Network configuration
 

Hi,
I am Raghava, currently working on Fedora.
My application has to contact a remote server, accessible through VPN.
VPN connection is successful.
Before VPN connection is initiated, I did the following:
ifconfig em1:0 10.223.102.254 netmask 255.255.255.0 up
and then started the VPN and connection is successful.
Now to ping the destination, I did in the following way:
ping -I 10.223.102.254 10.123.102.1
which is working fine.
But when I do like this:
ping 10.123.102.1
it is not reaching the destination.
To contact the remote server, I need to contact by the IP address (either through application programme or in web browser). But I am not able to contact because 10.123.102.1 is not reachable directly.
Can you please suggest any settings do I need to do at my system.
Please let me know if you need any additional information.

Thanks and Regards
Raghav

What sort of VPN service are you using? And why would you need to set up an alias (em1:0) before activating the VPN tunnel?

The fact that "ping" doesn't work while "ping -I <address>" does, suggests that the ping command normally chooses an interface different from the one you specified with "ping -I", which in turn suggests duplicate or overlapping IP subnets.

How is your system configured with regards to IP addresses and subnet masks? What's the output of ifconfig -a and route -n?

linux NIC configuration - reply
 

Hi,
Thank you for the reply.
I am using openvpn.
em1:0 is needed to connect to remote server. em1 is used for internet connection.

Output of ifconfig -a
em1 Link encap:Ethernet HWaddr D4:BE:D9:74:1E:B1
inet addr:10.132.7.11 Bcast:10.132.7.255 Mask:255.255.254.0
inet6 addr: fe80::d6be:d9ff:fe74:1eb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5830 errors:0 dropped:0 overruns:0 frame:0
TX packets:4288 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4747989 (4.5 MiB) TX bytes:630377 (615.6 KiB)
Interrupt:20 Memory:f7e00000-f7e20000

em1:0 Link encap:Ethernet HWaddr D4:BE:D9:74:1E:B1
inet addr:10.223.102.254 Bcast:10.223.102.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:20 Memory:f7e00000-f7e20000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.23.1.6 P-t-P:10.23.1.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

output of route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.23.1.1 10.23.1.5 255.255.255.255 UGH 0 0 0 tun0
10.23.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.223.102.0 0.0.0.0 255.255.255.0 U 0 0 0 em1
10.132.6.0 0.0.0.0 255.255.254.0 U 1 0 0 em1
10.123.0.0 10.23.1.5 255.255.0.0 UG 0 0 0 tun0
0.0.0.0 10.132.6.1 0.0.0.0 UG 0 0 0 em1

Please let me know if you need any more details.

Thanks and Regards
Raghav

Execute following command from your terminal window and check if it works for you or not.

route add -host 10.123.102.1 dev em1:0

Regards,
Tabraiz

Network Configuration
 

Hi,
Thank you for your suggestion.
I did the same, but not destination is not reachable.
Details:
PING 10.123.102.1 (10.123.102.1) 56(84) bytes of data.
From 10.223.102.254 icmp_seq=2 Destination Host Unreachable
From 10.223.102.254 icmp_seq=3 Destination Host Unreachable
From 10.223.102.254 icmp_seq=4 Destination Host Unreachable.

Can you please suggest any other step to do.

Thanks and Regards
Raghav

Hello,

You've moved one step forward, your destination IP now hitting the right interface;

1. Can you pls check if 10.123.102.1 is up and running?
2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side.
3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)?
4. Also pls provide output of "iptables -L -v".

Regards,
Tabraiz

I thought you said the remote server was at the end of an OpenVPN tunnel?

You say you want to reach 10.123.102.1 using a VPN connection, but at the same time you add 10.123.102.254 as an alias to em1 with a netmask of 255.255.255.0. The netmask means 10.123.102.1 must be in the same local network as em1.

