[wellylug] OT: VPN howto
Pete Black
pete at marchingcubes.com
Thu Mar 24 22:37:40 NZST 2005
You need a route specifying the VPN firewall as the gateway to the
'internal' network on the client - this should be set up by the IPSEC
client, but check it anyway, and you also need to ensure that the VPN
client's network card and the remote 'internal' subnets are different,
or packets will get sent out eth0 (192.168.0.x) instead of
default-gatewayed through the VPN router (to reach internal subnet
192.168.0.x).
The machines on your internal network will also need to gateway (or
otherwise route) through the server that handles the VPN in order to
reply to connections made from that IP range. That is, ensure that
packets sent from the internal network to the IP address block
specified in your roadwarrior server config actually end up getting
routed to ipsec0 on your VPN server. If the VPN server is the default
gateway, this shouldn't be a problem.
I would suspect an IP range mismatch e.g. client internal == server
internal or a misconfiguration in the ipsec.conf causing incorrect
routes to be set on the server - it should be possible to manually
enter routes once the connection is established. Also ensure you are
not firewalling packets to/from the ipsecX interfaces in the FORWARD
table.
Those would be the most common issues I would look at when
troubleshooting.
Let me know if you need more help.
-Pete
> Please excuse the off-topic nature of this post. This has a tenuous
> link with Linux in that my network servers run Debian. Trouble is I
> can't access them remotely through the VPN I've set up.
>
> The firewall is IPCop1.4 and on it I've configured a roadwarrior VPN
> using PSK between IPCop and a laptop running XP SP2. I roughly
> followed the instructions at:
> http://www.ipcop.org/1.2.0/en/vpn/html/
>
> I can establish a VPN connection using ipsec.exe. I can ping the
> firewall's internal IP address. I can ssh to the firewall using PuTTY
> through the VPN (external ssh access is blocked). Trouble is I can't
> access anything else within my home network.
>
> I expect the next step is to set up some appropriate routing but
> search as I may I can't find an appropriate howto. Anyone been here,
> done that?
>
> Rob Stockley
>
>
> --
> Wellington Linux Users Group Mailing List:
> wellylug at lists.wellylug.org.nz
> To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug
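The three checks Pete lists (no overlap between the client LAN and the remote internal subnet, a route on the server that sends the roadwarrior address block to ipsec0, and no FORWARD rules dropping traffic on the ipsecX interfaces) can be reasoned about with a small routing model. The following is an added example, not code from the thread or from IPCop; every address, interface name and route entry in it is constructed, and the tie-break rule in `lookup` (a directly connected route wins over a gateway route of the same prefix length) is this model's simplification of kernel behaviour, which also honours metrics.

```python
"""Routing-table model for the checks in the reply above.
All addresses, interface names and rules here are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network                  # destination prefix; 0.0.0.0/0 is the default route
    dev: str                           # egress interface (eth0, ipsec0, ...)
    via: Optional[IPv4Address] = None  # next hop, or None for a directly connected network


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match. On a tie (the overlapping-subnet case) the directly
    connected route wins, which is what happens when the LAN route is already
    present before the IPsec client tries to add its own. Metrics are ignored."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.dest.prefixlen, r.via is None))


def egress_dev(table: List[Route], dst: str) -> str:
    return lookup(table, dst).dev


def subnets_overlap(client_lan: str, remote_internal: str) -> bool:
    """First check: the client's LAN and the remote 'internal' net must not collide."""
    return ip_network(client_lan).overlaps(ip_network(remote_internal))


def client_table(lan_cidr: str, lan_gw: str, vpn_gw: str, remote_internal: str) -> List[Route]:
    """Constructed road-warrior client table after the IPsec client adds its route
    for the remote internal network via the VPN firewall (hypothetical dev ipsec0)."""
    return [
        Route(ip_network("0.0.0.0/0"), "eth0", ip_address(lan_gw)),        # default via home router
        Route(ip_network(lan_cidr), "eth0"),                               # directly connected LAN
        Route(ip_network(remote_internal), "ipsec0", ip_address(vpn_gw)),  # added by IPsec client
    ]


def server_table(green_cidr: str, roadwarrior_pool: str, red_gw: str, pool_routed: bool) -> List[Route]:
    """Constructed VPN server table. pool_routed=False models the misconfiguration
    where the roadwarrior address block has no route to ipsec0, so replies leak
    out the default gateway instead of into the tunnel."""
    table = [
        Route(ip_network("0.0.0.0/0"), "eth0", ip_address(red_gw)),  # RED side: default to the ISP
        Route(ip_network(green_cidr), "eth1"),                        # GREEN side: internal LAN
    ]
    if pool_routed:
        table.append(Route(ip_network(roadwarrior_pool), "ipsec0"))  # replies to road warriors
    return table


def forward_rules_blocking_ipsec(rules: List[str]) -> List[str]:
    """Third check: FORWARD rules that DROP or REJECT on an ipsecX interface.
    Input lines follow the `iptables -S FORWARD` format (constructed sample in use below)."""
    hits = []
    for rule in rules:
        toks = rule.split()
        if "FORWARD" not in toks:
            continue
        on_ipsec = any(toks[i] in ("-i", "-o") and toks[i + 1].startswith("ipsec")
                       for i in range(len(toks) - 1))
        drops = any(toks[i] == "-j" and toks[i + 1] in ("DROP", "REJECT")
                    for i in range(len(toks) - 1))
        if on_ipsec and drops:
            hits.append(rule)
    return hits


if __name__ == "__main__":
    # Overlap: laptop sits on 192.168.0.0/24 and the remote internal net is also 192.168.0.0/24,
    # so a packet for 192.168.0.50 leaves via eth0 and never enters the tunnel.
    bad = client_table("192.168.0.0/24", "192.168.0.1", "203.0.113.10", "192.168.0.0/24")
    print("overlap:", subnets_overlap("192.168.0.0/24", "192.168.0.0/24"),
          "egress:", egress_dev(bad, "192.168.0.50"))
    # Distinct subnets: traffic for the remote LAN is routed through the VPN.
    good = client_table("192.168.0.0/24", "192.168.0.1", "203.0.113.10", "192.168.10.0/24")
    print("egress:", egress_dev(good, "192.168.10.50"))
    # Server side: does a reply to a road-warrior address reach ipsec0?
    srv = server_table("192.168.10.0/24", "10.0.1.0/24", "203.0.113.1", pool_routed=True)
    print("server reply egress:", egress_dev(srv, "10.0.1.7"))
    print(forward_rules_blocking_ipsec(["-P FORWARD DROP",
                                        "-A FORWARD -i eth1 -o eth0 -j ACCEPT",
                                        "-A FORWARD -i ipsec0 -j DROP"]))
```

Run against real systems the same questions are answered by `ip route get <internal address>` on the client and server and by `iptables -S FORWARD` on the VPN server; the model above just makes the longest-prefix-match reasoning explicit so the overlap failure is visible before touching a live box.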