LinuxQuestions.org - Linux - Networking
VPN Traffic on Windows (https://www.linuxquestions.org/questions/linux-networking-3/vpn-traffic-on-windows-303037/)

bLaDe 03-18-2005 12:50 AM

VPN Traffic on Windows
 
Hi Guys,
I have a strange problem which thus far I haven't managed to resolve despite many attempts.

At work we have a VPN setup which uses vtund. The Fedora Core 3 box connects to the VPN and I am able to ping any machine as if I were there in the office, but from the Windows machine it simply won't ping anything (request timed out). The bad part is I need the Windows machines to be able to access the VPN, as the applications I need to run only work with Windows.

The work VPN is set up to run on 172.17.10.0/255.255.255.0 and my home network is set up on 172.17.12.0/255.255.255.0. I have an ADSL router/modem on which I have allowed all traffic from 172.17.10.0/255.255.255.0; its IP address is 172.17.12.254.

My iptables rules, which are located here, I think are OK, but by all means make any suggestions as appropriate.

Any suggestions would be great.

Thanks

Cheers

JordanH 03-18-2005 10:50 PM

How many NICs do you have? What does your routing table look like?

While you are testing, take your firewall out of the equation. Run this:
#!/bin/bash
# This will clear your firewall and enable forwarding
# DON'T LEAVE THIS RUNNING!!
echo 1 > /proc/sys/net/ipv4/ip_forward
# Open the default policies so nothing is dropped
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# Flush every chain, delete user-defined chains and zero the counters in each table
for table in filter nat mangle
do
    /sbin/iptables -t $table -F
    /sbin/iptables -t $table -X
    /sbin/iptables -t $table -Z
done
# End of Script

bLaDe 03-19-2005 01:13 AM

I am happy to say this would appear to be a routing issue; still, I am a little uncertain how I solve this one.

The reason I say this is that when I move the Windows machines to the default gateway of 172.17.12.1 (Linux box) instead of 172.17.12.254 (router/modem), the VPN side of things works without any firewall changes.

The output from my routing table is as follows:
Destination     Gateway         Genmask         Flags Metric Ref  Use Iface
172.25.254.8    *               255.255.255.255 UH    0      0      0 tun1
172.17.12.0     *               255.255.255.0   U     0      0      0 eth1
172.17.10.0     172.25.254.8    255.255.255.0   UG    0      0      0 tun1
169.254.0.0     *               255.255.0.0     U     0      0      0 eth1
default         home.gateway    0.0.0.0         UG    0      0      0 eth1


I have 2 nics but only 1 is being used since I moved to ADSL.
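
Why the Windows hosts time out follows from the two routing tables involved. The script below is an added example, not code from the thread: it resolves a destination against each table by longest-prefix match, the way the kernel does, so you can see which next hop each host picks. The Linux table is copied from the route output above; the Windows table, its interface name `lan`, and the corrected copy with 172.17.12.1 as gateway are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the thread): longest-prefix route lookup over the
# tables in the post. Columns: destination gateway netmask interface.
# Gateway "*" means on-link, as in `route -n` output.

# Linux box, copied from the post (home.gateway kept as the hostname shown).
LINUX_ROUTES='
172.25.254.8 * 255.255.255.255 tun1
172.17.12.0 * 255.255.255.0 eth1
172.17.10.0 172.25.254.8 255.255.255.0 tun1
169.254.0.0 * 255.255.0.0 eth1
default home.gateway 0.0.0.0 eth1
'

# Constructed: a Windows host on the home LAN with the ADSL router as gateway.
WINDOWS_ROUTES='
172.17.12.0 * 255.255.255.0 lan
default 172.17.12.254 0.0.0.0 lan
'

# Constructed: the same host after pointing its default gateway at the Linux box.
WINDOWS_FIXED='
172.17.12.0 * 255.255.255.0 lan
default 172.17.12.1 0.0.0.0 lan
'

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length of a dotted-quad netmask (number of set bits).
mask2len() {
    local m n
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# route_lookup TABLE DST -> "IFACE via NEXTHOP" for the most specific matching route.
route_lookup() {
    local table="$1" dst best_len best_out dest gw mask iface m len
    dst=$(ip2int "$2"); best_len=-1; best_out="no route"
    while read -r dest gw mask iface; do
        [ -z "$dest" ] && continue
        [ "$dest" = default ] && { dest=0.0.0.0; mask=0.0.0.0; }
        m=$(ip2int "$mask"); len=$(mask2len "$mask")
        # A route matches when the destination masked with its netmask equals its prefix;
        # keep the longest prefix seen so far.
        if [ $(( dst & m )) -eq $(( $(ip2int "$dest") & m )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            [ "$gw" = '*' ] && gw=on-link
            best_out="$iface via $gw"
        fi
    done <<EOF
$table
EOF
    echo "$best_out"
}

echo "Linux box      -> 172.17.10.7 : $(route_lookup "$LINUX_ROUTES" 172.17.10.7)"
echo "Windows (.254) -> 172.17.10.7 : $(route_lookup "$WINDOWS_ROUTES" 172.17.10.7)"
echo "Windows (.1)   -> 172.17.10.7 : $(route_lookup "$WINDOWS_FIXED" 172.17.10.7)"
```

With the router as gateway, the Windows host hands every 172.17.10.x packet to 172.17.12.254, which has no route for that network and never passes it to the tunnel. With 172.17.12.1 as gateway the Linux box is the next hop, and its own tun1 route then applies.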

JordanH 03-19-2005 05:43 PM

Let me get this straight: your original config had you connecting your Linux box directly to the ADSL modem (through a hub/switch?), and you also connected directly to the ADSL modem from your Windows box. If this is correct, that means your Windows machine was never passing through your Linux machine and hence never being routed through your tunnel.

As for your 2 NICs, I have a similar setup at home: ADSL, Linux router and several machines internally. I suggest you review how you have yours configured, because it should look like this:
ADSL --- Linux --- Switch/Hub --- Internal LAN machines
Where you have it configured:
ADSL --- Switch/Hub --- Linux machine
              |
              ^-- Windows machine

[edit: *arg* my text diagram didn't work out. :rolleyes: ]

bLaDe 03-24-2005 02:21 AM

Sorry about the delay, I've been fairly busy and haven't had a chance to reply until now.

I originally had cable, which was a simple cable modem that went into eth0 using DHCP from the cable provider, and then eth1 went into a hub off to all my other computers connected via it, including an access point, which worked flawlessly.

Now I have an ADSL router/modem with all the machines hanging off it, as you demonstrated in your text picture, which seems to be causing problems.

I agree; I am going to rethink how I'm going to do this. I'm thinking of simply using the DMZ on the router to forward all ports to the Linux box, and from there controlling iptables to decide which way the traffic goes.

JordanH 03-24-2005 03:32 PM

Quote:
Originally posted by bLaDe
Sorry about the delay, I've been fairly busy and haven't had a chance to reply until now.

Not to worry, I'm swamped too.

Quote:
Originally posted by bLaDe
I originally had cable, which was a simple cable modem that went into eth0 using DHCP from the cable provider, and then eth1 went into a hub off to all my other computers connected via it, including an access point, which worked flawlessly.

If you plan on using your Linux machine as a firewall, router and VPN (good plan), then this is the way to go.

Quote:
Originally posted by bLaDe
Now I have an ADSL router/modem with all the machines hanging off it, as you demonstrated in your text picture, which seems to be causing problems.

This makes sense, because instead of routing through the Linux box to the ADSL modem, you were going directly out through the modem and missing the VPN tunnel altogether.

Quote:
Originally posted by bLaDe
I agree; I am going to rethink how I'm going to do this. I'm thinking of simply using the DMZ on the router to forward all ports to the Linux box, and from there controlling iptables to decide which way the traffic goes.

If I read this correctly, you want to forward all ports on the DMZ into your internal LAN? This seems to defeat the purpose of a DMZ... Will the router let you do that? Secondly, do you want to do that? If I recall, your firewall forwarded all forwarding requests (good, bad or ugly) directly into your VPN tunnel... this would effectively route any attacker through the tunnel. I could be wrong here and it may not be possible, but that was my initial gut feeling. I'd use the KISS principle and go with your option #1 above, which seems to be much safer and easier to configure.

edit: removed the unintentional BOLD tags
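
For the topology recommended above (ADSL --- Linux --- Switch/Hub --- LAN), the practical follow-up is to replace the accept-everything FORWARD policy from the test script with one that forwards only what the home LAN should be sending. The script below is an added example, not rules from the thread or from vtund: it keeps FORWARD at DROP, lets only 172.17.12.0/24 arriving on eth1 open connections toward 172.17.10.0/24 over tun1 (plus NATed internet access), drops packets arriving from the tunnel or the WAN that claim a home LAN source, and logs whatever falls through. Using eth0 as the ADSL-facing interface is an assumption (it was the cable modem's interface in the original setup); running with no argument, or with `IPT=echo`, only prints the rules without touching the kernel.

```shell
#!/bin/bash
# Added example (not from the thread): a default-deny FORWARD policy for a Linux
# box sitting between the ADSL modem, the home LAN and the vtund tunnel.
# Run as root with "apply" to install the rules; with no argument it previews them.

IPT=${IPT:-/sbin/iptables}    # set IPT=echo to preview instead of applying
WAN_IF=eth0                   # assumption: interface toward the ADSL modem
LAN_IF=eth1;  LAN_NET=172.17.12.0/24   # home LAN, from the post
VPN_IF=tun1;  VPN_NET=172.17.10.0/24   # work network over vtund, from the post

vpn_forward_rules() {
    # Nothing crosses the box unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Anti-spoofing: a packet from the tunnel or the WAN may not claim a home LAN source.
    $IPT -A FORWARD -i "$VPN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to connections the home LAN opened may come back through the box.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the home LAN may open connections into the work network over the tunnel.
    # This is the single rule that lets NEW traffic enter the tunnel.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$VPN_IF" -d "$VPN_NET" -j ACCEPT

    # Home LAN to the internet, masqueraded behind the WAN address.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Rate-limited log of everything else, e.g. connection attempts from the
    # work side or from the internet toward the home LAN or into the tunnel.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

case "${1:-preview}" in
    apply)
        vpn_forward_rules
        # Turn forwarding on only after the rules are in place.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    preview)
        IPT=echo
        vpn_forward_rules
        ;;
esac
```

INPUT and OUTPUT rules for the box itself are left out here. Because the eth1 to tun1 rule is the only one that admits a new connection into the tunnel, a host on the work side cannot initiate connections into the home LAN, and nothing arriving from the ADSL side can be forwarded into the tunnel, which is the risk raised above with a FORWARD ACCEPT policy.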