10.123.102.0/24 is either local or at the end of the tunnel. Which is it? Because right now you've explicitly told your machine that 10.123.102.0/24 is directly connected to em1.

Dear Olmy: Please note correction in IP assigned to em1:0 interface, it's 10.223.102.254 and not 10.123.102.254. Please share your comments after considering this change.

Regards,
Tabraiz

Network configuration
 

Hi Tabraiz,

Here are the answers for the questions:
1. Can you pls check if 10.123.102.1 is up and running?
After adding: route add -host 10.123.102.1 dev em1:0
I am not able to reach 10.123.102.1 in either ways: ping or ping -I.
If I delete that by route del -host 10.123.102.1 dev em1:0
then I am able to ping with ping -I but not with ping.

2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side.
Yes the remote server System Administrator told that the ip at my side should be 10.223.102.254 which is configured as part of vpn settings.
3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)?
Please find the captures attached. with direct IP and with interface.
Please remove the extention .log for those files to open in wireshark.
4. Also pls provide output of "iptables -L -v".
output:
Chain INPUT (policy ACCEPT 86074 packets, 21M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19445 packets, 2424K bytes)
pkts bytes target prot opt in out source destination

Can you please suggest any other settings need to be done my side.

Thanks and Regards
Raghav

Hi,

I checked both trace files but unfortunately they are of no use. I cant see any packet destined towards 10.123.102.1 in them.

As far as I understood your objective, you're trying to reach destination IP 10.123.102.1 with Source IP as 10.223.102.254. Am I right? If yes then please follow below steps;

1. service iptables status (if status is "not running" go to step 2)/(if running, it will give some o/p & u shud move to step 3 then)
2. service iptables start.
3. iptables -t nat -A POSTROUTING -d 10.123.102.1 -j SNAT --to-source 10.223.102.254
4. service iptables save

Execute these steps and share your results.

***Please note that all changes prior to these should be removed (like "route add -host 10.123.102.1 dev em1:0" etc). Best of luck.

Regards,
Tabraiz

Ah, I see. That does change things. I see the correct information is indeed listed in your other post with the output from ifconfig -a.

Since the ping command succeeds when you choose the source address/interface manually, the problem is related to the source address (or the return route, depending on your point of view).

When sending locally generated traffic through any interface, the IP stack will always select the address of the outgoing interface as the source address, unless you can somehow manually override that default, as one can with the ping "-I" switch.

Try this:
Edit: I see Tabraiz sort of beat me to it, but I would argue that the -o option is better suited in this case.

Hi Tabraiz,
Yes It worked. I followed the steps as suggested by you (iptables were stopped).
Now I am able to ping with the ip address (without interface).
This is really a great help.
Just have one small doubt in continuation to that.
Do I need to execute these commands for every system reboot or it will be saved permanently.

Thanks and Regards
Raghav

Hi Olmy,
I tried the command as suggested by you.

iptables -t nat -A OUTPUT -o tun0 -j SNAT --to-source 10.223.102.254

But got the following message:
iptables: Invalid argument. Run `dmesg' for more information.
so when I changed the command to
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.223.102.254
no error message and I am able to ping to the IP address.
Thank you very much for your support.

Best Regards
Raghav

My mistake, that should teach me to test stuff rather than just post from memory.

Glad to hear you solved the problem!

Dear Raghav,

Point 4 (service iptables save) ensures that you don't need to do this every time system is rebooted. Cheers!

Dear Olmy,

I would humbly disagree with your argue that -o option is better suited here :) reasons for that are;

1. -o will only be effective on tun0 interface whereas -d option which I've chosen is not bonded to any specific interface and will always be effective regardless of any routing change takes place in future.
2. All traffic passes through tun0 interface will have source IP changed to 10.223.102.254 whereas -d ensures that source IP is only modified for a specific IP 10.123.102.1 in this case.

Kindly have your say on these points because you're a senior pro of-course and I might be learning many things from you in future.

Thanks,
Tabraiz