255.255.255  Auf Verbindung        127.0.0.1    306
  127.255.255.255  255.255.255.255  Auf Verbindung        127.0.0.1    306
        128.0.0.0        128.0.0.0    192.168.138.1    192.168.138.3    30
    192.168.138.0    255.255.255.0  Auf Verbindung    192.168.138.3    286
    192.168.138.3  255.255.255.255  Auf Verbindung    192.168.138.3    286
  192.168.138.255  255.255.255.255  Auf Verbindung    192.168.138.3    286
    192.168.254.0    255.255.255.0  Auf Verbindung  192.168.254.174    276
  192.168.254.174  255.255.255.255  Auf Verbindung  192.168.254.174    276
  192.168.254.255  255.255.255.255  Auf Verbindung  192.168.254.174    276
        224.0.0.0        240.0.0.0  Auf Verbindung        127.0.0.1    306
        224.0.0.0        240.0.0.0  Auf Verbindung  192.168.254.174    276
        224.0.0.0        240.0.0.0  Auf Verbindung    192.168.138.3    286
  255.255.255.255  255.255.255.255  Auf Verbindung        127.0.0.1    306
  255.255.255.255  255.255.255.255  Auf Verbindung  192.168.254.174    276
  255.255.255.255  255.255.255.255  Auf Verbindung    192.168.138.3    286
===========================================================================


zhjim 06-06-2012 01:24 AM

The solution to my problem was to set up another tunnel that had the subnet of the VPN clients as its configuration.
Maybe some NATting would also have helped.
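As an added example (not code from the thread or from Vyatta), the Python below walks the poster's POSTROUTING rules in order for a forwarded packet and then checks a policy table against the same packet, so the difference between the original setup and the second tunnel from the follow-up post can be seen. The policy selectors (POLICIES_BEFORE, POLICIES_AFTER) and the function names are assumptions, since the thread never shows the tunnel configuration, and the model matches selectors on the packet's original addresses.

```python
# Added example, not from the thread: first-match walk of the thread's
# POSTROUTING NAT rules plus a hypothetical IPsec policy (selector) check.
from ipaddress import ip_address, ip_network

# POSTROUTING rules copied from the thread, in order: (name, src, dst, target).
# All of them are "-o eth0"; None means any address. The LOG rule does not
# terminate the chain, so it is left out.
POSTROUTING = [
    ("NAT-1",  "192.168.138.0/24", "10.127.0.0/17",   "MASQUERADE"),
    ("NAT-6",  "10.127.225.21/32", None,              "SNAT 10.127.224.22"),
    ("NAT-10", "10.127.224.0/24",  "10.127.0.0/17",   "RETURN"),
    ("NAT-11", "10.127.224.0/24",  "10.127.226.0/24", "RETURN"),
    ("NAT-12", "10.127.225.0/24",  "10.127.16.0/20",  "RETURN"),
    ("NAT-13", "192.168.138.0/24", "10.127.16.0/20",  "RETURN"),
    ("NAT-20", "10.127.224.0/24",  None,              "MASQUERADE"),
    ("NAT-22", "192.168.138.0/24", None,              "MASQUERADE"),
]

# Hypothetical policy table (the thread never shows it): one tunnel carrying
# the serving host's own 10.127.224.0/24 to the remote 10.127.48.0/24.
POLICIES_BEFORE = [("10.127.224.0/24", "10.127.48.0/24")]
# The poster's fix: a second tunnel whose selector is the VPN client subnet.
POLICIES_AFTER = POLICIES_BEFORE + [("192.168.138.0/24", "10.127.48.0/24")]

def _in(addr, net):
    return net is None or ip_address(addr) in ip_network(net)

def nat_rule(src, dst):
    """Return (rule name, target) of the first terminating POSTROUTING match."""
    for name, s, d, target in POSTROUTING:
        if _in(src, s) and _in(dst, d):
            return name, target
    return None, "ACCEPT"

def tunnel_for(src, dst, policies):
    """Return the first policy whose selectors cover src->dst, else None."""
    for local, remote in policies:
        if _in(src, local) and _in(dst, remote):
            return local, remote
    return None

def trace(src, dst, policies):
    """Summarise the NAT rule hit and tunnel coverage for a forwarded packet."""
    rule, target = nat_rule(src, dst)
    sel = tunnel_for(src, dst, policies)
    return {"nat": rule, "target": target, "tunnel": sel, "in_tunnel": sel is not None}

if __name__ == "__main__":
    for label, pol in (("before", POLICIES_BEFORE), ("after", POLICIES_AFTER)):
        print(label, trace("192.168.138.3", "10.127.48.1", pol))
```

Note that NAT-1 precedes NAT-13 and covers its whole destination range, so NAT-13 never fires for eth0 traffic; the VPN client packet is masqueraded by NAT-1 either way, and only the policy table decides whether it is carried by a tunnel.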

