Old 06-05-2012, 05:46 AM   #1
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

VPN Client can't get to IPSec connected network


Hi folks,

I'm having a problem with VPN clients connecting to a host all fine, but they can't connect to other hosts that are connected through IPsec tunnels.
Code:
VPN-Client =====vpn=====serving host=====ipsec=====other_host
(192.168.138.3)       (192.168.138.1)             10.127.48.1
                      (10.127.224.101)
                      (10.127.225.101)
[VPN Client]
So the connecting client has the set-default-route option set so that all traffic to unknown locations goes through the VPN tunnel. I can ping and connect to services on the remote side of the VPN tunnel all fine (192.168.138.1, 10.127.224.101, 10.127.225.101).

[Serving Host]
From the serving host I can ping and connect in all directions (192.168.138.3, 10.127.48.1, external IPs).

[other host]
I can also ping through the IPsec tunnel from 10.127.48.1 to the serving host.

[Problem]
The problem is I just can't go through the serving host to either side. I always get a "host unreachable" message when trying to ping, which I interpret as the route from 192.168.138.0/24 to 10.127.48.0/24 not being allowed or accessible. ip neighb also shows the connection to 10.127.48.1 as failed, and a tcpdump only shows the returning packet.

To not make it easy at all, there are numerous NAT rules involved.
Maybe someone can give me a hint where to look for the show stopper. If I missed any information I'll gladly add it. Thanks in advance.

Here are the routes of the VPN server with the IPsec tunnels
Code:
default via 10.127.225.1 dev eth0  proto zebra 
10.127.16.0/20 dev eth0  scope link  src 10.127.224.101 
10.127.36.0/24 dev eth0  scope link  src 10.127.224.101 
10.127.48.0/24 dev eth0  scope link  src 10.127.224.101 
10.127.224.0/24 dev eth2  proto kernel  scope link  src 10.127.224.101 
10.127.225.0/24 dev eth0  proto kernel  scope link  src 10.127.225.101 
10.127.226.0/24 via 10.127.224.1 dev eth2  proto zebra 
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1 
192.168.138.0/24 dev vtun0  proto kernel  scope link  src 192.168.138.1
NAT rules
Code:
# Generated by iptables-save v1.4.10 on Tue Jun  5 12:43:14 2012
*nat
:PREROUTING ACCEPT [251:18399]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [692:52626]
:POSTROUTING ACCEPT [761:57685]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK 
-A PREROUTING -d 10.127.224.22/32 -i eth0 -m comment --comment "NAT-5" -j DNAT --to-destination 10.127.225.21 
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK 
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j LOG --log-prefix "[NAT-1-MASQ] " 
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j MASQUERADE 
-A POSTROUTING -s 10.127.225.21/32 -o eth0 -m comment --comment "NAT-6" -j SNAT --to-source 10.127.224.22 
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-10" -j RETURN 
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.226.0/24 -o eth0 -m comment --comment "NAT-11" -j RETURN 
-A POSTROUTING -s 10.127.225.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-12" -j RETURN 
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-13" -j RETURN 
-A POSTROUTING -s 10.127.224.0/24 -o eth0 -m comment --comment "NAT-20" -j MASQUERADE 
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -m comment --comment "NAT-22" -j MASQUERADE 
-A VYATTA_PRE_DNAT_HOOK -j RETURN 
-A VYATTA_PRE_SNAT_HOOK -j RETURN 
COMMIT

Here's the route config of the Windows VPN client.
Code:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.254.1  192.168.254.174     20
          0.0.0.0        128.0.0.0    192.168.138.1    192.168.138.3     30
    somewhere  255.255.255.255    192.168.254.1  192.168.254.174     20
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
        128.0.0.0        128.0.0.0    192.168.138.1    192.168.138.3     30
    192.168.138.0    255.255.255.0   Auf Verbindung     192.168.138.3    286
    192.168.138.3  255.255.255.255   Auf Verbindung     192.168.138.3    286
  192.168.138.255  255.255.255.255   Auf Verbindung     192.168.138.3    286
    192.168.254.0    255.255.255.0   Auf Verbindung   192.168.254.174    276
  192.168.254.174  255.255.255.255   Auf Verbindung   192.168.254.174    276
  192.168.254.255  255.255.255.255   Auf Verbindung   192.168.254.174    276
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.254.174    276
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.138.3    286
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.254.174    276
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.138.3    286
===========================================================================

Last edited by zhjim; 06-05-2012 at 07:41 AM.
 
Old 06-06-2012, 01:24 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748

Original Poster
Blog Entries: 11

The solution to my problem was to set up another tunnel which had the subnet of the VPN clients in its configuration.
Maybe some NATting would also have helped.
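The script below is an added example, not zhjim's configuration or anything from the thread. It replays a forwarded packet through the `ip route` table and the nat POSTROUTING chain quoted in post #1: longest-prefix route lookup, then an in-order walk of the chain (LOG is non-terminating, the VYATTA hook chain returns, MASQUERADE/SNAT terminate, RETURN in the built-in chain means "no NAT"). It then tests the packet against an IPsec traffic selector both before and after NAT, which is the question behind both fixes in post #2: a second tunnel whose selector covers 192.168.138.0/24 makes the original source match, while NAT only helps if the rewritten source lands inside an existing selector. Assumptions, since the thread shows neither the SA nor `ip addr`: the selector 10.127.224.0/24 <-> 10.127.48.0/24 (suggested only by the src hint on the 10.127.48.0/24 route), and that MASQUERADE picks the address listed as src on the interface's `proto kernel` route.

```python
"""Replay a forwarded packet through the route table and nat POSTROUTING chain of post #1."""
import ipaddress
import shlex

# `ip route` output quoted in post #1.
ROUTES = """\
default via 10.127.225.1 dev eth0  proto zebra
10.127.16.0/20 dev eth0  scope link  src 10.127.224.101
10.127.36.0/24 dev eth0  scope link  src 10.127.224.101
10.127.48.0/24 dev eth0  scope link  src 10.127.224.101
10.127.224.0/24 dev eth2  proto kernel  scope link  src 10.127.224.101
10.127.225.0/24 dev eth0  proto kernel  scope link  src 10.127.225.101
10.127.226.0/24 via 10.127.224.1 dev eth2  proto zebra
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1
192.168.138.0/24 dev vtun0  proto kernel  scope link  src 192.168.138.1
"""
# nat table from post #1, POSTROUTING side only (iptables-save format).
NAT = """\
:POSTROUTING ACCEPT [761:57685]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j LOG --log-prefix "[NAT-1-MASQ] "
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-1" -j MASQUERADE
-A POSTROUTING -s 10.127.225.21/32 -o eth0 -m comment --comment "NAT-6" -j SNAT --to-source 10.127.224.22
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.0.0/17 -o eth0 -m comment --comment "NAT-10" -j RETURN
-A POSTROUTING -s 10.127.224.0/24 -d 10.127.226.0/24 -o eth0 -m comment --comment "NAT-11" -j RETURN
-A POSTROUTING -s 10.127.225.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-12" -j RETURN
-A POSTROUTING -s 192.168.138.0/24 -d 10.127.16.0/20 -o eth0 -m comment --comment "NAT-13" -j RETURN
-A POSTROUTING -s 10.127.224.0/24 -o eth0 -m comment --comment "NAT-20" -j MASQUERADE
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -m comment --comment "NAT-22" -j MASQUERADE
-A VYATTA_PRE_SNAT_HOOK -j RETURN
"""
# ASSUMPTION: the tunnel to other_host carries 10.127.224.0/24 <-> 10.127.48.0/24 (SA not shown in the thread).
SELECTOR = (ipaddress.ip_network("10.127.224.0/24"), ipaddress.ip_network("10.127.48.0/24"))
TERMINAL = {"MASQUERADE", "SNAT", "ACCEPT", "DROP"}   # targets that end the chain walk


def parse_routes(text):
    table = []   # list of (prefix, {"dev": .., "via": .., "src": .., "proto": ..})
    for f in (line.split() for line in text.splitlines() if line.strip()):
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        table.append((ipaddress.ip_network(prefix), dict(zip(f[1::2], f[2::2]))))
    return table


def parse_nat(text):
    """Minimal iptables-save reader: keeps -s/-d/-o matches, the target and the comment."""
    chains = {}
    for tok in (shlex.split(line) for line in text.splitlines() if line.strip()):
        if tok[0].startswith(":"):
            chains[tok[0][1:]] = []
        elif tok[0] == "-A":
            chains[tok[1]].append({tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                                   if tok[i] in ("-s", "-d", "-o", "-j", "--comment", "--to-source")})
    return chains


ROUTE_TABLE = parse_routes(ROUTES)
CHAINS = parse_nat(NAT)
# ASSUMPTION: an interface's primary address is the src of its `proto kernel` route.
IFACE_ADDR = {a["dev"]: a["src"] for _, a in ROUTE_TABLE if a.get("proto") == "kernel"}


def lookup_route(dst):
    """Longest-prefix match over ROUTE_TABLE; returns the route's attribute dict."""
    return max((r for r in ROUTE_TABLE if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def walk(chain, src, dst, out, trace):
    """Scan one chain in order: ('terminal', rule), ('return', rule) or ('fallthrough', None)."""
    for rule in CHAINS[chain]:
        if "-s" in rule and src not in ipaddress.ip_network(rule["-s"]):
            continue
        if "-d" in rule and dst not in ipaddress.ip_network(rule["-d"]):
            continue
        if rule.get("-o", out) != out:
            continue
        target = rule["-j"]
        trace.append(f"{chain}: {rule.get('--comment', '-')} -> {target}")
        if target == "RETURN":
            return "return", rule
        if target in TERMINAL:
            return "terminal", rule
        if target in CHAINS:                       # jump into a user-defined chain
            verdict, hit = walk(target, src, dst, out, trace)
            if verdict == "terminal":
                return verdict, hit
        # LOG, or a user chain that returned / ran off its end: keep scanning
    return "fallthrough", None


def forward(src, dst):
    """Route the packet, run nat POSTROUTING on it, and test the selector before and after NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out, trace = lookup_route(dst)["dev"], []
    verdict, hit = walk("POSTROUTING", src, dst, out, trace)
    new_src = src                                  # RETURN / fall-through: policy ACCEPT, no NAT
    if verdict == "terminal" and hit["-j"] == "MASQUERADE":
        new_src = ipaddress.ip_address(IFACE_ADDR[out])   # address of `out` (assumption above)
    elif verdict == "terminal" and hit["-j"] == "SNAT":
        new_src = ipaddress.ip_address(hit["--to-source"])
    return {"out": out, "rule": hit.get("--comment") if hit else None,
            "src_after": str(new_src), "trace": trace,
            "orig_in_selector": src in SELECTOR[0] and dst in SELECTOR[1],
            "nat_in_selector": new_src in SELECTOR[0] and dst in SELECTOR[1]}


if __name__ == "__main__":
    r = forward("192.168.138.3", "10.127.48.1")      # the VPN client ping from post #1
    print("\n".join(r["trace"]))
    print({k: v for k, v in r.items() if k != "trace"})
```

For the client's ping (192.168.138.3 to 10.127.48.1) the walk ends at NAT-1 MASQUERADE, so the packet leaves eth0 with an eth0 address, and under the assumed selector neither the original nor the NATed source matches; NAT-13's RETURN is never reached because NAT-1 covers 10.127.0.0/17 first. Linux re-runs the xfrm policy lookup after SNAT in POSTROUTING, which is why checking both sources is the useful diagnostic: either the selector must include the client subnet (the fix in post #2) or the NATed source must land inside the selector, and `ip xfrm policy` on the serving host is where to confirm which selectors actually exist.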