Hi everybody, thanks a lot for reading this. Recently my company started using a hardware-based VPN solution provided by a third company, the ISP. The VPN is implemented using Cisco 857 routers. My company has a remote office, so the VPN connects our main office with the remote office (two Cisco 857s, one for each office).
At the main office we have a Linux (Fedora Core 8) host working as e-mail server (IMAP/POP3), proxy server (Squid) and firewall (iptables); it's also the only host connected directly to the router (Cisco 857), and all the hosts in the main office LAN are connected to this Linux host. At the remote office all the hosts are connected directly to the router (Cisco 857).
The ISP did all the configuration, but the result isn't what I was expecting: the remote office can't access the main office's LAN, it can only access the Linux host. The main office can access the remote office's LAN properly.
I asked the ISP about this issue and they said there is a wrong/missing configuration in my Linux host; they said I should bridge the interfaces. After doing this I tried accessing my main office's LAN from a remote office host, but it still doesn't work. I also tried the tracert command (under Windows XP) on the same machine, but the result didn't seem correct to me.
I'm attaching an image showing my topology, the tracert output and the iptables rule I used.
Topology:
http://img260.imageshack.us/img260/3564/vpnac.jpg
Tracert output command:
(at a remote office Windows host)\tracert 192.168.1.2
Tracing route to 192.168.1.2 over a maximum of 30 hops
1 79 ms <1 ms <1 ms 10.10.20.10
2 126 ms 126 ms 134 ms 172.17.137.1
3 63 ms 141 ms 140 ms 192.168.1.2
(at a remote office Windows host)\tracert 10.10.10.10
Tracing route to 10.10.10.10 over a maximum of 30 hops
1 79 ms 79 ms 79 ms 10.10.20.10
2 * * * Request timed out.
3 * * * Request timed out.
4 119 ms 120 ms 123 ms 10.111.0.93
5 40 ms 120 ms 119 ms 10.7.1.22
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
... (same message from line 9 to 28)
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
Rule used:
iptables -A FORWARD -s 10.10.20.0/24 -d 10.10.10.0/24 -j ACCEPT
How can I solve this issue? Does it depend on me or on the ISP? Thanks in advance.
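As an added example that is not part of the original post: a POSIX shell checklist for the Linux host, covering the three things a Linux box must have before it can pass VPN traffic on to the LAN behind it (IP forwarding switched on, FORWARD rules that allow both directions, and a route back to the remote LAN). The two LAN prefixes are taken from the tracert output above; the 192.168.1.1 gateway, the interface names and the sample rule sets are constructed. One fact worth knowing when reading it: a single "-s remote -d main -j ACCEPT" rule like the one in the post admits the request, but if the FORWARD policy is DROP the replies from the main LAN are discarded and the client sees a timeout, which the check flags. If the Linux host also NATs the main LAN (MASQUERADE on the outside interface), VPN traffic would additionally have to be excluded from that; the script does not look at the nat table. Routes and crypto ACLs inside the VPN tunnel itself live on the two Cisco 857s and cannot be checked from the Linux host.

```shell
#!/bin/sh
# Added example, not code from the original post: the three host-side checks a
# Linux router/firewall needs before it can pass VPN traffic on to the LAN
# behind it. The two LANs are taken from the post's tracert output; the
# gateway 192.168.1.1, the interface names and the sample rules are constructed.

REMOTE_LAN="10.10.20.0/24"   # hosts behind the remote Cisco 857
MAIN_LAN="10.10.10.0/24"     # hosts behind the Linux box at the main office

# 1. The kernel must route at all: $1 is the content of
#    /proc/sys/net/ipv4/ip_forward. With 0 the box answers for itself only,
#    so remote hosts can reach the Linux host but nothing behind it.
check_ip_forward() {
    [ "$1" = "1" ]
}

# Does the FORWARD chain (iptables-save text in $1) have a plain ACCEPT for $2 -> $3?
forward_accepts() {
    printf '%s\n' "$1" | grep -qF -e "-A FORWARD -s $2 -d $3 -j ACCEPT"
}

# Is there a stateful ACCEPT for reply traffic (-m state or -m conntrack)?
forward_accepts_replies() {
    printf '%s\n' "$1" |
        grep -qE -e '^-A FORWARD .*--(state|ctstate) RELATED,ESTABLISHED .*-j ACCEPT'
}

# 2. Filtering: both directions must be allowed. A single
#    "-s remote -d main -j ACCEPT" admits the request, but with a DROP policy
#    the reply from the main LAN is discarded and the client sees a timeout.
check_forward_rules() {
    rules="$1"
    policy=$(printf '%s\n' "$rules" | awk '/^:FORWARD/ { print $2 }')
    [ "$policy" = "ACCEPT" ] && return 0
    forward_accepts "$rules" "$REMOTE_LAN" "$MAIN_LAN" || return 1
    forward_accepts "$rules" "$MAIN_LAN" "$REMOTE_LAN" && return 0
    forward_accepts_replies "$rules"
}

# 3. Routing: replies to the remote LAN must leave towards the VPN router,
#    via a specific route or the default gateway. $1 is `ip route` output.
check_route() {
    printf '%s\n' "$1" | grep -qE -e "^($2|default) via "
}

# Runs the three checks on the given data; returns 0 only if all pass.
run_checks() {
    rc=0
    if check_ip_forward "$1"; then echo "ip_forward: ok"
    else echo "ip_forward: off (sysctl -w net.ipv4.ip_forward=1)"; rc=1; fi
    if check_forward_rules "$2"; then echo "FORWARD chain: ok"
    else echo "FORWARD chain: replies $MAIN_LAN -> $REMOTE_LAN not accepted"; rc=1; fi
    if check_route "$3" "$REMOTE_LAN"; then echo "route to $REMOTE_LAN: ok"
    else echo "route to $REMOTE_LAN: missing"; rc=1; fi
    return $rc
}

# Constructed sample data standing in for live command output.
RULES_ONE_WAY='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.0/24 -j ACCEPT
COMMIT'

RULES_STATEFUL='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.0/24 -j ACCEPT
COMMIT'

ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.1'

# On the real host (as root) replace the samples with live output:
#   run_checks "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t filter)" "$(ip route)"
run_checks 1 "$RULES_ONE_WAY" "$ROUTES" || echo "one-way rule set: FAIL (expected)"
run_checks 1 "$RULES_STATEFUL" "$ROUTES" && echo "stateful rule set: PASS"
```

Run as written, the script reports the one-way rule set as failing the FORWARD check and the stateful one as passing. Whichever of the three lines reports a problem on the live host is the Linux-side fix to make; if all three pass and remote hosts still only reach the Linux box, the remaining places to look are the nat table on the Linux host and the routes and crypto ACLs on the two routers.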