PPTP Reverse(synchronous) Tunnel
Hello All!!
We're trying to open up a branch office and thus want to extend our local intranet. We're going to do this by getting a Fedora Core 5 router to connect to a WSBS VPN server. I have Windows Small Business Server 2003 (I know, I know) that's currently acting as a VPN / DNS / Primary Domain Controller / and DHCP server. Its IP is 192.168.1.2 and thus on the 192.168.1.0 subnet; its name is pdc-01. There is also a Fedora Core 5 router with an IP of 192.168.1.1.

I have a Fedora Core 5 server running at a remote location that has a PPTP client running on it. This remote network is on the subnet 192.168.2.0 and the router has the IP 192.168.2.1; its name is pdc-02. When pdc-02 activates its PPTP client and connects to pdc-01 it routes all traffic destined for 192.168.1.0 through the VPN tunnel.

Remotely everything works flawlessly, I even got Samba working as a WINS proxy to pdc-01, but within the primary office network I can't connect to 192.168.2.1 or anything on that subnet. I can ping and connect to the remote IP for the PPTP client, which is 192.168.1.13. Now I'm assuming that this has to do with my routing rules. In the central office I've told my router to send all requests for 192.168.2.0 to 192.168.1.13. At which point the request would be sent to pdc-02; the problem is pdc-02 doesn't route or respond to those requests properly and I don't understand why.
Here are my VPN-related IPTABLES rules on pdc-02:
Code:
# allow anything from this box out over the tunnel to the head-office LAN
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface 'ppp0'
# accept anything arriving over the tunnel from the head-office LAN
iptables --insert INPUT 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface 'ppp0'
# forward branch traffic bound for the head-office LAN out over the tunnel
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface 'ppp0'
# forward traffic from the head-office LAN to any destination (no interface restriction)
iptables --insert FORWARD 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
# masquerade everything leaving over the tunnel behind ppp0's address (192.168.1.13)
iptables --table nat --append POSTROUTING --out-interface 'ppp0' --jump MASQUERADE
# clamp the TCP MSS on forwarded SYNs to the path MTU so the PPTP/GRE overhead does not break large packets
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
Quote:
For instance, ip route add 192.168.2.0/24 via 192.168.1.13 executed on 192.168.1.1 should result in something like:
Code:
# ip route show
If you're still having problems after that, it might be something else, but your iptables rules look fine to me. Also, if any of those commands work, they're just temporary (until you reboot). You can always put them in an rc script, though.
Ya, totally; the post above states in the third paragraph that I've already done this. Now the router at 192.168.1.1 sends all traffic destined for 192.168.2.0/24 to 192.168.1.13, but when the traffic gets to 192.168.1.13 the second router doesn't send it on to 192.168.2.0/24, which is the second router's eth1.

And that's the prob: when the traffic gets to 192.168.1.13 (which is a router) the router doesn't send it to 192.168.2.0/24.

OH HEY, I just thought of something: what if I made a 'one-way' bridge using brctl? You think that would work? Anyone know? The bridge would be between ppp0 and eth1.

Also to note: when I'm logged into 192.168.1.1 and try to ping 192.168.2.1 I get this response:
Code:
From 192.168.1.2: icmp_seq=0 Redirect Host(New nexthop: 192.168.1.13)
So this tells me that 192.168.1.2 knows to send 192.168.2.0/24 traffic to 192.168.1.13, thus 1.13 is the problem, is it not?
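Added illustration (not code from any of the posters): a small Python model of the hop-by-hop path discussed in this thread, so the two things worth checking on pdc-02 can be seen side by side. It uses the addresses from the thread (192.168.1.1, pdc-01 at 192.168.1.2, pdc-02 with ppp0 at 192.168.1.13 and eth1 at 192.168.2.1) and assumes the rest: a remote LAN host 192.168.2.5, a server-end PPP interface called ppp-srv on pdc-01, a default route on 192.168.1.1 via 192.168.1.2 for the "no static route" case, and a simplified redirect rule (the router tells the sender to go direct when the sender and the next hop share the subnet of the incoming interface). The PPTP server's relaying of LAN frames to the 192.168.1.13 client is collapsed into a single hop.

```python
"""Toy hop-by-hop routing model of the thread's topology (added example, not from the thread)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None: destination is on-link


@dataclass
class Host:
    name: str
    ifaces: Dict[str, IPv4Interface]
    routes: List[Route] = field(default_factory=list)
    ip_forward: bool = True  # models net.ipv4.ip_forward on Linux

    def add(self, prefix: str, dev: str, via: Optional[str] = None) -> "Host":
        self.routes.append(Route(IPv4Network(prefix), dev, ip_address(via) if via else None))
        return self

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match, the same decision `ip route get` shows."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def owns(self, addr: IPv4Address) -> bool:
        return any(i.ip == addr for i in self.ifaces.values())


def trace(hosts: Dict[str, Host], src: str, dst: str, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow a packet from `src`'s first interface to `dst`; return (hosts traversed, events)."""
    dst_ip = ip_address(dst)
    owner: Dict[IPv4Address, Tuple[Host, str]] = {}
    for h in hosts.values():
        for dev, i in h.ifaces.items():
            owner.setdefault(i.ip, (h, dev))  # first interface wins for duplicate addresses
    cur = hosts[src]
    src_ip = next(iter(cur.ifaces.values())).ip
    in_dev: Optional[str] = None
    path, events = [cur.name], []
    for _ in range(max_hops):
        if cur.owns(dst_ip):
            events.append(f"{cur.name}: delivered locally")
            return path, events
        if in_dev is not None and not cur.ip_forward:
            events.append(f"{cur.name}: dropped, ip_forward=0")
            return path, events
        route = cur.lookup(dst_ip)
        if route is None:
            events.append(f"{cur.name}: no route to {dst_ip}")
            return path, events
        gw = dst_ip if route.via is None else route.via
        # Simplified redirect rule (assumption): sender and next hop both sit on the
        # subnet of the interface the packet came in on, so the router tells the
        # sender to go direct next time; the packet itself is still forwarded.
        if in_dev is not None:
            net = cur.ifaces[in_dev].network
            if src_ip in net and gw in net:
                events.append(f"{cur.name}: ICMP Redirect Host (new nexthop: {gw})")
        if gw not in owner:
            events.append(f"{cur.name}: next hop {gw} unreachable via {route.dev}")
            return path, events
        cur, in_dev = owner[gw]
        path.append(cur.name)
    events.append("hop limit exceeded")
    return path, events


def build_lab(r1_has_route: bool, pdc02_forwards: bool) -> Dict[str, Host]:
    """Constructed lab: addresses from the thread, everything else assumed."""
    r1 = Host("r1", {"eth0": IPv4Interface("192.168.1.1/24")}).add("192.168.1.0/24", "eth0")
    if r1_has_route:
        r1.add("192.168.2.0/24", "eth0", via="192.168.1.13")  # the static route from the thread
    else:
        r1.add("0.0.0.0/0", "eth0", via="192.168.1.2")  # assumed default route via the SBS box
    sbs = Host("pdc-01", {"eth0": IPv4Interface("192.168.1.2/24"),
                          "ppp-srv": IPv4Interface("192.168.1.2/32")})  # server end of PPTP (assumed name)
    sbs.add("192.168.1.0/24", "eth0").add("192.168.1.13/32", "ppp-srv")
    sbs.add("192.168.2.0/24", "ppp-srv", via="192.168.1.13")
    pdc2 = Host("pdc-02", {"ppp0": IPv4Interface("192.168.1.13/32"),
                           "eth1": IPv4Interface("192.168.2.1/24")}, ip_forward=pdc02_forwards)
    pdc2.add("192.168.1.0/24", "ppp0", via="192.168.1.2").add("192.168.2.0/24", "eth1")
    lan2 = Host("lan2", {"eth0": IPv4Interface("192.168.2.5/24")})  # assumed remote LAN host
    lan2.add("192.168.2.0/24", "eth0").add("0.0.0.0/0", "eth0", via="192.168.2.1")
    return {h.name: h for h in (r1, sbs, pdc2, lan2)}


if __name__ == "__main__":
    for has_route, forwards in ((False, True), (True, False), (True, True)):
        path, events = trace(build_lab(has_route, forwards), "r1", "192.168.2.5")
        print(f"route on r1={has_route} ip_forward on pdc-02={forwards}: {' -> '.join(path)}; {events}")
```

The first scenario reproduces the ping output quoted above: without the static route, the packet goes to pdc-01, which forwards it and sends the Redirect pointing at 192.168.1.13. The second shows the symptom in the thread when the packet reaches pdc-02 but forwarding is off; on the real box the equivalent checks are `cat /proc/sys/net/ipv4/ip_forward` and `ip route get 192.168.2.5` run on pdc-02 while ppp0 is up.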