-   Linux - Security (
-   -   VPN blocks internet access from laptop (

cmisip 07-12-2003 02:35 PM

VPN blocks internet access from laptop
I have a lan with network connected to a router DI 614+ which is connected to a cable modem. All my machines are connected to the DI 614+ either via cable or wirelessly. There is only one ethernet interface on each of the machines (except the laptop but I only use eth1 there).
I wanted to increase the security of my laptop's wireless connection to the rest of my network so I setup a vpn from it to one of my other machines in the same network (which houses my data). While it seems to work and I am able to access the other machine on the network via the vpn tunnel, I cannot seem to access the internet from the laptop anymore (well, I can access and do searches with it but the other urls will not resolve, even the links that google returns). If I have ipsec disabled on the laptop, then I can access the internet without problems. This is weird because I think either all dns resolution should work or they should all fail.
There is one message from ipsec_setup when I start my connection : Warning :changing route filtering on eth1 (changing /proc/sys/net/ipv4/conf/eth1/rp_filter from 1 to 0). I dont know if that is significant.

I would appreciate any help

Thoreau 07-13-2003 04:21 AM

You are currently routing through your VPN server boxes local cached DNS. You will need to set the freeswan vpn server(local box) to be a DNS server or to allow forwarding of DNS routing via the VPN server config itself. You are connected directly to your box and only your box.

The routing paths/procesesses are determined by what your box serves and by what freeswan server allows to route in/out. Security via wireless at VPN level is hard to do. There is a reason why companies use rotating keys and 128-bit RC5 hardware encryption instead of straight software VPN. It's a headache. But, if you can do it, you've just saved yourself conservatively 8K USD.

cmisip 07-13-2003 04:05 PM

Thanks. I sort of figured it out. I think you are right, It was probably cache that I was browsing. Anyway. I was trying to increase the security of my 802.11b connection to the rest of my network. It is a machine to a machine connection in the same subnet both connecting to a D link router 614+ one via wired ethernet(mymythtv), the other via wireless(mylaptop). My router is I have in the wired machine /etc/ipsec.conf

conn road-warrior
left= #Left is local which is mymythtv
leftsubnet= #subnet declaration
leftid=@mymythtv #name of this server, no dns queries
leftrsasigkey=yyyyyyy #this is the public key of mymythtv
leftnexthop= #nothing here, no router in between
right= #right is remote which is mylaptop
rightsubnet= #nothing here
rightid=@mylaptop #name of laptop, no dns queries
rightrsasigkey=xxxxxx #this is the public key of mylaptop
rightnexthop= #nothing here, no router in between
auto=add #add this configuration but dont start it automatically

And on the wireless machine /etc/ipsec.conf
conn road-warrior
left= #left is local which is the laptop
leftid=@mylaptop #name of laptop, no dns querieswith@
leftrsasigkey=xxxxxxxx...... #this is the public key of mylaptop
leftnexthop= #leave blank, there is no router between
right= #right is remote which is mymythtv
rightsubnet= #mylaptop is allowed to access
rightid=@mymythtv #name of server, no dns queries with@
rightrsasigkey=yyyyyyy...... #this is the public key of mymythtv
rightnexthop= #leave blank, there is no router between
auto=add #add this configuration but dont start it automatically

I was able to bring up the vpn tunnel. When I looked at the routing on mylaptop:

Destination Gateway Genmask Flags Metric Ref Use Iface UG 0 0 0 ipsec0 * U 0 0 0 ipsec0 * U 0 0 0 eth1 * U 0 0 0 lo
default UG 0 0 0 ipsec0 UG 0 0 0 ipsec0
default UG 0 0 0 eth1

Therefore, internet packets are ending in So I decided to test this by enabling ip_forwarding in mymythtv. And that did the trick. Mylaptop now has internet access throught the vpn tunnel.
However I have another question. Looking at the output of tcpdump, I saw that there are ESP packets coming from mylaptop to mymythtv but not from mymythtv to mylaptop. Is this a problem? Can VPN encryption be only one way in the tunnel? Is this even possible or is all traffic in either direction protected in a VPN tunnel? Is my tunnel even setup correctly? Thanks.

cmisip 07-13-2003 09:47 PM

I figured it out. My configuration was subnet to host. I needed it to be host to host. I did this by omitting the leftsubnet in mymythtv and rightsubnet in mylaptop. Esp now works in both directions. The VPN tunnel is working. I added forwardcontrol=yes in mymythtv's ipsec.conf so that it turns ipv4 forwarding when ipsec is started and turns it off when it is stopped. Now I have a secure wireless 802.11b connection between mymythtv and mylaptop. Thanks.

cmisip 07-13-2003 11:49 PM

And now I managed to get it working with shorewall. I can finally sleep.

cmisip 07-15-2003 10:51 PM

looking at the output of tcpdump, I notice that ESP encryption only happens when the source and destination of ip packets is excatly the endpoints of the tunnel. The docs stated this as well, but I had hoped that since mymythtv is ip forwarding packets to the router (to go to the internet), then the ip packets will be encrypted leaving the laptop and decrypted at mymythtv prior to being sent to the router. It looks like the only way to secure all wireless communication from the laptop is to make mymythtv the endpoint of all packets that need to go to the internet which means configuring it as an IP masquerade server. Is there a way to setup a vpn tunnel from any machine in the lan to the router ( a d link 614+)? Or is that a stupid question? Any thoughts? Thanks

ckone 07-16-2003 05:33 AM

I hope your aware that this product FreeS/Wan already posted at there website the fact that Airjack can break down this security level of protection....

I figured this out bye reading other post on the Network forum about this same product...

Well good luck....



All times are GMT -5. The time now is 08:20 PM.