Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
VPN is up but ping uses default route

#1 saavik, 12-09-2008, 08:50 AM


Hello!

I have my VPN up and everything is working fine, but my ping to the other side is not going through the tunnel but unencrypted through the default gateway.

How can I force the ping to use the tunnel?

My routing table shows a default GW and the route via the VPN, which comes up with the VPN connection.

What is going wrong?

Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
149.250.xx.xx   192.168.A.A     255.255.255.255 UGH   0      0        0 eth3
149.250.xx.yy   192.168.A.A     255.255.255.192 UG    0      0        0 eth3
192.178.x.x     192.168.B.B     255.255.255.0   UG    0      0        0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.181.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth3
10.0.0.0        192.168.B.B     255.0.0.0       UG    0      0        0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.A.A     0.0.0.0         UG    0      0        0 eth3

 
#2 EhabAhmed, 12-09-2008, 03:24 PM
Could you clarify your configuration?
 
#3 saavik (original poster), 12-10-2008, 01:47 AM
| PC 1 |-------| Gateway |-------| PC 2 |


PC 1
====
Nic1 IP Address A
Nic1:0 IP Address B (virtual)

Gateway
=======
Nic1 IP Address A

Now the VPN is built up between PC 1 (NIC1:0) through the Gateway to PC 2, which works perfectly, but if I ping PC 2 the VPN connection is not used; the ping uses NIC1, goes through the Gateway and reaches PC 2.

I would like to ping through the VPN.
 
#4 EhabAhmed, 12-10-2008, 02:45 PM
What's the output of
netstat -rn
 
#5 jschiwal, 12-10-2008, 02:52 PM
It looks like all of your routes are using the same interface. Is the VPN running on the host, or is it a separate device on the network? If the latter, then check whether you should be using a different interface (such as eth0:1 or tun0) instead. If the former, then the gateway for the subnet on the other end should be distinct. There is no need to hide the details of private addresses.

Please enclose the structured output of commands like route in [ code ] [ /code ] blocks instead of quote blocks. It will be readable then.
 
#6 saavik (original poster), 12-11-2008, 02:48 AM
Code:
 # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
149.xx.xx.20  192.168.0.1     255.255.255.255 UGH       0 0          0 eth3
149.xx.xx.64  192.168.0.1     255.255.255.192 UG        0 0          0 eth3
192.178.0.0     192.168.0.2     255.255.255.0   UG        0 0          0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
192.181.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
169.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
10.0.0.0        192.168.0.2     255.0.0.0       UG        0 0          0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth3
 
#7 ledow, 12-11-2008, 03:09 AM
Er, yeah, ping will go through eth3 with that setup.

What you are doing with the :0's (IP aliasing) isn't magic - you are making one ethernet card run as two (so your "private network" isn't in fact private at all, you're just using two IP allocations on the same network - both eth3 and eth3:0 are receiving the same traffic and sending it on the same cable). Because they are both connected to the same cable, the pings will go out on the same cable. Routing on this sort of setup is a bit of a waste of time, because nothing useful is really happening - you're splitting traffic into two lanes and then rejoining them later at the gateway.

Aside from that fact, you've told *everything* to go out through eth3 (rather than, I assume, eth3:0).

Rule 1: Don't roll your own routes if you don't get routing.
(a corollary is "Don't roll your own firewall if you don't get IP")
 
#8 saavik (original poster), 12-11-2008, 03:53 AM
firewall

The PC is not directly connected to the Internet.

It uses a firewall/gateway to build up a VPN connection.

The PC does not need a second NIC, as I cannot leave the DMZ without connecting to the internal gateway, which would not allow any connections.

So "security" is not the point in this config.

I just want one PC in the DMZ using the (external) gateway to build up a VPN and then send data through it.

On the other hand you are absolutely right, routing does not make any sense from a security point of view on one NIC, as physically the data will use the same cable.

What I thought was that I can force the ping to use the VPN tunnel via routing on eth3:0, which does not make any physical difference, but maybe a logical one?

I do not want any sort of separation of the traffic at NIC level.

 
#9 jschiwal, 12-11-2008, 09:55 AM
I think that you want to use the device name "eth3:0" in your route command for traffic going to a subnet that "eth3:0" is on. All of the routes you have posted are for a device on the 192.168.0.0 network.

Your route command has a subnet that is destined for the default gateway. You only need routes for other subnets when the gateway used isn't the default.


Code:
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
192.181.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
169.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
10.0.0.0        192.168.0.2     255.0.0.0       UG        0 0          0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth3
The first entry is correct. It defines the route for the subnet you are on. The second entry uses the default gateway, so you don't need it.
The third entry is your link-local network. You don't need to disguise 169.254.0.0. Everyone has it in their hosts file and route.
The fourth entry is OK. A different gateway is used. The last two entries are normal.

However, your posted route is for routing traffic through two gateways without any indication of a VPN or an aliased NIC.

I'm guessing that this host route entry is for the host in the DMZ.
Code:
149.xx.xx.20  192.168.0.1     255.255.255.255 UGH       0 0          0 eth3
If this is the case and the 192.168.0.1 gateway is the IP address of your VPN device, then this is the one that should use "eth3:0".

With only one IP address being used for the VPN, I think you could also use iptables to redirect traffic to eth3:0.

If you do use just one interface, you may want to use a device alias for the reason of tightening up your firewall on your host. You are using a VPN to bypass the firewall, so you need to assume that responsibility on your own firewall.

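Added example, not code from any poster in this thread: a small Python emulation of the kernel's route selection over the table from post #6. It shows why every ping leaves through eth3 (ledow's point) and which entries merely repeat the default gateway and interface (jschiwal's point). It assumes the masked `xx` octets are stand-ins, replaced here with the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import NamedTuple, Optional
# Constructed from post #6's netstat -rn; masked "xx" octets replaced with 203.0.113.x (documentation range).
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.20    192.168.0.1     255.255.255.255 UGH       0 0          0 eth3
203.0.113.64    192.168.0.1     255.255.255.192 UG        0 0          0 eth3
192.178.0.0     192.168.0.2     255.255.255.0   UG        0 0          0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.0.0.0        192.168.0.2     255.0.0.0       UG        0 0          0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth3
"""

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str

def parse_routes(text: str) -> list:
    """Turn a netstat -rn / route -n listing into Route records."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue  # skip the header line
        net = ipaddress.IPv4Network(f"{cols[0]}/{cols[2]}", strict=False)
        gw = None if cols[1] == "0.0.0.0" else ipaddress.IPv4Address(cols[1])
        routes.append(Route(net, gw, cols[-1]))
    return routes

def lookup(routes, dst: str) -> Route:
    """Longest-prefix match: the rule the kernel applies to every packet."""
    addr = ipaddress.IPv4Address(dst)
    return max((r for r in routes if addr in r.network),
               key=lambda r: r.network.prefixlen)

def default_route(routes) -> Route:
    return next(r for r in routes if r.network.prefixlen == 0)

def redundant_routes(routes) -> list:
    """Routes that only repeat the default gateway and interface; the packet takes the same path without them."""
    d = default_route(routes)
    return [r for r in routes
            if r.network.prefixlen and r.gateway == d.gateway and r.iface == d.iface]

def leaves_on_same_wire(routes, dst: str) -> bool:
    """True when dst egresses on the default route's interface: no tun/tap device exists in this table."""
    return lookup(routes, dst).iface == default_route(routes).iface
```

Run `redundant_routes(parse_routes(NETSTAT_RN))` to see the two 203.0.113.x entries that add nothing, and `leaves_on_same_wire(...)` to confirm that the "VPN" host route still puts the ping on eth3.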
 
#10 saavik (original poster), 12-12-2008, 01:40 AM
So what?

First thanks for your answer.

I already tried to route to eth3:0, but it did not make any change.

What iptables rule do you suggest?
 